Iv9eni opened a new pull request, #2098: URL: https://github.com/apache/zookeeper/pull/2098
See https://issues.apache.org/jira/browse/ZOOKEEPER-4778. We are using versions of dependencies that currently have high severity vulnerabilities that should be taken care of.

The first one appeared in io.netty_netty-codec:4.1.94.Final, which was fixed 58 days ago - https://nvd.nist.gov/vuln/detail/CVE-2023-44487. I have simply updated it to the recommended version in Prisma Cloud, which is 4.1.100.

The second vulnerability is in org.eclipse.jetty_jetty-io:9.4.52.v20230823, which was fixed 49 days ago in versions 11.0.16, 10.0.16 and 9.4.53 - https://nvd.nist.gov/vuln/detail/CVE-2023-36478. I simply patched it instead of using a new major version.

The final vulnerability is in two logback dependencies we use, ch.qos.logback_logback-core and ch.qos.logback_logback-classic, version 1.2.10. Fixes were found 16 days ago in versions 1.2.13, 1.3.12 and 1.4.12 - https://nvd.nist.gov/vuln/detail/CVE-2023-6378. I simply patched it instead of updating minor versions.

-- This is an automated message from the Apache Git Service.
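The PR description makes a point worth automating: each CVE is fixed on several release branches at once (Jetty 9.4.53 / 10.0.16 / 11.0.16, logback 1.2.13 / 1.3.12 / 1.4.12), so "is this version patched" has to be answered per branch, and Maven qualifiers such as `.Final` and `.v20230823` have to be ignored when comparing. The script below is an added example, not code from the ZooKeeper PR or project. The fixed versions and CVE numbers are the ones the PR lists; the `groupId:artifactId` coordinate form, the function names and the two constructed dependency maps are assumptions made for the illustration.

```python
"""Per-branch check of Maven dependency versions against first-fixed releases.

Added example; not part of the ZooKeeper PR or project code. The fixed
versions and CVE numbers are those stated in the PR description. The
coordinate format (groupId:artifactId), function names and sample
dependency maps are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

# First fixed version on each release branch, as listed in the PR text.
# Key: Maven coordinate. Value: {branch prefix: first fixed version}.
FIXED_VERSIONS: Dict[str, Dict[str, str]] = {
    "io.netty:netty-codec": {"4.1": "4.1.100"},                        # CVE-2023-44487
    "org.eclipse.jetty:jetty-io": {                                     # CVE-2023-36478
        "9.4": "9.4.53", "10.0": "10.0.16", "11.0": "11.0.16",
    },
    "ch.qos.logback:logback-core": {                                    # CVE-2023-6378
        "1.2": "1.2.13", "1.3": "1.3.12", "1.4": "1.4.12",
    },
    "ch.qos.logback:logback-classic": {                                 # CVE-2023-6378
        "1.2": "1.2.13", "1.3": "1.3.12", "1.4": "1.4.12",
    },
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Keep the leading dot-separated numeric fields of a Maven version.

    Qualifiers are dropped, so '4.1.94.Final' -> (4, 1, 94) and
    '9.4.52.v20230823' -> (9, 4, 52). Parsing stops at the first
    non-numeric field; nothing after it is compared.
    """
    fields: List[int] = []
    for part in version.split("."):
        if not part.isdigit():
            break
        fields.append(int(part))
    return tuple(fields)


def _padded(a: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    # Right-pad with zeros so (4, 1) compares as (4, 1, 0).
    return a + (0,) * (n - len(a))


def branch_of(parsed: Tuple[int, ...], branches: Dict[str, str]) -> Optional[str]:
    """Return the tracked branch prefix that 'parsed' belongs to, if any."""
    for prefix in branches:
        bp = parse_version(prefix)
        if parsed[: len(bp)] == bp:
            return prefix
    return None


def is_fixed(coordinate: str, version: str) -> Optional[bool]:
    """True if 'version' is at or past the first fixed release of its branch,
    False if it is still vulnerable, None if the coordinate or branch is
    not tracked (treat None as "check manually", never as "safe")."""
    branches = FIXED_VERSIONS.get(coordinate)
    if branches is None:
        return None
    parsed = parse_version(version)
    branch = branch_of(parsed, branches)
    if branch is None:
        return None
    fixed = parse_version(branches[branch])
    n = max(len(parsed), len(fixed))
    return _padded(parsed, n) >= _padded(fixed, n)


def audit(dependencies: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split a coordinate->version map into (vulnerable, untracked) lists."""
    vulnerable: List[str] = []
    untracked: List[str] = []
    for coordinate, version in sorted(dependencies.items()):
        verdict = is_fixed(coordinate, version)
        if verdict is False:
            vulnerable.append(coordinate)
        elif verdict is None:
            untracked.append(coordinate)
    return vulnerable, untracked


# Constructed sample input: the versions the PR names as vulnerable.
BEFORE = {
    "io.netty:netty-codec": "4.1.94.Final",
    "org.eclipse.jetty:jetty-io": "9.4.52.v20230823",
    "ch.qos.logback:logback-core": "1.2.10",
    "ch.qos.logback:logback-classic": "1.2.10",
}

# Constructed sample input: the same coordinates at the PR's target versions.
AFTER = {
    "io.netty:netty-codec": "4.1.100.Final",
    "org.eclipse.jetty:jetty-io": "9.4.53",
    "ch.qos.logback:logback-core": "1.2.13",
    "ch.qos.logback:logback-classic": "1.2.13",
}

if __name__ == "__main__":
    for label, deps in (("before", BEFORE), ("after", AFTER)):
        vuln, unknown = audit(deps)
        print(f"{label}: vulnerable={vuln} untracked={unknown}")
```

The check stays on the dependency's current branch, which mirrors the PR's choice to take 9.4.53 and 1.2.13 rather than jump to 11.x or 1.4.x; a version on an untracked branch (say a Jetty 12 line) comes back as `None` rather than `True`, so an out-of-date fix table cannot silently pass something.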