You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@avro.apache.org by "Prasanth Pallamreddy (JIRA)" <ji...@apache.org> on 2018/08/22 17:33:00 UTC
[jira] [Created] (AVRO-2217) Vulnerabilities in avro bundled
packages
Prasanth Pallamreddy created AVRO-2217:
------------------------------------------
Summary: Vulnerabilities in avro bundled packages
Key: AVRO-2217
URL: https://issues.apache.org/jira/browse/AVRO-2217
Project: Avro
Issue Type: Bug
Components: java
Affects Versions: 1.8.2
Reporter: Prasanth Pallamreddy
The following vulnerabilities exist in the packages bundled by Avro. These packages need to be upgraded to the latest versions. Although a few of these vulnerabilities were raised a couple of years ago in AVRO-1126 and an attempt to address the backwards compatibility issue in AVRO-1605 there does not appear to be a resolution. If there is no resolution on these issues, we may be forced to fork based on [this PR|https://github.com/apache/avro/pull/87].
org.codehaus.jackson:jackson-mapper-asl:1.9.13 which is known to have these critical / high vulns:
[https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
[https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
[https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
[https://nvd.nist.gov/vuln/detail/CVE-2017-17485]
[https://nvd.nist.gov/vuln/detail/CVE-2018-5968]
org.codehaus.jackson:jackson-core-asl:1.9.13 which has this high vulnerability:
- [https://nvd.nist.gov/vuln/detail/CVE-2016-7051]
org.apache.commons:commons-compress:1.8.1 has a DOS vulnerability:
- [https://nvd.nist.gov/vuln/detail/CVE-2018-11771]
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)