You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2020/02/20 02:39:32 UTC
[GitHub] [druid] ccaominh opened a new pull request #9379: Suppress
CVE-2020-8840 for htrace-core-4.0.1
ccaominh opened a new pull request #9379: Suppress CVE-2020-8840 for htrace-core-4.0.1
URL: https://github.com/apache/druid/pull/9379
### Description
CVE-2020-8840 was updated on 19 Feb 2020, which now gets flagged by the security vulnerability scan. Since the CVE is for jackson-databind, via htrace-core-4.0.1, it can be added to the existing list of security vulnerability suppressions for that dependency.
<hr>
This PR has:
- [x] been self-reviewed.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] ccaominh merged pull request #9379: Suppress CVE-2020-8840
for htrace-core-4.0.1
Posted by GitBox <gi...@apache.org>.
ccaominh merged pull request #9379: Suppress CVE-2020-8840 for htrace-core-4.0.1
URL: https://github.com/apache/druid/pull/9379
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] suneet-s commented on issue #9379: Suppress CVE-2020-8840
for htrace-core-4.0.1
Posted by GitBox <gi...@apache.org>.
suneet-s commented on issue #9379: Suppress CVE-2020-8840 for htrace-core-4.0.1
URL: https://github.com/apache/druid/pull/9379#issuecomment-588593937
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062#03cb - This is a really good write up on the CVE.
It looks like even if we used a vulnerable version of jackson, it would not be possible to exploit the CVE. See the section `What is Required for a Jackson-based “gadget” Exploit?`
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org