[ https://issues.apache.org/jira/browse/DIRKRB-760 ]

Albert Wang deleted comment on DIRKRB-760:
------------------------------------

was (Author: JIRAUSER293781):
Hi [~coheigea], sorry to bother you again.

I just want to share the info that I think kerby-kerb is not really impacted by CVE-2022-0084. The [fix|https://github.com/xnio/xnio/pull/291/files] for CVE-2022-0084 is in the file org.xnio.StreamConnection.java, in the two methods notifyReadClosed and notifyWriteClosed. kerby-kerb does not use org.xnio.StreamConnection.java. So, it is not a real problem.

Thank you.

Regards,
Albert

> The dependency library org.jboss.xnio:xnio-api:jar:3.8.4.Final has a
> vulnerability
> ----------------------------------------------------------------------------------
>
>                 Key: DIRKRB-760
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-760
>             Project: Directory Kerberos
>          Issue Type: Bug
>    Affects Versions: 2.0.2
>            Reporter: Albert Wang
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 2.0.3
>
>
> *org.apache.kerby:kerb-common:jar:2.0.2* has a dependency library
> *org.jboss.xnio:xnio-api:jar:3.8.4.Final*.
> *org.jboss.xnio:xnio-api:jar:3.8.4.Final* has a vulnerability CVE-2022-0084
> which is fixed in *3.8.8.Final*.
> Can we upgrade the dependency to *3.8.8.Final*? Or, can we confirm that
> *org.apache.kerby:kerb-common:jar:2.0.2* does not use the impacted method of
> *org.jboss.xnio:xnio-api:jar:3.8.4*?
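As an added example (not part of the ticket, Apache Kerby or XNIO), the kind of check behind the "does kerb-common use the patched class?" question: walk the constant pool of every .class in a jar and report which classes reference org/xnio/StreamConnection and the method names notifyReadClosed / notifyWriteClosed. The jar it scans is constructed inline; the org/example class names are placeholders.

```python
import io
import struct
import zipfile

# Bytes after the tag for fixed-size constant-pool tags (JVMS 4.4); Long (5) and Double (6) also take two slots.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def class_utf8_constants(data):
    """Return every CONSTANT_Utf8 string in a .class file's constant pool."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, idx, out = 10, 1, []
    while idx < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by that many bytes
            (length,) = struct.unpack_from(">H", data, pos)
            out.append(data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        else:
            pos += _FIXED[tag]
        idx += 2 if tag in (5, 6) else 1
    return out

def find_references(jar_bytes, class_name, method_names):
    """Map each .class entry mentioning class_name (internal form such as 'org/xnio/StreamConnection',
    descriptors included) to the method_names also present in its constant pool."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if entry.endswith(".class"):
                consts = class_utf8_constants(jar.read(entry))
                if any(class_name in c for c in consts):
                    hits[entry] = sorted(m for m in method_names if m in consts)
    return hits

def build_sample_jar():
    """Constructed jar: one class touching StreamConnection, one unrelated class.
    Each fake .class is a valid header plus a pool of Utf8 entries and one Class entry."""
    def fake_class(strings):
        pool = b"".join(struct.pack(">BH", 1, len(s)) + s.encode() for s in strings)
        pool += struct.pack(">BH", 7, 1)  # CONSTANT_Class -> Utf8 #1
        return struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(strings) + 2) + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/example/UsesXnio.class", fake_class(
            ["org/example/UsesXnio", "org/xnio/StreamConnection", "notifyReadClosed", "()V"]))
        jar.writestr("org/example/Clean.class", fake_class(
            ["org/example/Clean", "java/lang/Object", "<init>", "()V"]))
    return buf.getvalue()
```

A hit only proves a direct reference from that class; code can still reach StreamConnection through other xnio classes it does use, so a clean scan of kerb-common narrows the question rather than settling it.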