[ https://issues.apache.org/jira/browse/ARROW-1240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matt Darwin reopened ARROW-1240:
--------------------------------

Sorry, the fix was not correctly implemented, since logback is specified in multiple poms and was only fixed in one.

> security: upgrade logback to address CVE-2017-5929
> --------------------------------------------------
>
>                 Key: ARROW-1240
>                 URL: https://issues.apache.org/jira/browse/ARROW-1240
>             Project: Apache Arrow
>          Issue Type: Bug
>          Components: Java - Memory, Java - Vectors
>    Affects Versions: 0.4.1
>            Reporter: Matt Darwin
>            Assignee: Matt Darwin
>             Fix For: 0.6.0
>
>
> logback versions before 1.2.0 are affected by "a rather severe serialization
> vulnerability in SocketServer and ServerSocketReceiver".
> We should upgrade logback from 1.0.13 to the latest version (currently 1.2.3)
> in order to address this.
> See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
> and
> https://logback.qos.ch/news.html

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
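The reopen comment describes the classic multi-module failure mode: the version was bumped in one pom.xml while other modules kept their own hard-coded logback version. The script below is an added example (not code from Apache Arrow or from the issue) of the check a reviewer would want before closing such a ticket: walk a source tree, parse every pom.xml, resolve `${property}` versions against that pom's `<properties>`, and report any `ch.qos.logback` dependency still below 1.2.0, the first release fixing CVE-2017-5929. The three-pom tree it scans is constructed inline for the demo; the module names `memory` and `vector` and their versions are assumptions, not Arrow's actual layout.

```python
"""Find pom.xml files that still declare a logback version below the fixed release."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

FIXED_VERSION = (1, 2, 0)          # first logback release fixing CVE-2017-5929
LOGBACK_GROUP = "ch.qos.logback"
PROP_RE = re.compile(r"^\$\{([^}]+)\}$")


def _local(tag):
    """Strip the Maven XML namespace so tags compare as plain names."""
    return tag.rsplit("}", 1)[-1]


def parse_version(text):
    """Turn '1.0.13' into (1, 0, 13); trailing non-numeric parts such as '-SNAPSHOT' are dropped.
    An unresolved '${prop}' yields (), which sorts below every real version and so gets flagged."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def logback_versions(pom_path):
    """Return [(artifactId, version)] for every logback dependency in one pom,
    including those under <dependencyManagement>. ${property} references are
    resolved against the same pom's <properties>; a dependency with no version
    (inherited from a parent) is reported with version None."""
    root = ET.parse(pom_path).getroot()
    props = {}
    for node in root.iter():
        if _local(node.tag) == "properties":
            for p in node:
                props[_local(p.tag)] = (p.text or "").strip()
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") != LOGBACK_GROUP:
            continue
        version = fields.get("version")
        if version is not None:
            m = PROP_RE.match(version)
            if m:
                version = props.get(m.group(1), version)
        found.append((fields.get("artifactId", "?"), version))
    return found


def vulnerable_poms(root_dir, fixed=FIXED_VERSION):
    """Return {relative pom path: [(artifactId, version)]} for poms still below `fixed`."""
    result = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        if "pom.xml" not in files:
            continue
        path = os.path.join(dirpath, "pom.xml")
        bad = [(a, v) for a, v in logback_versions(path)
               if v is not None and parse_version(v) < fixed]
        if bad:
            result[os.path.relpath(path, root_dir).replace(os.sep, "/")] = bad
    return result


# Constructed sample poms (not Arrow's real build files): a parent that manages
# logback via a property, one module that still hard-codes 1.0.13, one already fixed.
ROOT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>parent</artifactId><version>1.0</version>
  <properties><logback.version>1.2.3</logback.version></properties>
  <dependencyManagement><dependencies><dependency>
    <groupId>ch.qos.logback</groupId><artifactId>logback-classic</artifactId>
    <version>${logback.version}</version>
  </dependency></dependencies></dependencyManagement>
</project>"""


def module_pom(version):
    return """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>module</artifactId>
  <dependencies><dependency>
    <groupId>ch.qos.logback</groupId><artifactId>logback-classic</artifactId>
    <version>VERSION</version>
  </dependency></dependencies>
</project>""".replace("VERSION", version)


def demo():
    """Write the constructed tree to a temp dir, scan it, and return the offending poms."""
    with tempfile.TemporaryDirectory() as tmp:
        layout = {"pom.xml": ROOT_POM,
                  os.path.join("memory", "pom.xml"): module_pom("1.0.13"),  # missed by the first fix
                  os.path.join("vector", "pom.xml"): module_pom("1.2.3")}   # already upgraded
        for rel, text in layout.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(text)
        return vulnerable_poms(tmp)


if __name__ == "__main__":
    for pom, deps in demo().items():
        print(pom, deps)
```

Run it against a real checkout with `vulnerable_poms(".")`; an empty result is the condition for closing the ticket, and any pom reported with version `()` means a property the script could not resolve locally and should be checked by hand.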