[ https://issues.apache.org/jira/browse/DIRKRB-760 ]
Albert Wang deleted comment on DIRKRB-760:
------------------------------------
was (Author: JIRAUSER293781):
Hi [~coheigea], sorry to bother you again. I just want to share the info that I
think kerby-kerb is not really impacted by the CVE-2022-0084.
The [fix|https://github.com/xnio/xnio/pull/291/files] of the CVE-2022-0084 is
in the file org.xnio.StreamConnection.java, and in the two methods
notifyReadClosed and notifyWriteClosed.
The kerby-kerb does not use the org.xnio.StreamConnection.java.
So, it is not a real problem.
Thank you.
Regards,
Albert
> The dependency library org.jboss.xnio:xnio-api:jar:3.8.4.Final has a
> vulnerability
> ----------------------------------------------------------------------------------
>
> Key: DIRKRB-760
> URL: https://issues.apache.org/jira/browse/DIRKRB-760
> Project: Directory Kerberos
> Issue Type: Bug
> Affects Versions: 2.0.2
> Reporter: Albert Wang
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 2.0.3
>
>
> *org.apache.kerby:kerb-common:jar:2.0.2* has a dependency library
> *org.jboss.xnio:xnio-api:jar:3.8.4.Final*.
> *org.jboss.xnio:xnio-api:jar:3.8.4.Final* has a vulnerability CVE-2022-0084
> which is fixed in *3.8.8.Final*.
> Can we upgrade the dependency to *3.8.8.Final*? Or, can we confirm that
> *org.apache.kerby:kerb-common:jar:2.0.2* does not use the impact method of
> *org.jboss.xnio:xnio-api:jar:3.8.4*?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org
