Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2020/01/31 20:28:25 UTC

[GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444

ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
URL: https://github.com/apache/druid/pull/9300#discussion_r373671333
 
 

 ##########
 File path: owasp-dependency-check-suppressions.xml
 ##########
 @@ -148,6 +148,22 @@
     <packageUrl regex="true">^pkg:maven/io\.netty/netty@.*$</packageUrl>
     <cve>CVE-2019-16869</cve>
   </suppress>
+  <suppress>
+    <!-- TODO: Fix by updating org.apache.druid.java.util.http.client.NettyHttpClient to use netty 4 -->
+    <notes><![CDATA[
+   file name: netty-3.10.6.Final.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty@.*$</packageUrl>
+    <cve>CVE-2019-20445</cve>
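
Review bot: The packageUrl regex on the added suppress entry, `^pkg:maven/io\.netty/netty@.*$`, matches every version of io.netty:netty, so CVE-2019-20445 stays suppressed for any netty 3 jar that ends up on the classpath, not only the netty-3.10.6.Final.jar named in the notes. Consider pinning the pattern to that version, for example ending it in `@3\.10\.6\.Final$`. The TODO comment also has nothing that forces a revisit. Linking a tracking issue there, or setting an `until` date on the `<suppress>` element, would bring the finding back if the NettyHttpClient move to netty 4 stalls.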
 
 Review comment:
   The new CVEs can be added after line 149 instead to simplify the XML
