Posted to issues@ratis.apache.org by "Tsz Wo Nicholas Sze (JIRA)" <ji...@apache.org> on 2018/09/21 20:43:00 UTC

[jira] [Assigned] (RATIS-294) Fix ratis-hadoop CVEs

     [ https://issues.apache.org/jira/browse/RATIS-294?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tsz Wo Nicholas Sze reassigned RATIS-294:
-----------------------------------------

    Assignee: Tsz Wo Nicholas Sze

> Fix ratis-hadoop CVEs
> ---------------------
>
>                 Key: RATIS-294
>                 URL: https://issues.apache.org/jira/browse/RATIS-294
>             Project: Ratis
>          Issue Type: Improvement
>          Components: HadoopRPC
>            Reporter: Tsz Wo Nicholas Sze
>            Assignee: Tsz Wo Nicholas Sze
>            Priority: Blocker
>              Labels: ozone
>         Attachments: r294_20180921.patch
>
>
> There are multiple CVEs found in ratis-hadoop.
> - CVE-2012-4449  |  High org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT
> - CVE-2016-5001  |  Low org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT
> - CVE-2017-3161  |  Medium org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT
> - CVE-2017-3162  |  High org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT
> It is very likely that the CVEs come from the Hadoop dependency. We should either update the Hadoop version or temporarily remove the Hadoop dependency in order to fix the CVEs.


