Posted to issues@kylin.apache.org by "Shao Feng Shi (Jira)" <ji...@apache.org> on 2020/03/01 14:36:00 UTC

[jira] [Updated] (KYLIN-4394) CVEs in the library dependencies

     [ https://issues.apache.org/jira/browse/KYLIN-4394?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Shao Feng Shi updated KYLIN-4394:
---------------------------------
    Component/s: Security

Thanks for reporting; we will check it.

> CVEs in the library dependencies
> --------------------------------
>
>                 Key: KYLIN-4394
>                 URL: https://issues.apache.org/jira/browse/KYLIN-4394
>             Project: Kylin
>          Issue Type: Bug
>          Components: Security
>            Reporter: XuCongying
>            Priority: Major
>
> Hi, I have noticed that some library CVEs may be related to your projects. To prevent the potential risks they may cause, I suggest a library update. See below for more details:
>  
> Vulnerable Library Version: org.apache.hive.hcatalog : hive-hcatalog-streaming : 1.0.0
>   CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
>   Import Path: flume-ng-sinks/flume-hive-sink/pom.xml
>   Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
>  
> Vulnerable Library Version: com.google.guava : guava : 18.0
>   CVE ID: [CVE-2018-10237](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237)
>   Import Path: flume-ng-sinks/flume-http-sink/pom.xml
>   Suggested Safe Versions: 24.1.1-android, 24.1.1-jre, 25.0-android, 25.0-jre, 25.1-android, 25.1-jre, 26.0-android, 26.0-jre, 27.0-android, 27.0-jre, 27.0.1-android, 27.0.1-jre, 27.1-android, 27.1-jre, 28.0-android, 28.0-jre, 28.1-android, 28.1-jre, 28.2-android, 28.2-jre
>  
> Vulnerable Library Version: com.google.guava : guava : 11.0.2
>   CVE ID: [CVE-2018-10237](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237)
>   Import Path: flume-ng-auth/pom.xml, flume-ng-core/pom.xml...(The rest of the 11 paths is hidden.)
>   Suggested Safe Versions: 24.1.1-android, 24.1.1-jre, 25.0-android, 25.0-jre, 25.1-android, 25.1-jre, 26.0-android, 26.0-jre, 27.0-android, 27.0-jre, 27.0.1-android, 27.0.1-jre, 27.1-android, 27.1-jre, 28.0-android, 28.0-jre, 28.1-android, 28.1-jre, 28.2-android, 28.2-jre
>  
> Vulnerable Library Version: org.apache.hive : hive-exec : 1.0.0
>   CVE ID: [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
>   Import Path: flume-ng-sinks/flume-dataset-sink/pom.xml
>   Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2
>  
> Vulnerable Library Version: org.eclipse.jetty : jetty-util : 9.4.6.v20170531
>   CVE ID: [CVE-2017-9735](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9735), [CVE-2019-10246](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246), [CVE-2019-10241](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241), [CVE-2018-12536](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536)
>   Import Path: flume-ng-core/pom.xml
>   Suggested Safe Versions: 10.0.0-alpha0, 10.0.0.alpha1, 9.4.17.v20190418, 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.21.v20190926, 9.4.22.v20191022, 9.4.23.v20191118, 9.4.24.v20191120, 9.4.25.v20191220, 9.4.26.v20200117
>  
> Vulnerable Library Version: org.apache.kafka : kafka_2.11 : 2.0.1
>   CVE ID: [CVE-2019-17196](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17196)
>   Import Path: flume-ng-sources/flume-kafka-source/pom.xml, flume-ng-sources/flume-kafka-source/pom.xml, flume-ng-channels/flume-kafka-channel/pom.xml, flume-shared/flume-shared-kafka-test/pom.xml, flume-ng-sinks/flume-ng-kafka-sink/pom.xml
>   Suggested Safe Versions: 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0
>  
> Vulnerable Library Version: org.apache.hadoop : hadoop-hdfs : 2.9.0
>   CVE ID: [CVE-2018-11768](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11768)
>   Import Path: flume-ng-sinks/flume-hdfs-sink/pom.xml
>   Suggested Safe Versions: 2.10.0, 2.9.2, 3.1.2, 3.1.3, 3.2.0, 3.2.1
>  
> Vulnerable Library Version: org.eclipse.jetty : jetty-server : 9.4.6.v20170531
>   CVE ID: [CVE-2019-10247](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247), [CVE-2017-7658](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658), [CVE-2017-7656](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7656), [CVE-2017-7657](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657), [CVE-2018-12538](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12538), [CVE-2018-12536](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536)
>   Import Path: flume-ng-core/pom.xml
