You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ratis.apache.org by "Tsz Wo Nicholas Sze (JIRA)" <ji...@apache.org> on 2018/09/21 20:43:00 UTC
[jira] [Assigned] (RATIS-294) Fix ratis-hadoop CVEs
[ https://issues.apache.org/jira/browse/RATIS-294?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tsz Wo Nicholas Sze reassigned RATIS-294:
-----------------------------------------
Assignee: Tsz Wo Nicholas Sze
> Fix ratis-hadoop CVEs
> ---------------------
>
> Key: RATIS-294
> URL: https://issues.apache.org/jira/browse/RATIS-294
> Project: Ratis
> Issue Type: Improvement
> Components: HadoopRPC
> Reporter: Tsz Wo Nicholas Sze
> Assignee: Tsz Wo Nicholas Sze
> Priority: Blocker
> Labels: ozone
> Attachments: r294_20180921.patch
>
>
> There are multiple CVEs found in ratis-hadoop.
> - CVE-2012-4449 | High org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT
> - CVE-2016-5001 | Low org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT
> - CVE-2017-3161 | Medium org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT
> - CVE-2017-3162 | High org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT
> It is very likely that the CVEs come from the Hadoop dependency. We should either update the Hadoop version or temporarily remove Hadoop dependency in order to fix the CVEs.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)