Jerry Chabot created PHOENIX-5078:
-------------------------------------
Summary: Phoenix depends on Guava 13.0.0 which has CVE-2018-10237
Key: PHOENIX-5078
URL: https://issues.apache.org/jira/browse/PHOENIX-5078
Project: Phoenix
Issue Type: Bug
Affects Versions: 4.14.1
Reporter: Jerry Chabot

Phoenix has a dependency on guava 13.0.1. This
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237 specifies a vulnerability
in Guava 11.0 through 24.x. It is an unbounded memory allocation that allows
remote attackers to conduct denial of service attacks. Does this apply to
Phoenix?

I want to upgrade our product dependency on Guava. But, doing so had caused
problems with Phoenix in the past. Currently, our product's Guava dependency
has been stuck at Guava 15.0 to avoid Phoenix issues.