[
https://issues.apache.org/jira/browse/AVRO-2217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Fokko Driesprong resolved AVRO-2217.
------------------------------------
Resolution: Fixed
Assignee: Fokko Driesprong
Fix Version/s: 1.9.0
Jackson and Apache is already updated. We will get rid of Guava in AVRO-2217.
> Vulnerabilities in avro bundled packages
> ----------------------------------------
>
> Key: AVRO-2217
> URL: https://issues.apache.org/jira/browse/AVRO-2217
> Project: Apache Avro
> Issue Type: Bug
> Components: java
> Affects Versions: 1.8.2
> Reporter: Prasanth Pallamreddy
> Assignee: Fokko Driesprong
> Priority: Critical
> Fix For: 1.9.0
>
>
> The following vulnerabilities exist in the packages bundled by Avro. These
> packages need to be upgraded to the latest versions. Although a few of these
> vulnerabilities were raised a couple of years ago in AVRO-1126 and an attempt
> to address the backwards compatibility issue in AVRO-1605 there does not
> appear to be a resolution. If there is no resolution on these issues, we may
> be forced to fork based on [this PR|https://github.com/apache/avro/pull/87].
>
> org.codehaus.jackson:jackson-mapper-asl:1.9.13 which is known to have these
> critical / high vulns:
> [https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
> [https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
> [https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
> [https://nvd.nist.gov/vuln/detail/CVE-2017-17485]
> [https://nvd.nist.gov/vuln/detail/CVE-2018-5968]
> org.codehaus.jackson:jackson-core-asl:1.9.13 which has this high
> vulnerability:
> - [https://nvd.nist.gov/vuln/detail/CVE-2016-7051]
> org.apache.commons:commons-compress:1.8.1 has a DOS vulnerability:
> - [https://nvd.nist.gov/vuln/detail/CVE-2018-11771]
> com.google.guava:guava:11.0.2
> -[https://nvd.nist.gov/vuln/detail/CVE-2018-10237]
>
>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
