[
https://issues.apache.org/jira/browse/ASTERIXDB-3057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17584989#comment-17584989
]
ASF subversion and git services commented on ASTERIXDB-3057:
------------------------------------------------------------
Commit 359e5c259fdbc286ce3fecaebce68889588f09df in asterixdb's branch
refs/heads/master from Hussain Towaileb
[ https://gitbox.apache.org/repos/asf?p=asterixdb.git;h=359e5c259f ]
[ASTERIXDB-3057][OTH]: Upgrade to jetty-util 9.4.48 to address CVEs
Details:
- CVEs:
- https://nvd.nist.gov/vuln/detail/CVE-2022-2047
- https://nvd.nist.gov/vuln/detail/CVE-2022-2048
Change-Id: I98a042024a31208e074a074657457efba781306b
Reviewed-on: https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17043
Reviewed-by: Hussain Towaileb <[email protected]>
Reviewed-by: Michael Blow <[email protected]>
Tested-by: Hussain Towaileb <[email protected]>
> Upgrade jetty to 9.4.48
> ------------------------
>
> Key: ASTERIXDB-3057
> URL: https://issues.apache.org/jira/browse/ASTERIXDB-3057
> Project: Apache AsterixDB
> Issue Type: Bug
> Components: OTH - Other
> Affects Versions: 0.9.9
> Reporter: Hussain Towaileb
> Assignee: Hussain Towaileb
> Priority: Major
> Fix For: 0.9.9
>
>
> jetty-util and jetty-util-ajax versions below 9.4.47 have the CVE:
> [https://nvd.nist.gov/vuln/detail/CVE-2022-2048#range-8130163]
> We have infected versions coming as transitive dependencies from the hadoop
> 3.3.2, hadoop seems to address this in 3.3.4 which is not released yet.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
