[
https://issues.apache.org/jira/browse/QPID-8485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17229374#comment-17229374
]
ASF subversion and git services commented on QPID-8485:
-------------------------------------------------------
Commit 0aed77fbe88a4f8455c61be14ffc2d6c705404c4 in qpid-broker-j's branch
refs/heads/8.0.x from Dedeepya T
[ https://gitbox.apache.org/repos/asf?p=qpid-broker-j.git;h=0aed77f ]
QPID-8485:[Broker-J]upgrade guava version to latest
This closes #70
> Upgrade guava version to latest
> -------------------------------
>
> Key: QPID-8485
> URL: https://issues.apache.org/jira/browse/QPID-8485
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Reporter: Dedeepya
> Priority: Minor
> Fix For: qpid-java-broker-8.0.3
>
>
> Security vulnerabilities are reported with the guava version below 28.2-jre.
> This package are vulnerable to Information Disclosure. The file permissions
> on the file created by com.google.common.io.Files.createTempDir allows an
> attacker running a malicious program co-resident on the same machine can
> steal secrets stored in this directory. This is because by default on
> unix-like operating systems the /temp directory is shared between all users,
> so if the correct file permissions aren't set by the directory/file creator,
> the file becomes readable by all other users on that system.
> [https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415]
> The Qpid Broker does not utilize the impacted functionality. Thus, it is not
> vulnerable to the reported issue. Though, we need to upgrade the guava
> version in order to stop from being flagged by scanning tools
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
