[ https://issues.apache.org/jira/browse/AVRO-2217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Fokko Driesprong resolved AVRO-2217.
------------------------------------
    Resolution: Fixed
      Assignee: Fokko Driesprong
 Fix Version/s: 1.9.0

Jackson and Apache are already updated. We will get rid of Guava in AVRO-2217.

> Vulnerabilities in avro bundled packages
> ----------------------------------------
>
>                 Key: AVRO-2217
>                 URL: https://issues.apache.org/jira/browse/AVRO-2217
>             Project: Apache Avro
>          Issue Type: Bug
>          Components: java
>    Affects Versions: 1.8.2
>            Reporter: Prasanth Pallamreddy
>            Assignee: Fokko Driesprong
>            Priority: Critical
>             Fix For: 1.9.0
>
>
> The following vulnerabilities exist in the packages bundled by Avro. These
> packages need to be upgraded to the latest versions. Although a few of these
> vulnerabilities were raised a couple of years ago in AVRO-1126, and an attempt
> was made to address the backwards compatibility issue in AVRO-1605, there does
> not appear to be a resolution. If there is no resolution on these issues, we
> may be forced to fork based on [this PR|https://github.com/apache/avro/pull/87].
>
> org.codehaus.jackson:jackson-mapper-asl:1.9.13, which is known to have these
> critical / high vulns:
> - [https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
> - [https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
> - [https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
> - [https://nvd.nist.gov/vuln/detail/CVE-2017-17485]
> - [https://nvd.nist.gov/vuln/detail/CVE-2018-5968]
>
> org.codehaus.jackson:jackson-core-asl:1.9.13, which has this high
> vulnerability:
> - [https://nvd.nist.gov/vuln/detail/CVE-2016-7051]
>
> org.apache.commons:commons-compress:1.8.1 has a DoS vulnerability:
> - [https://nvd.nist.gov/vuln/detail/CVE-2018-11771]
>
> com.google.guava:guava:11.0.2
> - [https://nvd.nist.gov/vuln/detail/CVE-2018-10237]
>
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
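A practitioner reading this issue usually wants to know whether their own build pulls in the transitive versions the reporter lists. The script below is an added example, not code from the issue or from the Avro project: it parses the text output of `mvn dependency:tree` and flags the four coordinates named above, with the CVE list the reporter attaches to each. Two things are assumptions rather than facts from the issue: the sample tree is constructed (it mimics an application depending on avro 1.8.2, it is not captured from a real build), and the rule that a release at or below the listed version is reported (the issue only names the exact versions; older releases are flagged on the assumption that the fixes are newer than them, so verify any hit against NVD).

```python
"""Flag the bundled dependency versions named in AVRO-2217 in `mvn dependency:tree` output."""
import re
import sys
from typing import Dict, List, Tuple

# Coordinates and versions named in the issue, with the CVEs the reporter cites for each.
# Assumption (not from the issue): anything at or below the listed version is reported.
KNOWN_BAD: Dict[Tuple[str, str], Tuple[str, List[str]]] = {
    ("org.codehaus.jackson", "jackson-mapper-asl"): ("1.9.13", [
        "CVE-2018-7489", "CVE-2017-15095", "CVE-2017-7525",
        "CVE-2017-17485", "CVE-2018-5968"]),
    ("org.codehaus.jackson", "jackson-core-asl"): ("1.9.13", ["CVE-2016-7051"]),
    ("org.apache.commons", "commons-compress"): ("1.8.1", ["CVE-2018-11771"]),
    ("com.google.guava", "guava"): ("11.0.2", ["CVE-2018-10237"]),
}

# Constructed sample of `mvn dependency:tree` text output; not captured from a real build.
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0
[INFO] +- org.apache.avro:avro:jar:1.8.2:compile
[INFO] |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] |  \\- org.apache.commons:commons-compress:jar:1.8.1:compile
[INFO] +- com.google.guava:guava:jar:11.0.2:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.25:compile
"""

# Strip the "[INFO]" prefix and the tree-drawing characters, keep the coordinate.
_COORD = re.compile(r"^\[INFO\]\s*[|+\\\- ]*(\S+:\S+)\s*$")


def _version_key(version: str) -> List[Tuple[int, object]]:
    """Sort key so that '1.10' > '1.9'; non-numeric parts (e.g. 'jre') sort after numbers."""
    key: List[Tuple[int, object]] = []
    for part in re.split(r"[.\-]", version):
        key.append((0, int(part)) if part.isdigit() else (1, part))
    return key


def parse_tree(text: str) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for each dependency line.

    Maven prints group:artifact:type[:classifier]:version:scope for dependencies;
    the root project line has no scope and is skipped.
    """
    deps: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        match = _COORD.match(line)
        if not match:
            continue
        parts = match.group(1).split(":")
        if len(parts) == 5:        # group:artifact:type:version:scope
            deps.append((parts[0], parts[1], parts[3]))
        elif len(parts) == 6:      # group:artifact:type:classifier:version:scope
            deps.append((parts[0], parts[1], parts[4]))
    return deps


def scan(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (groupId, artifactId, version, cves) for every dependency matching KNOWN_BAD."""
    findings = []
    for group, artifact, version in parse_tree(text):
        entry = KNOWN_BAD.get((group, artifact))
        if entry and _version_key(version) <= _version_key(entry[0]):
            findings.append((group, artifact, version, entry[1]))
    return findings


if __name__ == "__main__":
    # Pipe real output in with: mvn dependency:tree | python3 scan_avro_deps.py
    tree = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    for group, artifact, version, cves in scan(tree):
        print(f"{group}:{artifact}:{version}  {', '.join(cves)}")
```

The check is deliberately scoped to the coordinates in this issue; it is a quick gate for "does my build still ship the avro 1.8.2 bundle", not a substitute for a full dependency scanner. Note that a shaded or relocated copy of these libraries will not appear in the tree at all, so a clean result here says nothing about fat jars.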