[
https://issues.apache.org/jira/browse/QPID-8485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17229392#comment-17229392
]
ASF subversion and git services commented on QPID-8485:
-------------------------------------------------------
Commit a30bc3fccd9c076a82645ea660052f8600607519 in qpid-broker-j's branch
refs/heads/master from Dedeepya T
[ https://gitbox.apache.org/repos/asf?p=qpid-broker-j.git;h=a30bc3f ]
QPID-8485: [Broker-J] Upgrade guava to version 30.0-jre
This closes #69
> Upgrade guava version to latest
> -------------------------------
>
> Key: QPID-8485
> URL: https://issues.apache.org/jira/browse/QPID-8485
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Reporter: Dedeepya
> Priority: Minor
> Fix For: qpid-java-broker-8.0.3
>
>
> Security vulnerabilities are reported with the guava version below 28.2-jre.
> This package are vulnerable to Information Disclosure. The file permissions
> on the file created by com.google.common.io.Files.createTempDir allows an
> attacker running a malicious program co-resident on the same machine can
> steal secrets stored in this directory. This is because by default on
> unix-like operating systems the /temp directory is shared between all users,
> so if the correct file permissions aren't set by the directory/file creator,
> the file becomes readable by all other users on that system.
> [https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415]
> The Qpid Broker does not utilize the impacted functionality. Thus, it is not
> vulnerable to the reported issue. Though, we need to upgrade the guava
> version in order to stop from being flagged by scanning tools
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
