[ https://issues.apache.org/jira/browse/SAMZA-2683?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Chen resolved SAMZA-2683.
--------------------------------
    Resolution: Fixed

closed in https://github.com/apache/samza/pull/1527

> Bump up Scalatra version to pull latest dependencies
> ----------------------------------------------------
>
>                 Key: SAMZA-2683
>                 URL: https://issues.apache.org/jira/browse/SAMZA-2683
>             Project: Samza
>          Issue Type: Improvement
>    Affects Versions: 1.6
>            Reporter: Daniel Chen
>            Assignee: Daniel Chen
>            Priority: Major
>             Fix For: 1.7
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Scalatra 2.5.0 is pulling in outdated libraries, namely log4j:1.2.14, which
> possesses security concerns:
> "Included in Log4j 1.2 is a SocketServer class that is vulnerable to
> deserialization of untrusted data which can be exploited to remotely execute
> arbitrary code when combined with a deserialization gadget when listening to
> untrusted network traffic for log data. This affects Log4j versions up to 1.2
> up to 1.2.17. Users are advised to migrate to
> `org.apache.logging.log4j:log4j-core` remediation: No fix is known for this
> vulnerability"
> The latest Scalatra 2.7.1 version no longer depends on this dangerous library

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
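As an added example (not part of the issue, the pull request, or Samza's own build), a Python check that walks `gradle dependencies` output and reports every chain ending in a log4j:log4j 1.2.x artifact, so the transitive pulled in by Scalatra can be traced to its source and the bump verified; the sample trees and the slf4j-log4j12 link under Scalatra are constructed assumptions.

```python
import re

# One node of `gradle dependencies` output: "|    \--- log4j:log4j:1.2.14" or "+--- a:b:1.0 -> 1.1"
NODE_RE = re.compile(r"^((?:[| ]    )*)[+\\]--- (\S+)(?: -> (\S+))?")

def dependency_paths(tree_text):
    """Yield the root-to-node coordinate path for every node in a Gradle dependency tree."""
    stack = []
    for line in tree_text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue  # configuration headers, blank lines, the (*) legend
        requested, resolved = m.group(2), m.group(3)
        if resolved:  # "a:b:1.0 -> 1.1": report the version Gradle actually resolved
            requested = ":".join(requested.split(":")[:2] + [resolved])
        del stack[len(m.group(1)) // 5:]  # each nesting level is a 5-character prefix
        stack.append(requested)
        yield list(stack)

def is_log4j1_affected(version):
    """Log4j 1.2 up to and including 1.2.17, the range named by the advisory quoted in the issue."""
    try:
        parts = tuple(int(p) for p in version.split(".")[:3])
    except ValueError:
        return False
    return parts[:2] == (1, 2) and parts <= (1, 2, 17)

def find_affected_log4j(tree_text):
    """Return 'root -> ... -> log4j:log4j:1.2.x' chains so the transitive can be traced to its origin."""
    hits = []
    for path in dependency_paths(tree_text):
        parts = path[-1].split(":")
        if len(parts) >= 3 and parts[:2] == ["log4j", "log4j"] and is_log4j1_affected(parts[2]):
            hits.append(" -> ".join(path))
    return hits

# Constructed sample trees (assumed chains, not taken from Samza's build): before and after the Scalatra bump.
BEFORE_BUMP = r"""
+--- org.scalatra:scalatra_2.11:2.5.0
|    +--- org.scalatra:scalatra-common_2.11:2.5.0
|    \--- org.slf4j:slf4j-log4j12:1.7.7
|         +--- org.slf4j:slf4j-api:1.7.7
|         \--- log4j:log4j:1.2.14
\--- org.slf4j:slf4j-api:1.7.7 (*)
"""
AFTER_BUMP = r"""
+--- org.scalatra:scalatra_2.12:2.7.1
|    \--- org.slf4j:slf4j-api:1.7.30
\--- org.slf4j:slf4j-api:1.7.25 -> 1.7.30
"""
```

Run `find_affected_log4j(BEFORE_BUMP)` against the real output of `./gradlew dependencies` to get the exact chain to remove; an empty list after the bump confirms no log4j 1.2.x remains on that configuration.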