Posted to dev@phoenix.apache.org by "Jerry Chabot (JIRA)" <ji...@apache.org> on 2018/12/21 15:27:00 UTC

[jira] [Updated] (PHOENIX-5078) Phoenix depends on Guava 13.0.1 which has CVE-2018-10237

     [ https://issues.apache.org/jira/browse/PHOENIX-5078?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jerry Chabot updated PHOENIX-5078:
----------------------------------
    Summary: Phoenix depends on Guava 13.0.1 which has CVE-2018-10237  (was: Phoenix depends on Guava 13.0.0 which has CVE-2018-10237)

> Phoenix depends on Guava 13.0.1 which has CVE-2018-10237
> --------------------------------------------------------
>
>                 Key: PHOENIX-5078
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-5078
>             Project: Phoenix
>          Issue Type: Bug
>    Affects Versions: 4.14.1
>            Reporter: Jerry Chabot
>            Priority: Major
>
> Phoenix has a dependency on Guava 13.0.1. This cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237 specifies a vulnerability in Guava 11.0 through 24.x. It is an unbounded memory allocation that allows remote attackers to conduct denial of service attacks. Does this apply to Phoenix?
> I want to upgrade our product dependency on Guava. But, doing so had caused problems with Phoenix in the past. Currently, our product's Guava dependency has been stuck at Guava 15.0 to avoid Phoenix issues.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)