XuCongying created GIRAPH-1232:
----------------------------------

Summary: Some dependencies contain CVEs
Key: GIRAPH-1232
URL: https://issues.apache.org/jira/browse/GIRAPH-1232
Project: Giraph
Issue Type: Bug
Reporter: XuCongying

Hi, I have noticed that some library CVEs may be related to your projects. To prevent potential risk it may cause, I suggest a library update. Please note the following details.

Vulnerable Library Version: commons-collections : commons-collections : 3.2.1
CVE ID: [CVE-2015-6420](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6420)
Import Path: giraph-hbase/pom.xml, giraph-dist/pom.xml...(The rest of the 14 paths is hidden.)
Suggested Safe Versions: 20030418.083655, 20031027.000000, 20040102.233541, 20040616, 3.2.2

Vulnerable Library Version: org.apache.hadoop : hadoop-yarn-server-nodemanager : 2.5.1
CVE ID: [CVE-2016-6811](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6811), [CVE-2014-3627](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3627), [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029)
Import Path: giraph-block-app/pom.xml, giraph-rexster/giraph-kibble/pom.xml, giraph-rexster/pom.xml, giraph-rexster/giraph-rexster-io/pom.xml, giraph-block-app-8/pom.xml, pom.xml, giraph-gora/pom.xml, giraph-debugger/pom.xml
Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1

Vulnerable Library Version: org.apache.hive : hive-exec : 0.11.0
CVE ID: [CVE-2014-0228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0228), [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
Import Path: giraph-hcatalog/pom.xml
Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2

Vulnerable Library Version: org.apache.thrift : libthrift : 0.9.0
CVE ID: [CVE-2018-1320](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1320)
Import Path: giraph-hcatalog/pom.xml
Suggested Safe Versions: 0.12.0, 0.13.0

Vulnerable Library Version: org.apache.zookeeper : zookeeper : 3.4.5
CVE ID: [CVE-2017-5637](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5637), [CVE-2018-8012](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8012), [CVE-2019-0201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0201), [CVE-2014-0085](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0085)
Import Path: giraph-core/pom.xml, giraph-rexster/giraph-rexster-io/pom.xml, giraph-examples/pom.xml, giraph-gora/pom.xml
Suggested Safe Versions: 3.4.14, 3.5.5, 3.5.6, 3.5.7

Vulnerable Library Version: org.apache.hadoop : hadoop-yarn-common : 2.5.1
CVE ID: [CVE-2014-3627](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3627)
Import Path: giraph-block-app/pom.xml, giraph-rexster/giraph-kibble/pom.xml, giraph-rexster/pom.xml, giraph-rexster/giraph-rexster-io/pom.xml, giraph-block-app-8/pom.xml, pom.xml, giraph-gora/pom.xml, giraph-debugger/pom.xml
Suggested Safe Versions: 2.10.0, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.9.0, 2.9.1, 2.9.2, 3.0.0, 3.0.0-alpha1, 3.0.0-alpha2, 3.0.0-alpha3, 3.0.0-alpha4, 3.0.0-beta1, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1

Vulnerable Library Version: org.apache.hadoop : hadoop-common : 2.5.1
CVE ID: [CVE-2016-6811](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6811), [CVE-2017-15713](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713), [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029), [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009)
Import Path: giraph-block-app/pom.xml, giraph-rexster/giraph-kibble/pom.xml, giraph-rexster/pom.xml, giraph-rexster/giraph-rexster-io/pom.xml, giraph-block-app-8/pom.xml, pom.xml, giraph-gora/pom.xml, giraph-debugger/pom.xml
Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1

Vulnerable Library Version: org.apache.hadoop : hadoop-mapreduce-client-core : 2.5.1
CVE ID: [CVE-2017-3166](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3166)
Import Path: giraph-block-app/pom.xml, giraph-rexster/giraph-kibble/pom.xml, giraph-rexster/pom.xml, giraph-rexster/giraph-rexster-io/pom.xml, giraph-block-app-8/pom.xml, pom.xml, giraph-gora/pom.xml, giraph-debugger/pom.xml
Suggested Safe Versions: 2.10.0, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.9.0, 2.9.1, 2.9.2, 3.0.0-alpha4, 3.0.0-beta1, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1

Vulnerable Library Version: com.google.guava : guava : 21.0
CVE ID: [CVE-2018-10237](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237)
Import Path: giraph-hbase/pom.xml, giraph-core/pom.xml, giraph-hcatalog/pom.xml, giraph-block-app/pom.xml, giraph-rexster/giraph-rexster-io/pom.xml, giraph-block-app-8/pom.xml, giraph-accumulo/pom.xml, giraph-examples/pom.xml, giraph-debugger/pom.xml
Suggested Safe Versions: 24.1.1-android, 24.1.1-jre, 25.0-android, 25.0-jre, 25.1-android, 25.1-jre, 26.0-android, 26.0-jre, 27.0-android, 27.0-jre, 27.0.1-android, 27.0.1-jre, 27.1-android, 27.1-jre, 28.0-android, 28.0-jre, 28.1-android, 28.1-jre, 28.2-android, 28.2-jre

Vulnerable Library Version: commons-httpclient : commons-httpclient : 3.0.1
CVE ID: [CVE-2014-3577](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3577), [CVE-2012-5783](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783), [CVE-2012-6153](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6153)
Import Path: giraph-hbase/pom.xml, giraph-dist/pom.xml...(The rest of the 14 paths is hidden.)
Suggested Safe Versions: 3.0alpha2

--
This message was sent by Atlassian Jira (v8.3.4#803005)