Posted to issues@bookkeeper.apache.org by GitBox <gi...@apache.org> on 2020/03/01 15:28:50 UTC

[GitHub] [bookkeeper] CleWang opened a new issue #2276: Dependencies causes CVEs in your execution path

CleWang opened a new issue #2276: Dependencies causes CVEs in your execution path
URL: https://github.com/apache/bookkeeper/issues/2276
 
 
   I found you use some dependencies with CVEs, and the buggy methods of the CVEs are in the program execution path of your project. This makes your project insecure. I have suggested some version updates. Here is the detailed information:
   
   * **Vulnerable Dependency:** org.apache.hadoop : hadoop-common : 2.7.3
   
   * **Call Chain to Buggy Methods:**
   
     * **Some files in your project call the library method org.apache.hadoop.conf.Configuration.get(java.lang.String), which can reach the buggy method of [CVE-2017-15713](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713).**
   
       * Files in your project: 
         stream/distributedlog/io/dlfs/src/main/java/org/apache/distributedlog/fs/DLFileSystem.java
       * One of the possible call chains:
   
       ```
       org.apache.hadoop.conf.Configuration.get(java.lang.String)
       org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
       ```
   
   * **Update suggestion:** version 3.2.1
     3.2.1 is a safe version without CVEs. From 2.7.3 to 3.2.1, 3 of the APIs (called 9 times in your project) were modified.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
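The report above combines two checks: a version comparison against a table of advisories, and a reachability check (does project code call a library method from which the flawed method is reachable). The following is an added example, not part of the issue thread or the BookKeeper project, that performs both checks over a small constructed input. The coordinates, CVE id, method names, call site and suggested version are the ones quoted in the report; the advisory table layout, the `org.example` dependency, the second call site and the treatment of 3.2.1 as the minimum acceptable version are assumptions made for the example.

```python
"""Dependency advisory + reachability check (added example, not project code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    group_id: str
    artifact_id: str
    cve: str
    min_safe: str            # lowest version treated as safe (taken from the report's suggestion)
    buggy_method: str        # method the CVE is attributed to
    entry_points: frozenset  # public library methods from which buggy_method is reachable


# Constructed advisory table: values quoted from the issue, layout is ours.
ADVISORIES = (
    Advisory(
        group_id="org.apache.hadoop",
        artifact_id="hadoop-common",
        cve="CVE-2017-15713",
        min_safe="3.2.1",
        buggy_method="org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String)",
        entry_points=frozenset({"org.apache.hadoop.conf.Configuration.get(java.lang.String)"}),
    ),
)


def parse_version(version):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically.
    A plain string comparison would wrongly rank '2.10.0' below '2.7.3'."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def parse_coordinate(coord):
    """Accept a 'group:artifact:version' coordinate string."""
    parts = coord.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected group:artifact:version, got {coord!r}")
    return parts[0], parts[1], parts[2]


def matching_advisories(coord):
    """Advisories whose coordinates match and whose min_safe is above this version."""
    group_id, artifact_id, version = parse_coordinate(coord)
    return [adv for adv in ADVISORIES
            if adv.group_id == group_id and adv.artifact_id == artifact_id
            and parse_version(version) < parse_version(adv.min_safe)]


def reachable_call_sites(project_calls, advisory):
    """project_calls: iterable of (source_file, called_library_method).
    Returns the files whose calls enter one of the advisory's entry points."""
    return sorted({f for f, m in project_calls if m in advisory.entry_points})


def assess(dependencies, project_calls):
    """Produce one finding per (dependency, advisory) pair, with reachability."""
    findings = []
    for coord in dependencies:
        for adv in matching_advisories(coord):
            files = reachable_call_sites(project_calls, adv)
            findings.append({
                "dependency": coord,
                "cve": adv.cve,
                "reachable": bool(files),
                "call_sites": files,
                "call_chain": sorted(adv.entry_points) + [adv.buggy_method + " [buggy method]"],
                "suggested_version": adv.min_safe,
            })
    return findings


# Constructed sample input: the dependency and call site from the issue, plus a
# hypothetical unrelated dependency and a hypothetical call that reaches nothing.
SAMPLE_DEPENDENCIES = [
    "org.apache.hadoop:hadoop-common:2.7.3",
    "org.example:unrelated-lib:1.0.0",  # hypothetical, no advisory
]
SAMPLE_CALLS = [
    ("stream/distributedlog/io/dlfs/src/main/java/org/apache/distributedlog/fs/DLFileSystem.java",
     "org.apache.hadoop.conf.Configuration.get(java.lang.String)"),
    ("src/main/java/org/example/Other.java",  # hypothetical file
     "org.example.unrelated.Helper.run()"),   # hypothetical method, not an entry point
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_DEPENDENCIES, SAMPLE_CALLS):
        print(finding)
```

The reachability part is deliberately the weak link: it only knows the entry points listed in the advisory table, so a dependency that is affected but not called through a listed entry point is reported with `reachable` set to `False`, which is a reason to prioritise, not a reason to ignore the upgrade.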

[GitHub] [bookkeeper] fpj commented on issue #2276: Dependencies causes CVEs in your execution path

Posted by GitBox <gi...@apache.org>.
fpj commented on issue #2276: Dependencies causes CVEs in your execution path
URL: https://github.com/apache/bookkeeper/issues/2276#issuecomment-593132946
 
 
   Please check this out before reporting security issues:
   
   https://www.apache.org/security/
   
   In this particular case, the vulnerability is known as you are pointing to a CVE, but in general it is best to follow the established protocol and report to the security list.
