[ https://issues.apache.org/jira/browse/ZOOKEEPER-4644?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mate Szalay-Beko resolved ZOOKEEPER-4644.
-----------------------------------------
    Fix Version/s: 3.6.4
       Resolution: Fixed

Issue resolved by pull request 1957
[https://github.com/apache/zookeeper/pull/1957]

> Update 3rd party library versions before release 3.6.4
> ------------------------------------------------------
>
>                 Key: ZOOKEEPER-4644
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4644
>             Project: ZooKeeper
>          Issue Type: Task
>    Affects Versions: 3.6.3
>            Reporter: Mate Szalay-Beko
>            Assignee: Mate Szalay-Beko
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.6.4
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> The last 3.6 release happened a long time ago and before releasing 3.6.4, we
> need to make sure that no 3rd party libraries have any CVE issues. I ran CVE
> checks and compared the 3pp library versions between the active branches and
> plan to update some libraries.
>
> {code:java}
> mvn clean package -DskipTests dependency-check:check
> (...)
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project zookeeper:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] commons-cli-1.2.jar: CVE-2021-37533(6.5)
> [ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5), CVE-2022-42004(7.5)
> [ERROR] jetty-io-9.4.43.v20210629.jar: CVE-2022-2047(2.7), CVE-2022-2048(7.5)
> [ERROR] jetty-server-9.4.43.v20210629.jar: CVE-2022-2047(2.7), CVE-2022-2048(7.5)
> [ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-24823(5.5)
> {code}
> Besides these we might need to update some maven plugins.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
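Triaging the dependency-check output quoted above, as an added example (this is not code from the issue or from the ZooKeeper project): it parses the plugin's `[ERROR]` summary lines into (jar, CVE, CVSS) findings, applies the same threshold rule the plugin's `failBuildOnCVSS` setting uses (the `'0.0'` in the log means every finding fails the build), groups findings per artifact so one version bump per artifact can be planned, and lists CVEs reported against more than one jar (the jetty-io / jetty-server pair), which come from one upstream release and have to be bumped together. The sample input is constructed in the shape of the issue's log, and all function names here are my own.

```python
import re

# Constructed sample input: the [ERROR] summary lines in the shape
# dependency-check-maven 7.x prints them (copied in form from the issue
# text above, not captured from a real build here).
SAMPLE_OUTPUT = """\
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project zookeeper:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] commons-cli-1.2.jar: CVE-2021-37533(6.5)
[ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5), CVE-2022-42004(7.5)
[ERROR] jetty-io-9.4.43.v20210629.jar: CVE-2022-2047(2.7), CVE-2022-2048(7.5)
[ERROR] jetty-server-9.4.43.v20210629.jar: CVE-2022-2047(2.7), CVE-2022-2048(7.5)
[ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-24823(5.5)
"""

# One finding line: "[ERROR] <file>.jar: CVE-...(score), CVE-...(score)"
FINDING_LINE = re.compile(r"^\[ERROR\]\s+(?P<jar>\S+\.jar):\s+(?P<cves>.+)$")
CVE_ENTRY = re.compile(r"(?P<id>CVE-\d{4}-\d{4,})\((?P<score>\d+(?:\.\d+)?)\)")
# "<artifactId>-<version>.jar": the version starts at the first "-<digit>"
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def parse_findings(text):
    """Return [(jar, cve_id, cvss), ...] from dependency-check's [ERROR] summary."""
    findings = []
    for line in text.splitlines():
        m = FINDING_LINE.match(line)
        if not m:
            continue  # header and bare "[ERROR]" lines carry no finding
        for c in CVE_ENTRY.finditer(m.group("cves")):
            findings.append((m.group("jar"), c.group("id"), float(c.group("score"))))
    return findings


def split_jar(jar):
    """'jetty-io-9.4.43.v20210629.jar' -> ('jetty-io', '9.4.43.v20210629')."""
    m = JAR_NAME.match(jar)
    if not m:
        return (jar, "")
    return (m.group("artifact"), m.group("version"))


def failing(findings, fail_on_cvss):
    """Same rule as failBuildOnCVSS: a finding fails the build if score >= threshold."""
    return [f for f in findings if f[2] >= fail_on_cvss]


def upgrade_plan(findings):
    """{artifact: (current_version, worst_cvss, sorted unique CVE ids)}.
    One version bump per artifact clears every CVE in its group; the worst
    score is what to sort the work by."""
    plan = {}
    for jar, cve, score in findings:
        artifact, version = split_jar(jar)
        cur = plan.setdefault(artifact, [version, 0.0, set()])
        cur[1] = max(cur[1], score)
        cur[2].add(cve)
    return {a: (v, worst, sorted(ids)) for a, (v, worst, ids) in plan.items()}


def shared_cves(findings):
    """CVE ids reported against more than one jar: these belong to one upstream
    release (here jetty-io and jetty-server) and must be bumped together."""
    jars_by_cve = {}
    for jar, cve, _ in findings:
        jars_by_cve.setdefault(cve, set()).add(jar)
    return {cve: sorted(jars) for cve, jars in jars_by_cve.items() if len(jars) > 1}


if __name__ == "__main__":
    found = parse_findings(SAMPLE_OUTPUT)
    for artifact, (version, worst, ids) in sorted(
            upgrade_plan(found).items(), key=lambda kv: -kv[1][1]):
        print(f"{artifact:<18} {version:<18} worst CVSS {worst:>4}  {', '.join(ids)}")
    print("fails at 7.0:", [f[1] for f in failing(found, 7.0)])
    print("shared CVEs:", shared_cves(found))
```

Run it against a saved `mvn ... dependency-check:check` log instead of the constructed sample to get the per-artifact list; the threshold argument to `failing` lets you see which findings would still break the build after raising `failBuildOnCVSS` above the default.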