>   Suggested Safe Versions: 10.0.0-alpha0, 10.0.0.alpha1, 9.4.17.v20190418, 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.24.v20191120, 9.4.25.v20191220, 9.4.26.v20200117
>  
> Vulnerable Library Version: org.apache.hive : hive-cli : 1.0.0
>   CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
>   Import Path: flume-ng-sinks/flume-hive-sink/pom.xml
>   Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
>  
> Vulnerable Library Version: org.apache.zookeeper : zookeeper : 3.4.5
>   CVE ID: [CVE-2017-5637](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5637), [CVE-2018-8012](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8012), [CVE-2019-0201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0201), [CVE-2014-0085](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0085)
>   Import Path: flume-ng-sources/flume-kafka-source/pom.xml, flume-ng-sinks/flume-ng-hbase-sink/pom.xml, flume-ng-sinks/flume-ng-hbase2-sink/pom.xml
>   Suggested Safe Versions: 3.4.14, 3.5.5, 3.5.6, 3.5.7
>  
> Vulnerable Library Version: org.apache.hadoop : hadoop-common : 2.9.0
>   CVE ID: [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029), [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009)
>   Import Path: flume-ng-auth/pom.xml, flume-ng-configfilters/flume-ng-hadoop-credential-store-config-filter/pom.xml, flume-ng-tests/pom.xml, flume-ng-sinks/flume-ng-hbase-sink/pom.xml, flume-ng-sinks/flume-dataset-sink/pom.xml, flume-ng-sinks/flume-hdfs-sink/pom.xml, flume-ng-sinks/flume-ng-kudu-sink/pom.xml, flume-ng-sinks/flume-hive-sink/pom.xml, flume-ng-sinks/flume-ng-hbase2-sink/pom.xml
>   Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
>  
> Vulnerable Library Version: org.apache.mina : mina-core : 2.0.4
>   CVE ID: [CVE-2019-0231](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0231)
>   Import Path: flume-ng-core/pom.xml
>   Suggested Safe Versions: 2.0.21, 2.1.2, 2.1.3, 3.0.0-M1, 3.0.0-M2
>  
> Vulnerable Library Version: org.apache.hbase : hbase-client : 1.0.0
>   CVE ID: [CVE-2015-1836](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1836)
>   Import Path: flume-ng-sinks/flume-ng-hbase-sink/pom.xml, flume-ng-sinks/flume-ng-hbase-sink/pom.xml, flume-ng-sinks/flume-ng-hbase2-sink/pom.xml
>   Suggested Safe Versions: 1.0.1.1, 1.0.2, 1.0.3, 1.1.0.1, 1.1.1, 1.1.10, 1.1.11, 1.1.12, 1.1.13, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.2.0, 1.2.1, 1.2.10, 1.2.11, 1.2.12, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.6.1, 1.2.7, 1.2.8, 1.2.9, 1.3.0, 1.3.1, 1.3.2, 1.3.2.1, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.4.0, 1.4.1, 1.4.10, 1.4.11, 1.4.12, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.5.0, 2.0.0, 2.0.0-alpha-1, 2.0.0-alpha2, 2.0.0-alpha3, 2.0.0-alpha4, 2.0.0-beta-1, 2.0.0-beta-2, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2.0, 2.2.1, 2.2.2, 2.2.3
>  
> Vulnerable Library Version: org.apache.hive.hcatalog : hive-hcatalog-core : 1.0.0
>   CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
>   Import Path: flume-ng-sinks/flume-hive-sink/pom.xml
>   Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
>  
> Vulnerable Library Version: org.elasticsearch : elasticsearch : 0.90.1
>   CVE ID: [CVE-2015-5531](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5531), [CVE-2014-3120](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3120), [CVE-2015-1427](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1427), [CVE-2015-3337](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3337), [CVE-2014-6439](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6439)
>   Import Path: flume-ng-sinks/flume-ng-elasticsearch-sink/pom.xml
>   Suggested Safe Versions: 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 2.0.0, 2.0.0-beta1, 2.0.0-beta2, 2.0.0-rc1, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 6.8.4, 6.8.5, 6.8.6, 7.4.0, 7.4.1, 7.4.2, 7.5.0, 7.5.1, 7.5.2, 7.6.0
>  
> Vulnerable Library Version: org.apache.hive : hive-metastore : 1.0.0
>   CVE ID: [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
>   Import Path: flume-ng-sinks/flume-dataset-sink/pom.xml
>   Suggested Safe Versions: 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
>  
> Vulnerable Library Version: xerces : xercesImpl : 2.9.1
>   CVE ID: [CVE-2012-0881](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881), [CVE-2013-4002](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002)
>   Import Path: flume-ng-sinks/flume-hive-sink/pom.xml
>   Suggested Safe Versions: 2.12.0


