Posted to issues@ratis.apache.org by "Tsz Wo Nicholas Sze (JIRA)" <ji...@apache.org> on 2018/08/07 18:27:01 UTC

[jira] [Created] (RATIS-294) Fix ratis-hadoop CVEs

Tsz Wo Nicholas Sze created RATIS-294:
-----------------------------------------

             Summary: Fix ratis-hadoop CVEs
                 Key: RATIS-294
                 URL: https://issues.apache.org/jira/browse/RATIS-294
             Project: Ratis
          Issue Type: Improvement
          Components: HadoopRPC
            Reporter: Tsz Wo Nicholas Sze


There are multiple CVEs found in ratis-hadoop.
- CVE-2012-4449 | High | org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT
- CVE-2016-5001 | Low | org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT
- CVE-2017-3161 | Medium | org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT
- CVE-2017-3162 | High | org.apache.ratis:ratis-hadoop:0.3.0-SNAPSHOT

It is very likely that the CVEs come from the Hadoop dependency. We should either update the Hadoop version or temporarily remove the Hadoop dependency in order to fix the CVEs.


