Posted to dev@zookeeper.apache.org by "Hudson (JIRA)" <ji...@apache.org> on 2019/02/02 20:03:00 UTC

[jira] [Commented] (ZOOKEEPER-3262) Update dependencies flagged by OWASP report

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-3262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16759174#comment-16759174 ] 

Hudson commented on ZOOKEEPER-3262:
-----------------------------------

SUCCESS: Integrated in Jenkins build ZooKeeper-trunk #381 (See [https://builds.apache.org/job/ZooKeeper-trunk/381/])
ZOOKEEPER-3262: Update dependencies flagged by OWASP report (phunt: rev 97e51a41ae7b9e30d76d33b6d2d91c5ab15167f2)
* (edit) owaspSuppressions.xml
* (edit) pom.xml
* (edit) build.xml


> Update dependencies flagged by OWASP report
> -------------------------------------------
>
>                 Key: ZOOKEEPER-3262
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3262
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.6.0, 3.5.5, 3.4.14
>            Reporter: Enrico Olivelli
>            Assignee: Enrico Olivelli
>            Priority: Blocker
>              Labels: pull-request-available
>             Fix For: 3.6.0, 3.5.5, 3.4.14
>
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> Currently OWASP plugin is reporting these vulnerabilities:
> ||CVE||CWE||Severity (CVSS)||Dependency||
> |[CVE-2018-14719|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14719]|CWE-502 Deserialization of Untrusted Data|High (7.5)|jackson-databind-2.9.5.jar|
> |[CVE-2018-14720|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14720]|CWE-611 Improper Restriction of XML External Entity Reference ('XXE')|High (7.5)|jackson-databind-2.9.5.jar|
> |[CVE-2018-14721|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14721]|CWE-918 Server-Side Request Forgery (SSRF)|High (7.5)|jackson-databind-2.9.5.jar|
> |[CVE-2018-19360|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19360]|CWE-502 Deserialization of Untrusted Data|High (7.5)|jackson-databind-2.9.5.jar|
> |[CVE-2018-19361|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19361]|CWE-502 Deserialization of Untrusted Data|High (7.5)|jackson-databind-2.9.5.jar|
> |[CVE-2018-19362|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19362]|CWE-502 Deserialization of Untrusted Data|High (7.5)|jackson-databind-2.9.5.jar|
> |[CVE-2017-7657|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7657]|CWE-190 Integer Overflow or Wraparound|High (7.5)|jetty-http-9.4.10.v20180503.jar|
> |[CVE-2017-7658|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7658]|CWE-19 Data Processing Errors|High (7.5)|jetty-http-9.4.10.v20180503.jar|
> |[CVE-2018-1000873|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000873]|CWE-20 Improper Input Validation|Medium (5.0)|jackson-databind-2.9.5.jar|
> |[CVE-2017-7656|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7656]|CWE-284 Improper Access Control|Medium (5.0)|jetty-http-9.4.10.v20180503.jar|
> |[CVE-2018-12536|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12536]|CWE-200 Information Exposure|Medium (5.0)|jetty-http-9.4.10.v20180503.jar|
> |[CVE-2018-12056|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12056]|CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)|Medium (5.0)|netty-all-4.1.29.Final.jar|
> We have to upgrade all of them or add suppressions.
>
> In the Maven build we also have:
> pom.xml: CVE-2018-8012, CVE-2016-5017



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)