[ https://issues.apache.org/jira/browse/QPID-8485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17229392#comment-17229392 ]
ASF subversion and git services commented on QPID-8485: ------------------------------------------------------- Commit a30bc3fccd9c076a82645ea660052f8600607519 in qpid-broker-j's branch refs/heads/master from Dedeepya T [ https://gitbox.apache.org/repos/asf?p=qpid-broker-j.git;h=a30bc3f ] QPID-8485: [Broker-J] Upgrade guava to version 30.0-jre This closes #69 > Upgrade guava version to latest > ------------------------------- > > Key: QPID-8485 > URL: https://issues.apache.org/jira/browse/QPID-8485 > Project: Qpid > Issue Type: Improvement > Components: Broker-J > Reporter: Dedeepya > Priority: Minor > Fix For: qpid-java-broker-8.0.3 > > > Security vulnerabilities are reported with the guava version below 28.2-jre. > This package are vulnerable to Information Disclosure. The file permissions > on the file created by com.google.common.io.Files.createTempDir allows an > attacker running a malicious program co-resident on the same machine can > steal secrets stored in this directory. This is because by default on > unix-like operating systems the /temp directory is shared between all users, > so if the correct file permissions aren't set by the directory/file creator, > the file becomes readable by all other users on that system. > [https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415] > The Qpid Broker does not utilize the impacted functionality. Thus, it is not > vulnerable to the reported issue. Though, we need to upgrade the guava > version in order to stop from being flagged by scanning tools -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org