Posted to dev@kylin.apache.org by "PJ Fanning (Jira)" <ji...@apache.org> on 2022/02/07 12:06:00 UTC

[jira] [Created] (KYLIN-5159) there are several dependencies in main branch with CVEs

PJ Fanning created KYLIN-5159:
---------------------------------

             Summary: there are several dependencies in main branch with CVEs
                 Key: KYLIN-5159
                 URL: https://issues.apache.org/jira/browse/KYLIN-5159
             Project: Kylin
          Issue Type: Improvement
            Reporter: PJ Fanning


Some of the more readily addressed ones include:
 * upgrade to commons-compress 1.21 - see cves in [https://mvnrepository.com/artifact/org.apache.commons/commons-compress]
 * upgrade to h2 2.1.210 - see cves in [https://mvnrepository.com/artifact/com.h2database/h2]
 * upgrade to httpclient 4.5.13 - see cves in [https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient]
 * update to commons-io 2.7 (or 2.11.0 to get latest code) - see [https://github.com/advisories/GHSA-gwrp-pvrq-jmwv]
 * upgrade to xerces 2.12.2 - see cves in [https://mvnrepository.com/artifact/xerces/xercesImpl]
 * many others - but I may be looking at the wrong branch given the large number of vulnerable jars



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
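A quick way to verify the floors listed in the issue against a build file, as an added example (not code from the Kylin project or from the reporter): the script below parses a Maven `pom.xml`, resolves `${property}` version references from the `<properties>` block (a simplified stand-in for Maven's full interpolation, which also covers inherited and `-D` properties), and reports every listed dependency pinned below the minimum version the issue recommends. The `pom.xml` content is constructed for the demo; the version floors come from the issue text, and dependencies that inherit their version from a parent or BOM are skipped rather than guessed.

```python
"""Flag Maven dependencies pinned below the minimum versions listed in KYLIN-5159.

Added example, not Kylin project code. Uses only the standard library so it
runs offline against any pom.xml string.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Minimum versions taken from the issue text: (groupId, artifactId) -> version.
MIN_VERSIONS = {
    ("org.apache.commons", "commons-compress"): "1.21",
    ("com.h2database", "h2"): "2.1.210",
    ("org.apache.httpcomponents", "httpclient"): "4.5.13",
    ("commons-io", "commons-io"): "2.7",
    ("xerces", "xercesImpl"): "2.12.2",
}

# Constructed sample pom for the demo; the pinned versions are invented.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <h2.version>1.4.200</h2.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-compress</artifactId>
        <version>1.20</version>
      </dependency>
      <dependency>
        <groupId>com.h2database</groupId>
        <artifactId>h2</artifactId>
        <version>${h2.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
      <version>4.5.13</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.11.0</version>
    </dependency>
    <dependency>
      <groupId>xerces</groupId>
      <artifactId>xercesImpl</artifactId>
      <version>2.12.0</version>
    </dependency>
  </dependencies>
</project>
"""


def version_key(version):
    """Turn '2.1.210' into a tuple that compares numerically, so that
    2.11.0 > 2.7 and 1.21 == 1.21.0. Non-numeric pieces (e.g. 'SNAPSHOT')
    sort before any number."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        parts.append((1, int(piece)) if piece.isdigit() else (0, piece))
    while len(parts) > 1 and parts[-1] == (1, 0):  # drop trailing ".0"
        parts.pop()
    return tuple(parts)


def resolve(version, properties):
    """Substitute ${prop} references using the pom's own <properties> block.
    Simplified: unknown properties are left as written."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: properties.get(m.group(1), m.group(0)), version)


def find_outdated(pom_xml):
    """Return [(groupId, artifactId, found_version, minimum_version), ...] for
    every dependency in the pom that is pinned below the issue's floor."""
    root = ET.fromstring(pom_xml)
    properties = {
        child.tag.replace(POM_NS, ""): (child.text or "").strip()
        for child in root.findall(f"{POM_NS}properties/*")
    }
    outdated = []
    # root.iter() also walks <dependencyManagement>, where floors usually live.
    for dep in root.iter(f"{POM_NS}dependency"):
        group = dep.findtext(f"{POM_NS}groupId", "").strip()
        artifact = dep.findtext(f"{POM_NS}artifactId", "").strip()
        version = dep.findtext(f"{POM_NS}version")
        if version is None:  # inherited from a parent or BOM; not checked here
            continue
        floor = MIN_VERSIONS.get((group, artifact))
        if floor is None:
            continue
        version = resolve(version.strip(), properties)
        if version_key(version) < version_key(floor):
            outdated.append((group, artifact, version, floor))
    return outdated


if __name__ == "__main__":
    for group, artifact, found, floor in find_outdated(SAMPLE_POM):
        print(f"{group}:{artifact} {found} -> upgrade to at least {floor}")
```

Run against the constructed pom, it flags commons-compress, h2 (via the resolved property) and xercesImpl, and leaves httpclient and commons-io alone because they already meet the floor. Point it at a real pom by reading the file into `find_outdated`; note that transitive dependencies pulled in by other artifacts are not visible in the pom and need `mvn dependency:tree` or a proper SCA tool.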