[ https://issues.apache.org/jira/browse/THRIFT-5375?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17391354#comment-17391354 ]

Eric Colinet commented on THRIFT-5375:
--------------------------------------

Hi [~jensg] & [~andy],

I wonder if the status change is related to my question... Will it be released soon?

As a quick reminder, there are two problems:
 * a really outdated tomcat-8.5.46 dependency affected by 7 different CVEs:
 ** [Medium] CVE-2021-24122: [https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCAT-1060050]
 ** [Medium] CVE-2020-17527: [https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCAT-1058922]
 ** [High] CVE-2021-25329: [https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-1080637]
 ** [Medium] CVE-2021-25122: [https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCAT-1080639]
 ** [Medium] CVE-2020-13934: [https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-584427]
 ** [High] CVE-2020-9484: [https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCAT-570036]
 ** [Low] CVE-2019-17563: [https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCAT-538469]
 * the dependency included by error


Thanks,

Eric

> Put org.apache.tomcat.embed:tomcat-embed-core into scope test
> -------------------------------------------------------------
>
>                 Key: THRIFT-5375
>                 URL: https://issues.apache.org/jira/browse/THRIFT-5375
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Java - Library
>    Affects Versions: 0.14.0, 0.14.1
>            Reporter: Andy Seaborne
>            Assignee: Andy Seaborne
>            Priority: Major
>             Fix For: 0.15.0
>
>
> 0.14.0 adds org.apache.tomcat.embed:tomcat-embed-core as a dependency with
> scope=compile. It becomes a dependency of systems using libthrift(java).
> It includes its own tomcat-specific javax.servlet, causing a conflict with
> javax.servlet:javax.servlet-api:jar:3.1.0. It gets included in combined jars
> that use Jetty.
> It causes tomcat-embedded to be in downstream systems that produce combined jars
> and docker images.
> The dependency was added by THRIFT-4949.
> The use of this seems to be specific to
> lib/java/test/org/apache/thrift/test/TestTServletServer.java and is not
> necessary at runtime.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
