[
https://issues.apache.org/jira/browse/AVRO-3227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17425700#comment-17425700
]
Daniel Korczak commented on AVRO-3227:
--------------------------------------
On rereview, this appears corrected in
[a2cfd3519c20a3022c11ff01c1f42acfad6b0108|https://github.com/apache/avro/commit/a2cfd3519c20a3022c11ff01c1f42acfad6b0108]
but has been pending release for a while. At this point in time, it seems
slated for
[release-1.11.0-rc1|https://github.com/apache/avro/releases/tag/release-1.11.0-rc1]
- but nothing yet at this time.
> Multiple CVEs via Apache Compress
> ---------------------------------
>
> Key: AVRO-3227
> URL: https://issues.apache.org/jira/browse/AVRO-3227
> Project: Apache Avro
> Issue Type: Bug
> Components: java
> Affects Versions: 1.10.2
> Reporter: Daniel Korczak
> Priority: Minor
>
> Latest versions of groupId: *org.apache.avro* artifactId: *Avro* are affected
> by vulnerabilities in the dependent library groupId: *org.apache.commons*
> artifactId: *commons-compress*.
>
> These security issues can be remediated by updating from commons-compress
> 1.19 to 1.21.
>
> See:
> [CVE-2021-35515|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35515]
> [CVE-2021-35517|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35517]
> [CVE-2021-36090|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090]
> [CVE-2021-35516|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35516]
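Until an Avro release carrying the fix is published, a build can be checked for the transitive commons-compress version it actually resolves. The following is an added example, not code from the Avro project or from the issue: it parses the text output of `mvn dependency:tree` and reports every commons-compress node older than 1.21 along with the dependency path that pulls it in. The sample tree is constructed for illustration; the `com.example:app` coordinates and the other dependencies in it are hypothetical, while the Avro 1.10.2 and commons-compress 1.19/1.21 versions are the ones named in the issue.

```python
import re

# Coordinates and fixed version as stated in AVRO-3227.
TARGET = ("org.apache.commons", "commons-compress")
FIXED = (1, 21)

# A dependency:tree node: tree-drawing prefix (3 chars per level), then
# groupId:artifactId:type[:classifier]:version[:scope]
NODE = re.compile(r"^\[INFO\] ([|+\\ -]*)([\w.-]+(?::[\w.-]+){3,5})$")

def parse_version(version):
    """Leading numeric components only: '1.21' -> (1, 21)."""
    nums = []
    for part in re.split(r"[.-]", version):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)

def find_outdated(tree_text):
    """Return [(version, path)] for each commons-compress node below FIXED."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line.rstrip())
        if not m:
            continue  # plugin banner, build status, blank lines
        depth = len(m.group(1)) // 3
        fields = m.group(2).split(":")
        # The root node has no scope field; children end in version:scope.
        version = fields[3] if len(fields) == 4 else fields[-2]
        del stack[depth:]
        stack.append(f"{fields[0]}:{fields[1]}:{version}")
        if (fields[0], fields[1]) == TARGET and parse_version(version) < FIXED:
            findings.append((version, " > ".join(stack)))
    return findings

# Constructed sample output (not captured from a real build).
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0-SNAPSHOT
[INFO] +- org.apache.avro:avro:jar:1.10.2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.12.2:compile
[INFO] |  \- org.apache.commons:commons-compress:jar:1.19:compile
[INFO] \- org.slf4j:slf4j-api:jar:1.7.30:compile
"""

if __name__ == "__main__":
    for version, path in find_outdated(SAMPLE_TREE):
        print(f"commons-compress {version} is below 1.21: {path}")
```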