Posted to issues@kylin.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/04/01 11:39:00 UTC

[jira] [Commented] (KYLIN-5159) there are several dependencies in main branch with CVEs

    [ https://issues.apache.org/jira/browse/KYLIN-5159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17515878#comment-17515878 ] 

ASF GitHub Bot commented on KYLIN-5159:
---------------------------------------

pjfanning closed pull request #1815:
URL: https://github.com/apache/kylin/pull/1815


   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@kylin.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> there are several dependencies in main branch with CVEs
> -------------------------------------------------------
>
>                 Key: KYLIN-5159
>                 URL: https://issues.apache.org/jira/browse/KYLIN-5159
>             Project: Kylin
>          Issue Type: Improvement
>            Reporter: PJ Fanning
>            Priority: Major
>
> Some of the more readily addressed ones include:
>  * upgrade to commons-compress 1.21 - see CVEs in [https://mvnrepository.com/artifact/org.apache.commons/commons-compress]
>  * upgrade to h2 2.1.210 - see CVEs in [https://mvnrepository.com/artifact/com.h2database/h2]
>  * upgrade to httpclient 4.5.13 - see CVEs in [https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient]
>  * update to commons-io 2.7 (or 2.11.0 to get latest code) - see [https://github.com/advisories/GHSA-gwrp-pvrq-jmwv]
>  * upgrade to xerces 2.12.2 - see CVEs in [https://mvnrepository.com/artifact/xerces/xercesImpl]
>  * many others - but I may be looking at the wrong branch given the large number of vulnerable jars



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
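Added example, not part of the Jira issue or of the Kylin code base: a small Python script that scans a Maven pom.xml for the five coordinates listed in the issue and reports any declared version that is below the minimum the reporter proposed. It resolves ${property} references from <properties> and looks in both <dependencies> and <dependencyManagement>. The pom below is constructed for the example, and the floor table simply transcribes the versions proposed in KYLIN-5159; it is a guard for these specific upgrades, not a vulnerability database, so it does not replace a scanner such as OWASP dependency-check or the GitHub advisory feed.

```python
"""Flag Maven dependencies declared below a proposed minimum version."""
import re
import xml.etree.ElementTree as ET

# Minimum versions proposed in KYLIN-5159 (groupId:artifactId -> version).
# Transcribed from the issue text; not a vulnerability database.
MIN_VERSIONS = {
    "org.apache.commons:commons-compress": "1.21",
    "com.h2database:h2": "2.1.210",
    "org.apache.httpcomponents:httpclient": "4.5.13",
    "commons-io:commons-io": "2.7",
    "xerces:xercesImpl": "2.12.2",
}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(v):
    """Turn '4.5.13' or '2.7-beta1' into a comparable key.

    Leading numeric segments are compared numerically; trailing zeros are
    dropped so 2.7.0 == 2.7; a release ranks above any pre-release qualifier
    of the same number (2.7-beta1 < 2.7).
    """
    nums, qualifier = [], ""
    for piece in re.split(r"[.\-]", v):
        if piece.isdigit() and not qualifier:
            nums.append(int(piece))
        else:
            qualifier += piece
    while nums and nums[-1] == 0:
        nums.pop()
    return (tuple(nums), qualifier == "", qualifier)


def resolve(value, props):
    """Expand ${name} references from <properties>; bounded to stop cycles."""
    for _ in range(5):
        new = re.sub(r"\$\{([^}]+)\}",
                     lambda m: props.get(m.group(1), m.group(0)), value)
        if new == value:
            break
        value = new
    return value


def check_pom(pom_xml, floors=MIN_VERSIONS):
    """Return [(coordinate, declared_version, minimum)] for every dependency
    in the pom whose resolved version is below its floor."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    props.setdefault("project.version", root.findtext("m:version", "", NS).strip())
    findings = []
    for dep in root.iter(f"{{{NS['m']}}}dependency"):
        gid = dep.findtext("m:groupId", "", NS).strip()
        aid = dep.findtext("m:artifactId", "", NS).strip()
        ver = resolve(dep.findtext("m:version", "", NS).strip(), props)
        coord = f"{gid}:{aid}"
        # Skip coordinates we have no floor for, versions inherited from a
        # parent/BOM, and properties this pom cannot resolve on its own.
        if coord not in floors or not ver or "${" in ver:
            continue
        if parse_version(ver) < parse_version(floors[coord]):
            findings.append((coord, ver, floors[coord]))
    return findings


# Constructed sample pom for the example; this is not Kylin's pom.xml.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0.0</version>
  <properties>
    <commons-compress.version>1.20</commons-compress.version>
    <h2.version>1.4.200</h2.version>
  </properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-compress</artifactId>
      <version>${commons-compress.version}</version></dependency>
    <dependency><groupId>com.h2database</groupId><artifactId>h2</artifactId>
      <version>${h2.version}</version></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>org.apache.httpcomponents</groupId><artifactId>httpclient</artifactId>
      <version>4.5.13</version></dependency>
    <dependency><groupId>xerces</groupId><artifactId>xercesImpl</artifactId>
      <version>2.12.1</version></dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for coord, found, floor in check_pom(SAMPLE_POM):
        print(f"{coord}: declared {found}, proposed minimum {floor}")
```

Running it against the sample reports commons-compress (1.20), h2 (1.4.200) and xercesImpl (2.12.1) as below their floors, while httpclient at exactly 4.5.13 passes. Versions that come from a parent pom or an imported BOM are skipped rather than guessed, so run the check on the effective pom (mvn help:effective-pom) if the project inherits its versions.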