[
https://issues.apache.org/jira/browse/AVRO-3111?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17325132#comment-17325132
]
ASF subversion and git services commented on AVRO-3111:
-------------------------------------------------------
Commit 4961457f91d08a5907ebd71ca9ed088cea30f342 in avro's branch
refs/heads/dependabot/maven/lang/java/grpc.version-1.37.0 from Ismaël Mejía
[ https://gitbox.apache.org/repos/asf?p=avro.git;h=4961457 ]
AVRO-3111: Update Hadoop versions to prevent false-positive security reports
(#1188)
* AVRO-3111: Upgrade hadoop version to 2.10.1 and align example versions
* AVRO-3111: Update examples to use latest released Avro version (1.10.2)
> Update Hadoop versions to prevent false-positive security reports
> -----------------------------------------------------------------
>
> Key: AVRO-3111
> URL: https://issues.apache.org/jira/browse/AVRO-3111
> Project: Apache Avro
> Issue Type: Bug
> Components: java
> Affects Versions: 1.10.1, 1.10.2
> Environment: Docker image built on library/buildpack-deps:buster-curl
> ([buildpack-deps (docker.com)|https://hub.docker.com/_/buildpack-deps])
> Reporter: David L. Day
> Assignee: Ismaël Mejía
> Priority: Major
> Fix For: 1.11.0
>
>
> When installing avro-tools in a container on a debian image, my company's
> image scanner reports CVE-2019-17195:
> _Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions
> while parsing a JWT, which could result in an application crash (potential
> information disclosure) or a potential authentication bypass._
> I see other Apache projects have had this CVE reported and have been fixed,
> but did not see where this was reported for Apache Avro Tools specifically.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
