[
https://issues.apache.org/jira/browse/DIRKRB-760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17610796#comment-17610796
]
Albert Wang commented on DIRKRB-760:
------------------------------------
Hi [~coheigea], thank you for your reply. My company is using
org.apache.kerby:kerb-common:jar:2.0.2, and the CI/CD process complains about
the vulnerability CVE-2022-0084 in org.jboss.xnio:xnio-api:jar:3.8.4.
Since there is no plan for a 2.0.3 release yet, may I ask how kerb-common uses
xnio-api? Or do you think kerb-common is impacted by the CVE-2022-0084?
If not, I could add an exemption to our CI/CD process.
Thank you.
Regards,
Albert
> The dependency library org.jboss.xnio:xnio-api:jar:3.8.4.Final has a
> vulnerability
> ----------------------------------------------------------------------------------
>
> Key: DIRKRB-760
> URL: https://issues.apache.org/jira/browse/DIRKRB-760
> Project: Directory Kerberos
> Issue Type: Bug
> Affects Versions: 2.0.2
> Reporter: Albert Wang
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 2.0.3
>
>
> *org.apache.kerby:kerb-common:jar:2.0.2* has a dependency library
> *org.jboss.xnio:xnio-api:jar:3.8.4.Final*.
> *org.jboss.xnio:xnio-api:jar:3.8.4.Final* has a vulnerability CVE-2022-0084
> which is fixed in *3.8.8.Final*.
> Can we upgrade the dependency to *3.8.8.Final*? Or, can we confirm that
> *org.apache.kerby:kerb-common:jar:2.0.2* does not use the impact method of
> *org.jboss.xnio:xnio-api:jar:3.8.4*?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org
