[ https://issues.apache.org/jira/browse/QPID-8485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17228503#comment-17228503 ]

ASF GitHub Bot commented on QPID-8485:
--------------------------------------

Dedeepya-T opened a new pull request #69:
URL: https://github.com/apache/qpid-broker-j/pull/69


   Upgrade guava version to 30.0-jre


----------------------------------------------------------------
This is an automated message from the Apache Git Service.


> Upgrade guava version to latest
> -------------------------------
>
>                 Key: QPID-8485
>                 URL: https://issues.apache.org/jira/browse/QPID-8485
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>    Affects Versions: qpid-java-broker-8.0.2, qpid-java-broker-7.1.10
>            Reporter: Dedeepya
>            Priority: Minor
>             Fix For: qpid-java-broker-8.0.3
>
>
> Security vulnerabilities are reported with guava versions below 28.2-jre.
> This package is vulnerable to Information Disclosure. The file permissions 
> on the file created by com.google.common.io.Files.createTempDir allow an 
> attacker running a malicious program co-resident on the same machine to 
> steal secrets stored in this directory. This is because by default on 
> unix-like operating systems the /temp directory is shared between all users, 
> so if the correct file permissions aren't set by the directory/file creator, 
> the file becomes readable by all other users on that system.
> [https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415]
> So upgrade the guava version to version 30.0-jre.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
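
The permission problem described in the issue, shown with the JDK's own java.nio.file API as an added example (not code from Qpid Broker-J, Guava or the pull request): it creates a temporary directory with owner-only permissions set at creation time and reports any group/other bits found on a directory. The class name, method names and the `example-` prefixes are assumptions, and the code requires a POSIX file system.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

public class TempDirPermissions {
    // Bits that let accounts other than the owner list, enter or modify the directory.
    private static final Set<PosixFilePermission> NON_OWNER = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    /** Creates a temp directory whose mode is rwx------ from the moment it exists. */
    static Path createPrivateTempDir(String prefix) throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
        return Files.createTempDirectory(prefix, ownerOnly);
    }

    /** Returns the group/other bits set on dir; an empty set means owner-only. */
    static Set<PosixFilePermission> nonOwnerAccess(Path dir) throws IOException {
        Set<PosixFilePermission> granted = EnumSet.noneOf(PosixFilePermission.class);
        granted.addAll(Files.getPosixFilePermissions(dir));
        granted.retainAll(NON_OWNER);
        return granted;
    }

    public static void main(String[] args) throws IOException {
        Path safe = createPrivateTempDir("example-");
        // Constructed stand-in for a directory left readable by every local user.
        Path loose = Files.createTempDirectory("example-loose-");
        Files.setPosixFilePermissions(loose, PosixFilePermissions.fromString("rwxr-xr-x"));
        for (Path dir : new Path[] {safe, loose}) {
            Set<PosixFilePermission> extra = nonOwnerAccess(dir);
            String mode = PosixFilePermissions.toString(Files.getPosixFilePermissions(dir));
            System.out.println(dir + " " + mode
                    + (extra.isEmpty() ? " owner-only" : " exposed to other users: " + extra));
            Files.delete(dir);
        }
    }
}
```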
