[ https://issues.apache.org/jira/browse/AMQ-7432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17049469#comment-17049469 ]

ASF subversion and git services commented on AMQ-7432:
------------------------------------------------------

Commit 84b2c4fed5322008d039e24c1756c78a7558714d in activemq's branch 
refs/heads/activemq-5.15.x from jbonofre
[ https://gitbox.apache.org/repos/asf?p=activemq.git;h=84b2c4f ]

[AMQ-7432] Upgrade to mqtt-client 1.16

(cherry picked from commit 0b0ab2a03a60b28c57145ccb17c79da50b9d17d7)


> Vulnerable dependencies in your project.(CVEs)
> ----------------------------------------------
>
>                 Key: AMQ-7432
>                 URL: https://issues.apache.org/jira/browse/AMQ-7432
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: AMQP, Broker, LevelDB, MQTT
>            Reporter: XuCongying
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>             Fix For: 5.16.0, 5.15.12
>
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> I found your project used some dependencies that contain CVEs. To prevent 
> potential security risks they may cause, I suggest updating the library 
> dependency. Please note the following details.
>  
> Vulnerable Library Version: org.apache.hadoop : hadoop-core : 1.0.4
>   CVE ID: [CVE-2013-2192](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2192)
>   Import Path: activemq-leveldb-store/pom.xml
>   Suggested Safe Versions: 1.2.1
>  
> Vulnerable Library Version: io.netty : netty-codec-http : 4.1.43.Final
>   CVE ID: [CVE-2019-20444](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444), [CVE-2020-7238](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7238), [CVE-2019-20445](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445)
>   Import Path: activemq-amqp/pom.xml
>   Suggested Safe Versions: 4.1.44.Final, 4.1.45.Final, 5.0.0.Alpha1, 5.0.0.Alpha2
>  
> Vulnerable Library Version: org.fusesource.mqtt-client : mqtt-client : 1.15
>   CVE ID: [CVE-2019-0222](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0222)
>   Import Path: activemq-mqtt/pom.xml, activemq-unit-tests/pom.xml
>   Suggested Safe Versions: 1.16
>  
> Vulnerable Library Version: com.fasterxml.jackson.core : jackson-databind : 2.9.10.1
>   CVE ID: [CVE-2020-8840](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8840), [CVE-2019-20330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20330)
>   Import Path: activemq-broker/pom.xml, assembly/pom.xml, activemq-partition/pom.xml, activemq-leveldb-store/pom.xml, activemq-console/pom.xml
>   Suggested Safe Versions: 2.10.0, 2.10.1, 2.10.2, 2.9.10.3



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
