[jira] [Commented] (SLING-11124) Update Guava Dependency for CVE CVE-2018-10237 and CVE-2020-8908
[ https://issues.apache.org/jira/browse/SLING-11124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17488087#comment-17488087 ]

Andrei Dulvac commented on SLING-11124:
---

bq. I prefer to rather remove that guava dependency altogether

That actually makes sense in this particular case, I agree.

> Update Guava Dependency for CVE CVE-2018-10237 and CVE-2020-8908
>
> Key: SLING-11124
> URL: https://issues.apache.org/jira/browse/SLING-11124
> Project: Sling
> Issue Type: Task
> Components: Apache Sling Testing Clients
> Affects Versions: Apache Sling Testing Clients 3.0.8
> Reporter: Andrei Tuicu
> Assignee: Andrei Dulvac
> Priority: Major
> Fix For: Apache Sling Testing Clients 3.0.8
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Sling testing clients are using com.google.guava guava 14.0.1 which is
> vulnerable to CVE-2018-10237 (MEDIUM) [1] and CVE-2020-8908 (LOW) [2].
> Mitigation: update to latest guava 31.0.1-android
> [1] https://www.cvedetails.com/cve/CVE-2018-10237/
> [2] https://www.cvedetails.com/cve/CVE-2020-8908/

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
[jira] [Commented] (SLING-11124) Update Guava Dependency for CVE CVE-2018-10237 and CVE-2020-8908
[ https://issues.apache.org/jira/browse/SLING-11124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17488021#comment-17488021 ]

Carsten Ziegeler commented on SLING-11124:
--

[~andrei.dulvac] The dependencies are not embedded - and there is only a single usage of guava in the code: two minor string util methods from the Strings class. I prefer to rather remove that guava dependency altogether to avoid any trouble, as [~enorman] points out.
[jira] [Commented] (SLING-11124) Update Guava Dependency for CVE CVE-2018-10237 and CVE-2020-8908
[ https://issues.apache.org/jira/browse/SLING-11124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487995#comment-17487995 ]

Andrei Dulvac commented on SLING-11124:
---

[~enorman], thanks for pointing that out. I haven't tested it either with oak, but the reality is this is almost exclusively (I don't know of a use-case where it isn't) used as a client-side library in automated tests, even though we package it as an OSGi bundle. Also, I think that shouldn't matter anyway, as dependencies in the testing clients bundle are embedded.
[jira] [Commented] (SLING-11124) Update Guava Dependency for CVE CVE-2018-10237 and CVE-2020-8908
[ https://issues.apache.org/jira/browse/SLING-11124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487218#comment-17487218 ]

Eric Norman commented on SLING-11124:
-

[~andrei.dulvac] I haven't checked this, but do you anticipate any conflicts with OAK, which I believe is still stuck on guava version 15 (see OAK-7182)? For example, if a project depends on both oak and o.a.sling.testing.clients, is it going to have troubles?
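The classpath conflict Eric Norman asks about (Oak on guava 15, testing clients moving to 31.0.1-android) can be spotted by scanning `mvn dependency:tree -Dverbose` output for more than one guava version. The POSIX shell check below is an added example, not code from the thread, Sling or Oak; the dependency tree is constructed sample output and the Oak and project versions in it are placeholders.

```shell
#!/bin/sh
# Constructed sample of `mvn dependency:tree -Dverbose` output for a project
# that depends on both Oak and the Sling testing clients (versions are
# placeholders, not real coordinates).
SAMPLE_TREE='[INFO] com.example:both-deps:jar:X.Y.Z-PLACEHOLDER
[INFO] +- org.apache.jackrabbit:oak-core:jar:OAK-VERSION-PLACEHOLDER:compile
[INFO] |  \- com.google.guava:guava:jar:15.0:compile
[INFO] \- org.apache.sling:org.apache.sling.testing.clients:jar:3.0.8:test
[INFO]    \- (com.google.guava:guava:jar:31.0.1-android:test - omitted for conflict with 15.0)'

# guava_versions TREE: print each distinct com.google.guava:guava version
# found in the tree text, one per line, sorted.
guava_versions() {
  printf '%s\n' "$1" \
    | sed -n 's/.*com\.google\.guava:guava:jar:\([^: ]*\):.*/\1/p' \
    | sort -u
}

# guava_conflict TREE: succeed (exit 0) when more than one guava version is
# present, i.e. Maven's nearest-wins resolution silently dropped one of them.
guava_conflict() {
  [ "$(guava_versions "$1" | awk 'END { print NR }')" -gt 1 ]
}

if guava_conflict "$SAMPLE_TREE"; then
  echo "multiple guava versions requested on the classpath:"
  guava_versions "$SAMPLE_TREE"
fi
```

Run against a real build by replacing SAMPLE_TREE with `mvn dependency:tree -Dverbose` output; the `- omitted for conflict` annotation is where Maven shows which version lost.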
[jira] [Commented] (SLING-11124) Update Guava Dependency for CVE CVE-2018-10237 and CVE-2020-8908
[ https://issues.apache.org/jira/browse/SLING-11124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487166#comment-17487166 ]

Andrei Dulvac commented on SLING-11124:
---

Merged in https://github.com/apache/sling-org-apache-sling-testing-clients/pull/25

> Update Guava Dependency for CVE CVE-2018-10237 and CVE-2020-8908
>
> Key: SLING-11124
> URL: https://issues.apache.org/jira/browse/SLING-11124
> Project: Sling
> Issue Type: Task
> Components: Apache Sling Testing Clients
> Affects Versions: Apache Sling Testing Clients 3.0.6
> Reporter: Andrei Tuicu
> Assignee: Andrei Dulvac
> Priority: Major
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Sling testing clients are using com.google.guava guava 14.0.1 which is
> vulnerable to CVE-2018-10237 (MEDIUM) [1] and CVE-2020-8908 (LOW) [2].
> Mitigation: update to latest guava 31.0.1-android
> [1] https://www.cvedetails.com/cve/CVE-2018-10237/
> [2] https://www.cvedetails.com/cve/CVE-2020-8908/