Posted to notifications@zookeeper.apache.org by GitBox <gi...@apache.org> on 2022/02/11 13:09:52 UTC

[GitHub] [zookeeper] symat edited a comment on pull request #1817: ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative

symat edited a comment on pull request #1817:
URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036195421


   OK, I double-checked all the CVE errors detected by the latest OWASP 6.5.3. All of these are false positives. I also checked the maven dependency tree to make sure we don't have any old netty/jetty/commons-io jars on the classpath. I think we are good to go. But I still recommend updating to the latest OWASP version in our project and also suppressing the CVEs below. (Let's hope OWASP will be fixed later to produce fewer false positives.)
   
   - CVE-2021-43797 - fixed in netty 4.1.71 (we use 4.1.73)
   - CVE-2019-16869 - fixed in netty 4.1.42 (we use 4.1.73)
   - CVE-2015-2156 - fixed in netty 4.1.0 (we use 4.1.73)
   - CVE-2021-37136 - fixed in netty 4.1.68 (we use 4.1.73)
   - CVE-2014-3488 - fixed after netty 3.9.1 (we use 4.1.73)
   - CVE-2021-37137 - fixed in netty 4.1.68 (we use 4.1.73)
   - CVE-2019-20445 - fixed in netty 4.1.44 (we use 4.1.73)
   - CVE-2019-20444 - fixed in netty 4.1.44 (we use 4.1.73)
   - CVE-2021-21295 - fixed in netty 4.1.60 (we use 4.1.73)
   - CVE-2021-21409 - fixed in netty 4.1.61 (we use 4.1.73)
   - CVE-2021-21290 - fixed in netty 4.1.59 (we use 4.1.73)
   - CVE-2021-29425 - fixed in commons-io 2.7 (we use 2.11)
   - CVE-2021-28164 - fixed in jetty 9.4.39 (we use 9.4.43)
   - CVE-2021-34429 - fixed in jetty 9.4.43 (we use 9.4.43)
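
A check of the kind described above (no old netty/jetty/commons-io jars on the classpath), as an added example that is not part of the PR: it scans `mvn dependency:tree` output for artifacts below the fix versions listed in the comment. The tree output is constructed, and the exclusion of netty-tcnative assumes, from the PR title, that its separate 2.0.x version line is what trips the scanner.

```python
import re

# Fix versions taken from the CVE list above (the highest "fixed in" per
# library); an artifact at or above its floor is clear of those CVEs.
MIN_SAFE = {
    "io.netty": (4, 1, 71),           # CVE-2021-43797
    "org.eclipse.jetty": (9, 4, 43),  # CVE-2021-34429
    "commons-io": (2, 7),             # CVE-2021-29425
}

# Assumption: netty-tcnative ships on its own 2.0.x line, so applying the
# 4.1.x floor to it would itself be a false positive (the PR's subject).
SEPARATE_LINES = ("netty-tcnative",)

# Constructed sample of `mvn dependency:tree` output, not ZooKeeper's real tree.
SAMPLE_TREE = """\
[INFO] org.apache.zookeeper:zookeeper:jar:3.8.0-SNAPSHOT
[INFO] +- io.netty:netty-handler:jar:4.1.73.Final:compile
[INFO] |  \\- io.netty:netty-codec:jar:4.1.73.Final:compile
[INFO] +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.47.Final:compile
[INFO] +- org.eclipse.jetty:jetty-server:jar:9.4.43.v20210629:compile
[INFO] +- commons-io:commons-io:jar:2.11.0:compile
[INFO] \\- com.example:legacy:jar:1.0:compile
[INFO]    \\- io.netty:netty:jar:3.9.1.Final:compile
"""


def parse_tree(text):
    """Yield (group, artifact, version) for each dependency line of the tree."""
    for line in text.splitlines():
        tokens = line.split()
        parts = tokens[-1].split(":") if tokens else []
        # group:artifact:type[:classifier]:version:scope -> version is 2nd last
        if len(parts) >= 5:
            yield parts[0], parts[1], parts[-2]


def version_key(ver):
    """'4.1.73.Final' -> (4, 1, 73); '9.4.43.v20210629' -> (9, 4, 43)."""
    return tuple(int(p) for p in re.findall(r"\d+", ver)[:3])


def outdated(tree_text, min_safe=MIN_SAFE):
    """Return coordinates whose version is below the fix floor for its group."""
    hits = []
    for group, artifact, version in parse_tree(tree_text):
        floor = min_safe.get(group)
        if floor is None or artifact.startswith(SEPARATE_LINES):
            continue
        if version_key(version) < floor:
            hits.append(f"{group}:{artifact}:{version}")
    return hits


if __name__ == "__main__":
    for hit in outdated(SAMPLE_TREE):
        print("below fix version:", hit)
```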

