[
https://issues.apache.org/jira/browse/KYLIN-5159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17517987#comment-17517987
]
ASF subversion and git services commented on KYLIN-5159:
--------------------------------------------------------
Commit 0fa41762ec0fc69c0b8029fc8a81b273388bbf1d in kylin's branch
refs/heads/main from PJ Fanning
[ https://gitbox.apache.org/repos/asf?p=kylin.git;h=0fa41762ec ]
[KYLIN-5159] upgrade some common libs due to CVEs (#1814)
* [KYLIN-5159] upgrade some common libs due to CVEs
* upgrade xerces and jetty
> there are several dependencies in main branch with CVEs
> -------------------------------------------------------
>
> Key: KYLIN-5159
> URL: https://issues.apache.org/jira/browse/KYLIN-5159
> Project: Kylin
> Issue Type: Improvement
> Reporter: PJ Fanning
> Priority: Major
>
> Some of the more readily addressed ones include:
> * upgrade to commons-compress 1.21 - see cves in
> [https://mvnrepository.com/artifact/org.apache.commons/commons-compress]
> * upgrade to h2 2.1.210 - see cves in
> [https://mvnrepository.com/artifact/com.h2database/h2]
> * upgrade to httpclient 4.5.13 - see cves in
> [https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient]
> * update to commons-io 2.7 (or 2.11.0 to get latest code) - see
> [https://github.com/advisories/GHSA-gwrp-pvrq-jmwv]
> * upgrade to xerces 2.12.2 - see cves in
> [https://mvnrepository.com/artifact/xerces/xercesImpl]
> * many others - but I may be looking at the wrong branch given the large
> number of vulnerable jarsĀ
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
