[ https://issues.apache.org/jira/browse/KYLIN-2879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Billy Liu resolved KYLIN-2879.
------------------------------
    Resolution: Fixed
    Fix Version/s: v2.2.0

Commit at https://github.com/apache/kylin/commit/13293bad2ce503a35339a5c4ec5bc532684efb48

In this commit,
Spring framework is upgraded to 4.3.10
Spring security framework is upgraded to 4.2.3
commons-email is upgraded to 1.5
commons-upload is upgraded to 1.3.3
All potential vulnerabilities are resolved.

> Upgrade Spring & Spring Security to fix potential vulnerability
> ---------------------------------------------------------------
>
>                 Key: KYLIN-2879
>                 URL: https://issues.apache.org/jira/browse/KYLIN-2879
>             Project: Kylin
>          Issue Type: Improvement
>            Reporter: Billy Liu
>            Assignee: Billy Liu
>            Priority: Critical
>             Fix For: v2.2.0
>
>
> After running against VersionEye, the system shows that Kylin has "14 known
> security vulnerabilities.". They are from commons-fileupload, commons-email,
> xercesImpl, spring-webmvc, spring-jdbc, spring-aop, spring-context-support,
> spring-test, spring-security-core, tomcat-catalina, spring-core libraries.
> Upgrading to newer versions will fix the vulnerabilities.
>
> Following is the detail report:
>
> commons-fileupload : 1.3.1
>   2016-3092
>   Apache Commons Fileupload: Denial of Service
>   https://bugzilla.redhat.com/show_bug.cgi?id=1349475
>   http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3c6223ece6-2b41-ef4f-22f9-d3481e492...@apache.org%3E
>   http://tomcat.apache.org/security.html
>   http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?r1=1745717&r2=1749637&diff_format=h
>   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
>   Affected versions: <=1.3.1,1.3 && <=1.2.2,1.2
>
>   CVE-2016-3092
>   https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
>   Affected versions: 1.3.1
>
>   2016-1000031
>   Apache Commons FileUpload Deserialization Gadget
>   https://www.tenable.com/security/research/tra-2016-12
>   https://issues.apache.org/jira/browse/FILEUPLOAD-279
>   https://nvd.nist.gov/vuln/detail/CVE-2016-1000031
>   Affected versions: <=1.3.2
>
> commons-email : 1.4
>   2017-9801
>   SMTP header injection vulnerability
>   https://commons.apache.org/proper/commons-email/security-reports.html
>   https://nvd.nist.gov/vuln/detail/CVE-2017-9801
>   Affected versions: <=1.4
>
> xercesImpl : 2.11.0
>   2013-4002
>   Apache Xerces: XMLScanner resource exhaustion
>   https://bugzilla.redhat.com/CVE-2013-4002
>   http://svn.apache.org/viewvc?view=revision&revision=1499506
>   Affected versions: <=2.11.0
>
> spring-webmvc : 4.2.8.RELEASE
>   CVE-2016-9878
>   https://pivotal.io/security/cve-2016-9878
>   Affected versions: 4.3.2, 4.2.3, 4.3.0, 4.2.1, 3.2.8, 4.2.0, 4.3.4, 4.2.5,
>   4.3.1, 4.2.2, 3.2.9, 4.3.3, 4.2.4, 3.2.7, 3.2.0, 4.2.6, 3.2.16, 3.2.5,
>   3.2.13, 3.2.6, 4.2.8, 3.2.3, 3.2.15, 3.2.12, 3.2.1, 4.2.7, 3.2.2, 3.2.14,
>   3.2.11, 3.2.10, 3.2.4, 3.2.17
>
> spring-jdbc : 4.2.8.RELEASE
>   CVE-2016-9878
>   https://pivotal.io/security/cve-2016-9878
>   Affected versions: 4.3.2, 4.2.3, 4.3.0, 4.2.1, 3.2.8, 4.2.0, 4.3.4, 4.2.5,
>   4.3.1, 4.2.2, 3.2.9, 4.3.3, 4.2.4, 3.2.7, 3.2.0, 4.2.6, 3.2.16, 3.2.5,
>   3.2.13, 3.2.6, 4.2.8, 3.2.3, 3.2.15, 3.2.12, 3.2.1, 4.2.7, 3.2.2, 3.2.14,
>   3.2.11, 3.2.10, 3.2.4, 3.2.17
>
> spring-aop : 4.2.8.RELEASE
>   CVE-2016-9878
>   https://pivotal.io/security/cve-2016-9878
>   Affected versions: 4.3.2, 4.2.3, 4.3.0, 4.2.1, 3.2.8, 4.2.0, 4.3.4, 4.2.5,
>   4.3.1, 4.2.2, 3.2.9, 4.3.3, 4.2.4, 3.2.7, 3.2.0, 4.2.6, 3.2.16, 3.2.5,
>   3.2.13, 3.2.6, 4.2.8, 3.2.3, 3.2.15, 3.2.12, 3.2.1, 4.2.7, 3.2.2, 3.2.14,
>   3.2.11, 3.2.10, 3.2.4, 3.2.17
>
> spring-context-support : 4.2.8.RELEASE
>   CVE-2016-9878
>   https://pivotal.io/security/cve-2016-9878
>   Affected versions: 4.3.2, 4.2.3, 4.3.0, 4.2.1, 3.2.8, 4.2.0, 4.3.4, 4.2.5,
>   4.3.1, 4.2.2, 3.2.9, 4.3.3, 4.2.4, 3.2.7, 3.2.0, 4.2.6, 3.2.16, 3.2.5,
>   3.2.13, 3.2.6, 4.2.8, 3.2.3, 3.2.15, 3.2.12, 3.2.1, 4.2.7, 3.2.2, 3.2.14,
>   3.2.11, 3.2.10, 3.2.4, 3.2.17
>
> spring-test : 4.2.8.RELEASE
>   CVE-2016-9878
>   https://pivotal.io/security/cve-2016-9878
>   Affected versions: 4.3.2, 4.2.3, 4.3.0, 4.2.1, 3.2.8, 4.2.0, 4.3.4, 4.2.5,
>   4.3.1, 4.2.2, 3.2.9, 4.3.3, 4.2.4, 3.2.7, 3.2.0, 4.2.6, 3.2.16, 3.2.5,
>   3.2.13, 3.2.6, 4.2.8, 3.2.3, 3.2.15, 3.2.12, 3.2.1, 4.2.7, 3.2.2, 3.2.14,
>   3.2.11, 3.2.10, 3.2.4, 3.2.17
>
> spring-security-core : 4.0.4.RELEASE
>   2016-5007
>   Spring Security / MVC Path Matching Inconsistency
>   https://pivotal.io/security/cve-2016-5007
>   Affected versions: <=4.1.0.RELEASE
>
> tomcat-catalina : 7.0.69
>   2016-3092
>   Apache Commons Fileupload: Denial of Service
>   https://bugzilla.redhat.com/show_bug.cgi?id=1349475
>   http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3c6223ece6-2b41-ef4f-22f9-d3481e492...@apache.org%3E
>   http://tomcat.apache.org/security.html
>   http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?r1=1745717&r2=1749637&diff_format=h
>   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
>   Affected versions: <=9.0.0.M7,9 && <=8.5.2,8.5 && <=8.0.35,8.0 && <=7.0.69,7

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
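A ticket like this closes with "all potential vulnerabilities are resolved", and the check a reviewer would want is mechanical: take every "Affected versions" expression from the scanner report and confirm that the version each dependency now declares falls outside it. The script below is an added example, not part of the ticket, of the linked commit or of the Kylin or VersionEye code. Its library names, CVE ids and range expressions are copied from the quoted report; the "before" versions are the ones the report flagged, and the "after" versions are the ones the resolution comment says the commit moved to, with xercesImpl and tomcat-catalina left at their reported versions because the comment does not mention them. The reading of the range syntax (",X" restricts a bound to branch X, "&&" joins alternative branches, a bare comma list is a set of exact versions) is an assumption about the report's format, as is treating "M7" as a pre-release that sorts before the matching final version.

```python
"""Check declared dependency versions against scanner 'Affected versions' ranges.

Added example (not Kylin, VersionEye or ticket code). Data below is copied from
the VersionEye report quoted in KYLIN-2879; the range-syntax interpretation is
an assumption about that report's format.
"""
import re

# Constructed from the report: the CVE-2016-9878 entry lists exact versions,
# the tomcat entry lists one upper bound per release branch.
SPRING_9878 = ("4.3.2, 4.2.3, 4.3.0, 4.2.1, 3.2.8, 4.2.0, 4.3.4, 4.2.5, 4.3.1, "
               "4.2.2, 3.2.9, 4.3.3, 4.2.4, 3.2.7, 3.2.0, 4.2.6, 3.2.16, 3.2.5, "
               "3.2.13, 3.2.6, 4.2.8, 3.2.3, 3.2.15, 3.2.12, 3.2.1, 4.2.7, 3.2.2, "
               "3.2.14, 3.2.11, 3.2.10, 3.2.4, 3.2.17")
TOMCAT_3092 = "<=9.0.0.M7,9 && <=8.5.2,8.5 && <=8.0.35,8.0 && <=7.0.69,7"

# (library, affected-version expression, CVE) as listed in the quoted report.
AFFECTED = [
    ("commons-fileupload", "<=1.3.1,1.3 && <=1.2.2,1.2", "CVE-2016-3092"),
    ("commons-fileupload", "<=1.3.2", "CVE-2016-1000031"),
    ("commons-email", "<=1.4", "CVE-2017-9801"),
    ("xercesImpl", "<=2.11.0", "CVE-2013-4002"),
    ("spring-webmvc", SPRING_9878, "CVE-2016-9878"),
    ("spring-jdbc", SPRING_9878, "CVE-2016-9878"),
    ("spring-aop", SPRING_9878, "CVE-2016-9878"),
    ("spring-context-support", SPRING_9878, "CVE-2016-9878"),
    ("spring-test", SPRING_9878, "CVE-2016-9878"),
    ("spring-security-core", "<=4.1.0.RELEASE", "CVE-2016-5007"),
    ("tomcat-catalina", TOMCAT_3092, "CVE-2016-3092"),
]

# Versions the report flagged (before) and the ones the resolution comment
# names (after); libraries the comment does not mention keep the flagged version.
BEFORE = {
    "commons-fileupload": "1.3.1", "commons-email": "1.4", "xercesImpl": "2.11.0",
    "spring-webmvc": "4.2.8.RELEASE", "spring-jdbc": "4.2.8.RELEASE",
    "spring-aop": "4.2.8.RELEASE", "spring-context-support": "4.2.8.RELEASE",
    "spring-test": "4.2.8.RELEASE", "spring-security-core": "4.0.4.RELEASE",
    "tomcat-catalina": "7.0.69",
}
AFTER = dict(BEFORE, **{
    "commons-fileupload": "1.3.3", "commons-email": "1.5",
    "spring-webmvc": "4.3.10", "spring-jdbc": "4.3.10", "spring-aop": "4.3.10",
    "spring-context-support": "4.3.10", "spring-test": "4.3.10",
    "spring-security-core": "4.2.3",
})

_PRE_RELEASE = re.compile(r"(?:M|RC)(\d+)$", re.IGNORECASE)
_BOUND = re.compile(r"<=\s*([^,\s]+)\s*(?:,\s*([^,\s]+))?\s*$")


def parse_version(text):
    """Turn '4.2.8.RELEASE' or '9.0.0.M7' into a comparable tuple.

    Each component becomes (rank, number): rank 1 for a numeric part, rank 0
    for a milestone/RC part so that 9.0.0.M7 sorts before 9.0.0. Qualifiers
    meaning 'final' (RELEASE, FINAL, GA) are dropped.
    """
    parts = []
    for piece in text.strip().split("."):
        if piece.isdigit():
            parts.append((1, int(piece)))
        elif piece.upper() in ("RELEASE", "FINAL", "GA"):
            continue
        else:
            m = _PRE_RELEASE.match(piece)
            if not m:
                raise ValueError("unsupported version component: %r" % piece)
            parts.append((0, int(m.group(1))))
    return tuple(parts)


def version_le(a, b):
    """a <= b, padding the shorter tuple with final-release zeros."""
    a, b = parse_version(a), parse_version(b)
    n = max(len(a), len(b))
    return a + ((1, 0),) * (n - len(a)) <= b + ((1, 0),) * (n - len(b))


def in_branch(version, branch):
    """True if `version` starts with the components of `branch` (e.g. '8.0')."""
    v, br = parse_version(version), parse_version(branch)
    return v[:len(br)] == br


def is_affected(version, expression):
    """Evaluate one 'Affected versions' expression against a version string."""
    for alt in expression.split("&&"):
        m = _BOUND.match(alt.strip())
        if m:  # '<=bound' optionally restricted to a branch: '<=1.3.1,1.3'
            bound, branch = m.groups()
            if branch and not in_branch(version, branch):
                continue
            if version_le(version, bound):
                return True
        else:  # bare comma-separated list of exact versions
            exact = {parse_version(x) for x in alt.split(",") if x.strip()}
            if parse_version(version) in exact:
                return True
    return False


def audit(declared):
    """Return (library, version, cve) for every declared version still in range."""
    return [(lib, declared[lib], cve) for lib, expr, cve in AFFECTED
            if lib in declared and is_affected(declared[lib], expr)]


if __name__ == "__main__":
    for label, declared in (("before upgrade", BEFORE), ("after upgrade", AFTER)):
        print(label)
        for lib, ver, cve in audit(declared):
            print("  %s %s still matches %s" % (lib, ver, cve))
```

Run against the report's own data, the "before" set reproduces every entry and the "after" set leaves exactly the two libraries the resolution comment does not touch, which is the kind of residue a reviewer would want to confirm against the full scanner output rather than the summary sentence.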