[
https://issues.apache.org/jira/browse/CURATOR-502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17534724#comment-17534724
]
PJ Fanning commented on CURATOR-502:
------------------------------------
Would it be possible to consider upgrading guava beyond the version used in
[https://mvnrepository.com/artifact/org.apache.curator/curator-client/5.2.1]
(27.0.1-jre)?
This guava version has a CVE and downstream projects like Hadoop and Spark use
this guava version basically because curator-client requires it.
> Update dependency com.google.guava:guava of org.apache.curator:curator-client
> -----------------------------------------------------------------------------
>
> Key: CURATOR-502
> URL: https://issues.apache.org/jira/browse/CURATOR-502
> Project: Apache Curator
> Issue Type: Bug
> Components: Client
> Affects Versions: 4.1.0
> Reporter: DW
> Priority: Major
>
> Please update the dependency com.google.guava:guava of
> org.apache.curator:curator-client due to open security vulnerability of the
> used com.google.guava:guava 20.0 [(including) 11.0 up to (excluding) 24.1.1].
> Please upgrade to 24.1.1+. If you need the CVE number, let me know.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
