[ https://issues.apache.org/jira/browse/DIRKRB-760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17610796#comment-17610796 ]
Albert Wang commented on DIRKRB-760:
------------------------------------

Hi [~coheigea], thank you for your reply. My company is using org.apache.kerby:kerb-common:jar:2.0.2, and the CI/CD process complains about the vulnerability CVE-2022-0084 in org.jboss.xnio:xnio-api:jar:3.8.4. Since there is no plan for a 2.0.3 release yet, may I ask how kerb-common uses xnio-api? Or do you think kerb-common is impacted by CVE-2022-0084? If not, I could add an exemption to our CI/CD process. Thank you.

Regards,
Albert

> The dependency library org.jboss.xnio:xnio-api:jar:3.8.4.Final has a vulnerability
> ----------------------------------------------------------------------------------
>
> Key: DIRKRB-760
> URL: https://issues.apache.org/jira/browse/DIRKRB-760
> Project: Directory Kerberos
> Issue Type: Bug
> Affects Versions: 2.0.2
> Reporter: Albert Wang
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 2.0.3
>
>
> *org.apache.kerby:kerb-common:jar:2.0.2* has a dependency library *org.jboss.xnio:xnio-api:jar:3.8.4.Final*.
> *org.jboss.xnio:xnio-api:jar:3.8.4.Final* has a vulnerability CVE-2022-0084 which is fixed in *3.8.8.Final*.
> Can we upgrade the dependency to *3.8.8.Final*? Or, can we confirm that *org.apache.kerby:kerb-common:jar:2.0.2* does not use the impacted method of *org.jboss.xnio:xnio-api:jar:3.8.4*?

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org
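The situation described in this thread, a transitive dependency flagged by a scanner while the direct dependency has no patched release yet, is usually handled on the consumer side rather than by waiting for the upstream release. The Maven fragment below is an added example and is not part of the Apache Kerby project or of this issue; the coordinates and versions are the ones quoted in the issue, and the surrounding pom.xml is assumed to be the consumer's own build. It pins the transitive org.jboss.xnio:xnio-api to the fixed 3.8.8.Final via dependencyManagement, which overrides the version kerb-common declares without changing kerb-common itself.

```xml
<!-- Consumer-side pom.xml fragment (example, not Kerby's own build).
     dependencyManagement wins over versions declared by transitive
     dependencies, so kerb-common 2.0.2 will resolve xnio-api 3.8.8.Final
     instead of the 3.8.4.Final it asks for. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.jboss.xnio</groupId>
      <artifactId>xnio-api</artifactId>
      <!-- version named in the issue as containing the fix for CVE-2022-0084 -->
      <version>3.8.8.Final</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <dependency>
    <groupId>org.apache.kerby</groupId>
    <artifactId>kerb-common</artifactId>
    <version>2.0.2</version>
    <!-- Alternative to the pin above: drop xnio-api entirely. Only do this
         after confirming it is never loaded at runtime, otherwise the
         application fails with NoClassDefFoundError the first time the
         missing class is touched. Uncomment to use instead of the pin.
    <exclusions>
      <exclusion>
        <groupId>org.jboss.xnio</groupId>
        <artifactId>xnio-api</artifactId>
      </exclusion>
    </exclusions>
    -->
  </dependency>
</dependencies>
```

Before choosing between the pin and the exclusion, confirm which path actually pulls xnio-api in with `mvn dependency:tree -Dincludes=org.jboss.xnio:xnio-api`, and re-run the same command afterwards so the CI/CD scanner's finding is closed by the resolved version rather than by an exemption. A pin is the lower-risk change: it keeps the classes present and only moves to the patched release, while an exclusion trades the scanner finding for a possible runtime failure if the assumption that the library is unused turns out to be wrong.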