[https://issues.apache.org/jira/browse/ZOOKEEPER-4644?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
Mate Szalay-Beko resolved ZOOKEEPER-4644.
-----------------------------------------
Fix Version/s: 3.6.4
Resolution: Fixed
Issue resolved by pull request 1957
[https://github.com/apache/zookeeper/pull/1957]
> Update 3rd party library versions before release 3.6.4
> ------------------------------------------------------
>
> Key: ZOOKEEPER-4644
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4644
> Project: ZooKeeper
> Issue Type: Task
> Affects Versions: 3.6.3
> Reporter: Mate Szalay-Beko
> Assignee: Mate Szalay-Beko
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.6.4
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> The last 3.6 release happened a long time ago and before releasing 3.6.4, we
> need to make sure that no 3rd party libraries have any CVE issues. I ran CVE
> checks and compared the 3pp library versions between the active branches and
> plan to update some libraries.
>
> {code:java}
> mvn clean package -DskipTests dependency-check:check
> (...)
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project zookeeper:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] commons-cli-1.2.jar: CVE-2021-37533(6.5)
> [ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5), CVE-2022-42004(7.5)
> [ERROR] jetty-io-9.4.43.v20210629.jar: CVE-2022-2047(2.7), CVE-2022-2048(7.5)
> [ERROR] jetty-server-9.4.43.v20210629.jar: CVE-2022-2047(2.7), CVE-2022-2048(7.5)
> [ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-24823(5.5)
> {code}
> Besides these, we might need to update some Maven plugins.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
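The issue description runs `dependency-check:check` with a failure threshold of 0.0, so every finding, from the 2.7-scored jetty CVE to the 7.5-scored jackson-databind ones, fails the build equally. When triaging which upgrades to prioritise for a release, it helps to parse that report and group the findings by artifact and worst CVSS score. The script below is an added example, not code from the ZooKeeper project or from the reporter; it reads the `[ERROR]` lines quoted in the issue (embedded here as constructed sample input, wrapped the way a mail client wraps long lines), rejoins wrapped lines, extracts each jar's CVE list, and reports the jars whose worst finding meets a chosen threshold. The regexes and function names are assumptions made for this example; the plugin itself does not emit structured output on the console, so in practice the same data would come from its JSON or XML report.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the dependency-check-maven console output quoted in
# ZOOKEEPER-4644, with long lines wrapped the way mail clients wrap them.
SAMPLE_OUTPUT = """\
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check
(default-cli) on project zookeeper:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that
have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] commons-cli-1.2.jar: CVE-2021-37533(6.5)
[ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5),
CVE-2022-42004(7.5)
[ERROR] jetty-io-9.4.43.v20210629.jar: CVE-2022-2047(2.7), CVE-2022-2048(7.5)
[ERROR] jetty-server-9.4.43.v20210629.jar: CVE-2022-2047(2.7),
CVE-2022-2048(7.5)
[ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-24823(5.5)
"""

# A finding line: "[ERROR] <artifact>.jar: CVE-...(score), CVE-...(score)"
JAR_LINE = re.compile(r"^\[ERROR\] (?P<jar>\S+\.jar): (?P<findings>.+)$")
# One "CVE-YYYY-NNNN(score)" entry inside the findings part of that line.
CVE_ENTRY = re.compile(r"(?P<cve>CVE-\d{4}-\d{4,})\((?P<score>\d+(?:\.\d+)?)\)")


def unwrap(text: str) -> List[str]:
    """Join mail-wrapped continuation lines back onto the preceding log line.

    Maven log lines start with a bracketed level such as "[ERROR]"; any line
    that does not is treated as the tail of the previous line.
    """
    records: List[str] = []
    for line in text.splitlines():
        if line.startswith("[") or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + " " + line.strip()
    return records


def parse_findings(text: str) -> Dict[str, List[Tuple[str, float]]]:
    """Map each flagged jar to its list of (CVE id, CVSS score) pairs."""
    findings: Dict[str, List[Tuple[str, float]]] = {}
    for record in unwrap(text):
        match = JAR_LINE.match(record)
        if not match:
            continue  # "Failed to execute goal", summary lines, bare "[ERROR]"
        cves = [
            (entry.group("cve"), float(entry.group("score")))
            for entry in CVE_ENTRY.finditer(match.group("findings"))
        ]
        findings[match.group("jar")] = cves
    return findings


def jars_at_or_above(
    findings: Dict[str, List[Tuple[str, float]]], threshold: float
) -> Dict[str, float]:
    """Return jar -> worst CVSS score, for jars whose worst finding meets the threshold."""
    worst_by_jar: Dict[str, float] = {}
    for jar, cves in findings.items():
        worst = max((score for _, score in cves), default=0.0)
        if worst >= threshold:
            worst_by_jar[jar] = worst
    return worst_by_jar


if __name__ == "__main__":
    parsed = parse_findings(SAMPLE_OUTPUT)
    for jar, worst in sorted(jars_at_or_above(parsed, 7.0).items()):
        ids = ", ".join(cve for cve, _ in parsed[jar])
        print(f"{jar}: worst CVSS {worst} ({ids})")
```

Run against the quoted output with a threshold of 7.0, this lists only the jackson-databind and the two jetty artifacts; commons-cli (6.5) and netty-transport (5.5) still need upgrading before release, but the ordering makes clear which upgrades to verify first. The threshold in the report itself comes from the plugin's `failBuildOnCVSS` setting, which the ZooKeeper build evidently leaves at 0.0 so that any known CVE fails the build.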