https://issues.apache.org/jira/browse/NIFIREG-359?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17033733#comment-17033733
Andy LoPresto commented on NIFIREG-359:
---------------------------------------
Thanks for reporting this. The codebase is continually scanned by members of
the NiFi security team, and dependency vulnerability upgrades like this are
undertaken on an ongoing cycle. These vulnerabilities will be addressed in the
next release of NiFi Registry.
Please familiarize yourself with the [Apache Project Security for
Committers|https://www.apache.org/security/committers.html] guidelines, which
cover reporting processes for these types of issues. As always,
[[email protected]|mailto:[email protected]] is the best point of
contact for such conversations.
> Update maven dependencies that have CVEs
> ----------------------------------------
>
> Key: NIFIREG-359
> URL: https://issues.apache.org/jira/browse/NIFIREG-359
> Project: NiFi Registry
> Issue Type: Improvement
> Reporter: Alex Herman
> Priority: Major
>
> Running an AppScan vulnerability analysis on the 0.5.0 tag of NiFi Registry
> found the following issues with dependencies:
> * jackson-databind-2.9.9.1.jar - CVE-2019-16335, CVE-2019-14379,
> CVE-2019-16942, CVE-2019-17267, CVE-2019-16943, CVE-2019-17531,
> CVE-2019-14540, CVE-2019-14439
> * h2-1.4.197.jar - CVE-2018-10054, CVE-2018-14335
> * httpclient-4.5.2.jar (transitive dependency of org.eclipse.jgit) -
> https://github.com/apache/httpcomponents-client/commit/0554271750599756d4946c0d7ba43d04b1a7b220
> * hibernate-validator-6.0.17.Final.jar (transitive dependency of spring) -
> CVE-2019-10219
> * jackson-databind-2.9.8.jar (transitive dependency of aws-java-sdk-version)
> - CVE-2019-17267, CVE-2019-16943, CVE-2019-16942, CVE-2019-16335,
> CVE-2019-14540, CVE-2019-17531, CVE-2019-14379, CVE-2019-12814,
> CVE-2019-12086, CVE-2019-12384, CVE-2019-14439
> * netty-codec-http2-4.1.33.Final.jar (transitive dependency of
> aws-java-sdk-version) - CVE-2019-9518
> I'm not sure what the process is for addressing things like this, but I can
> put together a pull request, if that would be helpful.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)