[ https://issues.apache.org/jira/browse/AVRO-2217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16684111#comment-16684111 ]

ASF GitHub Bot commented on AVRO-2217:
--------------------------------------

Fokko commented on issue #373: AVRO-2217 Bump Guava to patch security issues
URL: https://github.com/apache/avro/pull/373#issuecomment-437959848
 
 
   Oops, that's a typo, thanks @nandorKollar. I did a small bump since Guava
   is always dangerous to update. To keep compatibility, I've looked at several
   projects, and a couple of them use `14.0.1` :-)

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Vulnerabilities in avro bundled packages
> ----------------------------------------
>
>                 Key: AVRO-2217
>                 URL: https://issues.apache.org/jira/browse/AVRO-2217
>             Project: Apache Avro
>          Issue Type: Bug
>          Components: java
>    Affects Versions: 1.8.2
>            Reporter: Prasanth Pallamreddy
>            Priority: Critical
>
> The following vulnerabilities exist in the packages bundled by Avro. These
> packages need to be upgraded to the latest versions. Although a few of these
> vulnerabilities were raised a couple of years ago in AVRO-1126, and an attempt
> was made to address the backwards-compatibility issue in AVRO-1605, there does
> not appear to be a resolution. If there is no resolution on these issues, we may
> be forced to fork based on [this PR|https://github.com/apache/avro/pull/87].
>
> org.codehaus.jackson:jackson-mapper-asl:1.9.13, which is known to have these
> critical / high vulns:
>   - [https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
>   - [https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
>   - [https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
>   - [https://nvd.nist.gov/vuln/detail/CVE-2017-17485]
>   - [https://nvd.nist.gov/vuln/detail/CVE-2018-5968]
> org.codehaus.jackson:jackson-core-asl:1.9.13, which has this high
> vulnerability:
>   - [https://nvd.nist.gov/vuln/detail/CVE-2016-7051]
> org.apache.commons:commons-compress:1.8.1, which has a DoS vulnerability:
>   - [https://nvd.nist.gov/vuln/detail/CVE-2018-11771]
> com.google.guava:guava:11.0.2:
>   - [https://nvd.nist.gov/vuln/detail/CVE-2018-10237]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
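As an added example (not code from the Avro project or from anyone in this thread), here is a small audit script that parses `mvn dependency:tree` output and flags the exact coordinates the AVRO-2217 description lists as bundled and vulnerable. The sample tree embedded below is constructed for the example; it mirrors the Avro 1.8.2 transitives named in the issue plus the Guava `14.0.1` the PR comment mentions. Because the issue names only the vulnerable bundled versions and not which releases carry the fixes, any other version of the same artifact is reported as "check" (look it up against the linked NVD entries) rather than assumed fixed or vulnerable.

```python
import re
from typing import Dict, List, Tuple

# Coordinates and versions the AVRO-2217 description reports as bundled and
# vulnerable, with the CVE ids the issue cites for each. Taken from the issue
# text; nothing here states which later versions are fixed.
REPORTED_IN_AVRO_2217: Dict[str, Tuple[str, List[str]]] = {
    "org.codehaus.jackson:jackson-mapper-asl": ("1.9.13", [
        "CVE-2018-7489", "CVE-2017-15095", "CVE-2017-7525",
        "CVE-2017-17485", "CVE-2018-5968"]),
    "org.codehaus.jackson:jackson-core-asl": ("1.9.13", ["CVE-2016-7051"]),
    "org.apache.commons:commons-compress": ("1.8.1", ["CVE-2018-11771"]),
    "com.google.guava:guava": ("11.0.2", ["CVE-2018-10237"]),
}

# A dependency line of `mvn dependency:tree` output looks like
#   [INFO] |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
# i.e. tree art, then groupId:artifactId:packaging[:classifier]:version:scope.
# The root artifact line has no scope and is deliberately not matched.
_DEP_LINE = re.compile(
    r"^\[INFO\]\s+[|\s+\\-]*\s*"
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<pkg>[\w.-]+)"
    r"(?::(?P<classifier>[\w.-]+))?:(?P<version>[^:\s]+):(?P<scope>\w+)\s*$"
)

# Constructed sample output for this example (not a captured build log).
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0-SNAPSHOT
[INFO] +- org.apache.avro:avro:jar:1.8.2:compile
[INFO] |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] |  +- com.thoughtworks.paranamer:paranamer:jar:2.7:compile
[INFO] |  +- org.xerial.snappy:snappy-java:jar:1.1.1.3:compile
[INFO] |  +- org.apache.commons:commons-compress:jar:1.8.1:compile
[INFO] |  \\- org.tukaani:xz:jar:1.5:compile
[INFO] +- com.google.guava:guava:jar:14.0.1:compile
[INFO] \\- junit:junit:jar:4.12:test
[INFO] BUILD SUCCESS
"""


def parse_dependency_tree(text: str) -> List[Dict[str, str]]:
    """Return one dict (ga, version, scope) per resolved dependency line.

    Plugin banners, the root artifact line and other log noise do not match
    the line pattern and are skipped.
    """
    deps: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = _DEP_LINE.match(line)
        if m:
            deps.append({
                "ga": f"{m['group']}:{m['artifact']}",
                "version": m["version"],
                "scope": m["scope"],
            })
    return deps


def audit_against_avro_2217(text: str) -> List[Dict[str, object]]:
    """Flag dependencies matching the coordinates reported in AVRO-2217.

    status is "vulnerable" when the resolved version is exactly the one the
    issue names, and "check" for any other version of the same artifact,
    since the issue does not say which releases contain the fixes.
    """
    findings: List[Dict[str, object]] = []
    for dep in parse_dependency_tree(text):
        reported = REPORTED_IN_AVRO_2217.get(dep["ga"])
        if reported is None:
            continue
        reported_version, cves = reported
        status = "vulnerable" if dep["version"] == reported_version else "check"
        findings.append({**dep, "status": status, "cves": cves,
                         "reported_version": reported_version})
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_TREE with the real output of `mvn dependency:tree`.
    for f in audit_against_avro_2217(SAMPLE_TREE):
        print(f"{f['status']:10} {f['ga']}:{f['version']} "
              f"(reported {f['reported_version']}; {', '.join(f['cves'])})")
```

Pipe the real `mvn dependency:tree` output into `audit_against_avro_2217` to see which of the issue's coordinates your build actually resolves; a "check" result for Guava at `14.0.1` means the version differs from the one the issue lists, not that CVE-2018-10237 is addressed, so confirm it against the NVD entry before closing the finding.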
