[jira] [Commented] (FLUME-3253) JP Morgan Chase scan shows vulnerabilities for Splunk App using Apache Flume 1.8

Tue, 13 Nov 2018 14:10:13 -0800 


    [ 
https://issues.apache.org/jira/browse/FLUME-3253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16685820#comment-16685820
 ] 

ASF GitHub Bot commented on FLUME-3253:
---------------------------------------

GitHub user turcsanyip opened a pull request:

    https://github.com/apache/flume/pull/236

    FLUME-3253 Update jackson-databind dependecy to the latest version

    Reason: 2.8.9 has a vulnerability issue, fixed in 2.8.11+

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/turcsanyip/flume FLUME-3253

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/flume/pull/236.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #236
    
----
commit 22d363f9a74d08c5f97100e1c7219dd878a8c0b6
Author: turcsanyi <turcsanyi@...>
Date:   2018-11-13T22:08:23Z

    FLUME-3253 Update jackson-databind dependecy to the latest version
    
    Reason: 2.8.9 has a vulnerability issue, fixed in 2.8.11+

----


> JP Morgan Chase scan shows vulnerabilities for Splunk App using Apache Flume 
> 1.8
> --------------------------------------------------------------------------------
>
>                 Key: FLUME-3253
>                 URL: https://issues.apache.org/jira/browse/FLUME-3253
>             Project: Flume
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 1.8.0
>            Reporter: Steven Barger
>            Assignee: Peter Turcsanyi
>            Priority: Critical
>              Labels: patch
>             Fix For: 1.9.0
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> The Splunk app APM_Dynatrace ([https://splunkbase.splunk.com/app/1593/)] uses 
> Apache Flume 1.8 and has Jackson-Databind vulnerabilities that are detected 
> by our Black Duck scans.  This is a critical application for our Splunk 
> environment, and needs the updates for Apache Flume 1.8 and greater.  The 
> Jackson-Databind is updated in its versions 2.8.11+, but the Apache Flume is 
> only packaged with 2.8.9 version.  Please update the Apache Flume with the 
> latest Jackson-Databind update to resolve the vulnerability.  This needs 
> addressed as soon as possible in order for us to consider the Splunk app 
> APM_Dynatrace in our prod environment and it is a critical application.  This 
> has been escalated within JP Morgan Chase to our Dynatrace partners and rep 
> (Jason Freeman) and now requires Apache Flume to be updated.
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to