Posted to dev@tinkerpop.apache.org by "justinchuch (GitHub)" <gi...@apache.org> on 2019/09/20 12:09:27 UTC

[GitHub] [tinkerpop] justinchuch opened pull request #1196: Upgrade commons-compress to version 1.19 due to CVE-2018-11881

According to sourceclear:

https://www.sourceclear.com/vulnerability-database/security/denial-of-service-dos-/java/sid-7319

commons-compress is vulnerable to denial of service (DoS) attacks.

Although it looks like `hadoop-gremlin` does not use the library directly, it still may be worth upgrading.

Ran `docker/build.sh -t -i` locally, and the Reactor Summary reports `BUILD SUCCESS`.


[ Full content available at: https://github.com/apache/tinkerpop/pull/1196 ]
This message was relayed via gitbox.apache.org for dev@tinkerpop.apache.org
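The PR description notes that `hadoop-gremlin` does not use commons-compress directly, which is exactly the situation in which a vulnerable version arrives transitively and is easy to miss. The following is an added example, not code from the PR or from the TinkerPop project: it parses the text output of `mvn dependency:tree` and reports every occurrence of `org.apache.commons:commons-compress` below the fixed version named in the PR title (1.19), together with the chain of dependencies that pulled it in. The tree output embedded below is constructed for illustration and does not reproduce the real `hadoop-gremlin` dependency graph; the coordinates in it are placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `mvn dependency:tree` output. The modules and versions
# are illustrative placeholders, not the real hadoop-gremlin dependency graph.
SAMPLE_TREE = "\n".join([
    r"[INFO] org.apache.tinkerpop:hadoop-gremlin:jar:3.4.4-SNAPSHOT",
    r"[INFO] +- org.apache.hadoop:hadoop-client:jar:2.7.2:compile",
    r"[INFO] |  +- org.apache.hadoop:hadoop-common:jar:2.7.2:compile",
    r"[INFO] |  |  \- org.apache.commons:commons-compress:jar:1.4.1:compile",
    r"[INFO] |  \- org.apache.avro:avro:jar:1.7.4:compile",
    r"[INFO] \- org.apache.commons:commons-compress:jar:1.19:compile",
])

VULNERABLE_ARTIFACT = ("org.apache.commons", "commons-compress")
FIXED_VERSION = "1.19"  # first non-vulnerable version per the PR title

# One tree line: "[INFO] " + a tree-drawing prefix made of "+- ", "\- ", "|  " or
# "   " (each 3 characters) + a Maven coordinate with no whitespace. Lines with
# extra annotations (e.g. "(version managed from ...)") are skipped on purpose.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[ |+\\-]*?)(?P<coord>[A-Za-z][^\s]*:[^\s]+)$")


def version_key(version):
    """Numeric-prefix comparison key: '1.4.1' -> (1, 4, 1), '3.4.4-SNAPSHOT' -> (3, 4, 4)."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


@dataclass
class Finding:
    version: str
    scope: str
    path: list = field(default_factory=list)  # coordinates from root module to the hit

    @property
    def direct(self):
        # root module plus the artifact itself means it is declared directly
        return len(self.path) == 2


def find_vulnerable(tree_text, artifact=VULNERABLE_ARTIFACT, fixed=FIXED_VERSION):
    """Walk the tree, tracking the ancestor chain by indentation depth."""
    stack = []
    findings = []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        coord = m.group("coord")
        del stack[depth:]          # drop siblings/children of the previous node
        stack.append(coord)
        fields = coord.split(":")
        if len(fields) >= 5:       # group:artifact:type[:classifier]:version:scope
            version, scope = fields[-2], fields[-1]
        else:                      # root module: group:artifact:type:version
            version, scope = fields[-1], "(root)"
        if (fields[0], fields[1]) == artifact and version_key(version) < version_key(fixed):
            findings.append(Finding(version, scope, list(stack)))
    return findings


def report(findings):
    """Human-readable lines: version, scope, direct/transitive, and the pull-in chain."""
    lines = []
    for f in findings:
        kind = "direct" if f.direct else "transitive"
        lines.append(f"{f.version} ({f.scope}, {kind}) via " + " -> ".join(f.path[1:-1] or ["(declared directly)"]))
    return lines


if __name__ == "__main__":
    for line in report(find_vulnerable(SAMPLE_TREE)):
        print(line)
```

On a real checkout, feed it the output of `mvn dependency:tree -Dincludes=org.apache.commons:commons-compress` run from the module in question; the chain in each finding tells you which direct dependency to override in `dependencyManagement`, and rerunning the command after the bump confirms that Maven's nearest-wins resolution actually picked up 1.19 rather than a deeper, older copy.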

[GitHub] [tinkerpop] justinchuch commented on issue #1196: Upgrade commons-compress to version 1.19 due to CVE-2018-11881

Posted by "justinchuch (GitHub)" <gi...@apache.org>.
I am sorry, the CVE should apply to 3.3.x. Created PR #1198 and closing this one instead.


[GitHub] [tinkerpop] spmallette commented on issue #1196: Upgrade commons-compress to version 1.19 due to CVE-2018-11881

Posted by "spmallette (GitHub)" <gi...@apache.org>.
thanks. was this only a problem for commons-compress on the 3.4.x line? does this CVE not apply to 3.3.x? if it applies to 3.3.x then this PR should target the `tp33` branch.
