GitHub user robertdale opened a pull request:
https://github.com/apache/tinkerpop/pull/930
TINKERPOP-2032 bump jython-standalone 2.7.1
https://snyk.io/vuln/SNYK-JAVA-ORGPYTHON-31451
Overview
org.python:jython-standalone
Affected versions of this package are vulnerable to Arbitrary Code Execution by
sending a serialized function to the deserializer, which in turn will execute
the code.
References
[CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4000)
[Jython Bug Report](http://bugs.jython.org/issue2454)
[Fix Commit](https://hg.python.org/jython/rev/d06e29d100c0)
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/apache/tinkerpop TINKERPOP-2032
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/tinkerpop/pull/930.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #930
----
commit f70d108e0e9cace79565c658e6bac5c7e9f045ba
Author: Robert Dale <robdale@...>
Date: 2018-09-11T12:35:33Z
TINKERPOP-2032 bump jython-standalone 2.7.1
----
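The PR fixes the issue by bumping the dependency to 2.7.1. Reviewers of other projects that depend on jython-standalone may want a quick way to spot builds still pinned below that version. The following is an added example (not part of this PR or the TinkerPop code base) that parses a Maven pom.xml, resolves `${property}` version references, and flags org.python:jython-standalone below 2.7.1. The fixed-in threshold is taken from this PR's version bump, and the pom content is a constructed sample.

```python
"""Flag Maven dependencies on org.python:jython-standalone older than 2.7.1.

Added example, not TinkerPop code. The threshold (2.7.1) follows the version
this PR bumps to; any pre-release of 2.7.1 is treated conservatively as
still affected.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"
WATCHED = ("org.python", "jython-standalone")
FIXED_IN = (2, 7, 1)  # assumption: first release carrying the fix


def version_key(version):
    """Turn '2.7.1b3' into a sortable key: numeric parts, then a flag that
    ranks pre-releases (anything with a non-numeric suffix) below the
    final release with the same numbers."""
    parts = []
    prerelease = False
    for piece in version.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        if not m:
            prerelease = True
            break
        parts.append(int(m.group(1)))
        if m.group(2):          # e.g. '1b3' -> numeric 1 plus suffix 'b3'
            prerelease = True
            break
    return (tuple(parts), 0 if prerelease else 1)


def is_affected(version):
    """True when the version sorts below the fixed release."""
    return version_key(version) < (FIXED_IN, 1)


def resolve(value, props):
    """Expand ${name} references using the pom's <properties> block;
    unknown references are left as-is so they remain visible."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)


def find_affected(pom_xml):
    """Return (groupId, artifactId, version) for every watched dependency
    whose resolved version is below FIXED_IN."""
    root = ET.fromstring(pom_xml)
    props = {p.tag[len(POM_NS):]: (p.text or "").strip()
             for p in root.findall(f"{POM_NS}properties/*")}
    findings = []
    # root.iter also walks <dependencyManagement>, which is where pins live.
    for dep in root.iter(f"{POM_NS}dependency"):
        group = dep.findtext(f"{POM_NS}groupId", "").strip()
        artifact = dep.findtext(f"{POM_NS}artifactId", "").strip()
        version = resolve(dep.findtext(f"{POM_NS}version", "").strip(), props)
        if (group, artifact) == WATCHED and version and is_affected(version):
            findings.append((group, artifact, version))
    return findings


# Constructed sample pom: one pinned jython via a property, one unrelated dep.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <jython.version>2.7.0</jython.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.python</groupId>
      <artifactId>jython-standalone</artifactId>
      <version>${jython.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.tinkerpop</groupId>
      <artifactId>gremlin-core</artifactId>
      <version>3.3.3</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for g, a, v in find_affected(SAMPLE_POM):
        print(f"{g}:{a}:{v} is below {'.'.join(map(str, FIXED_IN))}; bump it")
```

Run it against a real pom by reading the file into `find_affected`; a hit means the build still resolves a jython-standalone older than the version this PR moves to.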