Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2019/08/29 10:41:54 UTC
[GitHub] [incubator-druid] divaybansal opened a new issue #8432: Druid Vulnerability Analysis
divaybansal opened a new issue #8432: Druid Vulnerability Analysis
URL: https://github.com/apache/incubator-druid/issues/8432
We did a vulnerability analysis on the latest version of Druid and found the below critical vulnerabilities in the dependent libraries bundled with Druid. Could you please update the version of these dependencies to the latest version?
CVE             Package                                      Version           Severity  Status
--------------  -------------------------------------------  ----------------  --------  ------
CVE-2018-14719  com.fasterxml.jackson.core_jackson-databind  2.6.7             critical  fixed in 2.9.7
CVE-2017-7658   org.eclipse.jetty_jetty-io                   9.4.10.v20180503  critical  fixed in 9.4.11, 9.3.24
CVE-2017-7657   org.eclipse.jetty_jetty-io                   9.4.10.v20180503  critical  fixed in 9.4.11, 9.3.24
CVE-2018-7489   com.fasterxml.jackson.core_jackson-databind  2.2.3             critical  fixed in 2.9.5, 2.8.11.1, 2.7.9.3
CVE-2018-14718  com.fasterxml.jackson.core_jackson-databind  2.2.3             critical  fixed in 2.9.7
CVE-2017-5645   org.apache.logging.log4j_log4j-api           2.4               critical  fixed in 2.8.2
CVE-2018-7489   com.fasterxml.jackson.core_jackson-databind  2.4.0             critical  fixed in 2.9.5, 2.8.11.1, 2.7.9.3
CVE-2017-5929   ch.qos.logback_logback-core                  1.1.2             critical  fixed in 1.2.0
CVE-2016-3720   com.fasterxml.jackson.core_jackson-core      2.4.0             critical
CVE-2016-3720   com.fasterxml.jackson.core_jackson-core      2.2.3             critical
CVE-2018-14718  com.fasterxml.jackson.core_jackson-databind  2.4.0             critical  fixed in 2.9.7
CVE-2016-3720   com.fasterxml.jackson.core_jackson-core      2.6.7             critical
CVE-2018-7489   com.fasterxml.jackson.core_jackson-databind  2.6.7             critical  fixed in 2.9.5, 2.8.11.1, 2.7.9.3
CVE-2017-5645   org.apache.logging.log4j_log4j-api           2.5               critical  fixed in 2.8.2
CVE-2018-14718  com.fasterxml.jackson.core_jackson-databind  2.4.6             critical  fixed in 2.9.7
CVE-2018-19362  com.fasterxml.jackson.core_jackson-databind  2.6.7             critical  fixed in 2.9.8
CVE-2018-7489   com.fasterxml.jackson.core_jackson-databind  2.4.6             critical  fixed in 2.9.5, 2.8.11.1, 2.7.9.3
CVE-2018-19361  com.fasterxml.jackson.core_jackson-databind  2.6.7             critical  fixed in 2.9.8
CVE-2018-19360  com.fasterxml.jackson.core_jackson-databind  2.6.7             critical  fixed in 2.9.8
CVE-2017-7657   org.eclipse.jetty_jetty-io                   9.2.5.v20141112   critical  fixed in 9.4.11, 9.3.24
CVE-2017-7658   org.eclipse.jetty_jetty-io                   9.2.5.v20141112   critical  fixed in 9.4.11, 9.3.24
CVE-2018-14721  com.fasterxml.jackson.core_jackson-databind  2.6.7             critical  fixed in 2.9.7
CVE-2016-3720   com.fasterxml.jackson.core_jackson-core      2.4.6             critical
CVE-2018-14720  com.fasterxml.jackson.core_jackson-databind  2.6.7             critical  fixed in 2.9.7
CVE-2017-7525   com.fasterxml.jackson.core_jackson-databind  2.6.7             critical  fixed in 2.8.9, 2.7.9.1, 2.6.7.1
CVE-2018-14718  com.fasterxml.jackson.core_jackson-databind  2.6.7             critical  fixed in 2.9.7
CVE-2016-7051   com.fasterxml.jackson.core_jackson-core      2.4.6             high      fixed in 2.8.4, 2.7.8
CVE-2017-9735   org.eclipse.jetty_jetty-io                   9.2.5.v20141112   high
CVE-2017-7656   org.eclipse.jetty_jetty-io                   9.2.5.v20141112   high      fixed in 9.4.11, 9.3.24
CVE-2015-2080   org.eclipse.jetty_jetty-http                 9.2.5.v20141112   high      fixed in 9.2.9,9.2
CVE-2018-5968   com.fasterxml.jackson.core_jackson-databind  2.4.6             high
CVE-2018-5968   com.fasterxml.jackson.core_jackson-databind  2.6.7             high
CVE-2016-5017   org.apache.zookeeper_zookeeper               3.4.6             high      fixed in 3.5.3, 3.4.9
CVE-2017-5637   org.apache.zookeeper_zookeeper               3.4.6             high
CVE-2018-8012   org.apache.zookeeper_zookeeper               3.4.6             high      fixed in 3.4.10
CVE-2018-5968   com.fasterxml.jackson.core_jackson-databind  2.4.0             high
CVE-2016-7051   com.fasterxml.jackson.core_jackson-core      2.6.7             high      fixed in 2.8.4, 2.7.8
CVE-2016-7051   com.fasterxml.jackson.core_jackson-core      2.4.0             high      fixed in 2.8.4, 2.7.8
CVE-2016-7051   com.fasterxml.jackson.core_jackson-core      2.2.3             high      fixed in 2.8.4, 2.7.8
CVE-2018-5968   com.fasterxml.jackson.core_jackson-databind  2.2.3             high
CVE-2017-7656   org.eclipse.jetty_jetty-io                   9.4.10.v20180503  high      fixed in 9.4.11, 9.3.24
CVE-2018-12545  org.eclipse.jetty_jetty-io                   9.4.10.v20180503  high