Posted to issues@nifi.apache.org by "Andy LoPresto (Jira)" <ji...@apache.org> on 2020/02/10 16:33:00 UTC

[jira] [Commented] (NIFIREG-359) Update maven dependencies that have CVEs

    [ https://issues.apache.org/jira/browse/NIFIREG-359?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17033733#comment-17033733 ] 

Andy LoPresto commented on NIFIREG-359:
---------------------------------------

Thanks for reporting this. The codebase is continually scanned by members of the NiFi security team, and dependency vulnerability upgrades like this are undertaken on an ongoing cycle. These vulnerabilities will be addressed in the next release of NiFi Registry. 

Please familiarize yourself with the [Apache Project Security for Committers|https://www.apache.org/security/committers.html] guidelines, which cover reporting processes for these types of issues. As always, [security@nifi.apache.org|mailto:security@nifi.apache.org] is the best point of contact for such conversations.  

> Update maven dependencies that have CVEs
> ----------------------------------------
>
>                 Key: NIFIREG-359
>                 URL: https://issues.apache.org/jira/browse/NIFIREG-359
>             Project: NiFi Registry
>          Issue Type: Improvement
>            Reporter: Alex Herman
>            Priority: Major
>
> Running an AppScan vulnerability analysis on the 0.5.0 tag of NiFi Registry found the following issues with dependencies:
>  * jackson-databind-2.9.9.1.jar - CVE-2019-16335, CVE-2019-14379, CVE-2019-16942, CVE-2019-17267, CVE-2019-16943, CVE-2019-17531, CVE-2019-14540, CVE-2019-14439
>  * h2-1.4.197.jar - CVE-2018-10054, CVE-2018-14335
>  * httpclient-4.5.2.jar (transitive dependency of org.eclipse.jgit) - https://github.com/apache/httpcomponents-client/commit/0554271750599756d4946c0d7ba43d04b1a7b220
>  * hibernate-validator-6.0.17.Final.jar (transitive dependency of spring) - CVE-2019-10219
>  * jackson-databind-2.9.8.jar (transitive dependency of aws-java-sdk-version) - CVE-2019-17267, CVE-2019-16943, CVE-2019-16942, CVE-2019-16335, CVE-2019-14540, CVE-2019-17531, CVE-2019-14379, CVE-2019-12814, CVE-2019-12086, CVE-2019-12384, CVE-2019-14439
>  * netty-codec-http2-4.1.33.Final.jar (transitive dependency of aws-java-sdk-version) - CVE-2019-9518
> I'm not sure what the process is for addressing things like this, but I can put together a pull request, if that would be helpful.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
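The report above lists direct and transitive jars by file name, which is what a scanner sees in a build output but not what a Maven user edits. The following added example (my own code, not part of NiFi Registry and not posted by either participant) reads the text that `mvn dependency:tree` prints, walks the tree to record which direct dependency pulled in each transitive artifact, and flags exact matches against a table built from the report's jar versions and CVE identifiers. The Maven group ids (`com.fasterxml.jackson.core`, `com.h2database`, `org.apache.httpcomponents`, `org.hibernate.validator`, `io.netty`) are supplied by me from Maven Central, not from the ticket; the dependency tree excerpt is hand-written sample input and the `com.example` and jgit version strings in it are constructed.

```python
"""Flag known-vulnerable artifacts in `mvn dependency:tree` output.

Added example, not NiFi Registry project code. VULNERABLE is populated
from the AppScan report quoted in NIFIREG-359; group ids are assumed
(taken from Maven Central, not from the ticket). Matching is exact on
version: which later release fixes each CVE must be read from its advisory.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    artifact: str       # group:artifact
    version: str
    refs: List[str]     # CVE ids or advisory URL from the report
    via: str            # direct dependency that pulled it in, "" if direct


# group:artifact -> {version: [references]} as listed in the report above.
VULNERABLE: Dict[str, Dict[str, List[str]]] = {
    "com.fasterxml.jackson.core:jackson-databind": {
        "2.9.9.1": ["CVE-2019-16335", "CVE-2019-14379", "CVE-2019-16942",
                    "CVE-2019-17267", "CVE-2019-16943", "CVE-2019-17531",
                    "CVE-2019-14540", "CVE-2019-14439"],
        "2.9.8": ["CVE-2019-17267", "CVE-2019-16943", "CVE-2019-16942",
                  "CVE-2019-16335", "CVE-2019-14540", "CVE-2019-17531",
                  "CVE-2019-14379", "CVE-2019-12814", "CVE-2019-12086",
                  "CVE-2019-12384", "CVE-2019-14439"],
    },
    "com.h2database:h2": {"1.4.197": ["CVE-2018-10054", "CVE-2018-14335"]},
    "org.apache.httpcomponents:httpclient": {"4.5.2": [
        "https://github.com/apache/httpcomponents-client/commit/"
        "0554271750599756d4946c0d7ba43d04b1a7b220"]},
    "org.hibernate.validator:hibernate-validator": {"6.0.17.Final": ["CVE-2019-10219"]},
    "io.netty:netty-codec-http2": {"4.1.33.Final": ["CVE-2019-9518"]},
}

# One tree line: "[INFO] " + tree prefix (3 chars per level) + coordinates.
LINE_RE = re.compile(r"^\[INFO\] ((?:\+- |\\- |\|  |   )*)(\S+)\s*$")

# Constructed excerpt in the format `mvn dependency:tree` prints.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ sample-app ---
[INFO] com.example:sample-app:jar:1.0
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9.1:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] +- org.eclipse.jgit:org.eclipse.jgit:jar:5.0.0-sample:compile
[INFO] |  \\- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO] |     \\- org.apache.httpcomponents:httpcore:jar:4.4.4:compile
[INFO] +- com.h2database:h2:jar:1.4.197:runtime
[INFO] \\- io.netty:netty-codec-http2:jar:4.1.33.Final:compile
[INFO] BUILD SUCCESS
"""


def scan_tree(tree_text: str, vulnerable=VULNERABLE) -> List[Finding]:
    """Return one Finding per artifact whose exact version is in `vulnerable`."""
    findings: List[Finding] = []
    path: List[str] = []  # ancestor coordinates, index == depth
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # plugin banner, BUILD SUCCESS, separators
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        if len(parts) < 4:
            continue  # not group:artifact:type[:classifier]:version[:scope]
        coord = f"{parts[0]}:{parts[1]}"
        # Root line has no scope; every other line ends with the scope.
        version = parts[3] if len(parts) == 4 else parts[-2]
        del path[depth:]
        path.append(coord)
        via = path[1] if depth >= 2 else ""
        refs = vulnerable.get(coord, {}).get(version)
        if refs:
            findings.append(Finding(coord, version, refs, via))
    return findings


def report(findings: List[Finding]) -> List[str]:
    """Human-readable lines, noting the direct dependency for transitive hits."""
    lines = []
    for f in findings:
        origin = f" (transitive dependency of {f.via})" if f.via else ""
        lines.append(f"{f.artifact}:{f.version}{origin} - {', '.join(f.refs)}")
    return lines


if __name__ == "__main__":
    # Real use: mvn dependency:tree > tree.txt; python this_script.py < tree.txt
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for line in report(scan_tree(text)):
        print(line)
```

The `via` field is the useful part for remediation: a transitive hit such as httpclient under jgit cannot be fixed by editing the direct dependency's version alone, so the output tells you whether to bump a direct dependency or add an override for the transitive one. Exact-version matching deliberately avoids guessing which later release closes a CVE; extend the table from each advisory rather than from version arithmetic.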