You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@avro.apache.org by "Ismaël Mejía (JIRA)" <ji...@apache.org> on 2019/02/06 08:37:00 UTC

[jira] [Resolved] (AVRO-2218) upgrade libraries to work around security issues

     [ https://issues.apache.org/jira/browse/AVRO-2218?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ismaël Mejía resolved AVRO-2218.
--------------------------------
       Resolution: Fixed
    Fix Version/s: 1.9.0

All dependency security issues mentioned in this ticket have been updated for version 1.9.0. Further dependency updates will be treated individually as done in AVRO-2314

> upgrade libraries to work around security issues
> ------------------------------------------------
>
>                 Key: AVRO-2218
>                 URL: https://issues.apache.org/jira/browse/AVRO-2218
>             Project: Apache Avro
>          Issue Type: Improvement
>          Components: java
>    Affects Versions: 1.8.2
>            Reporter: Matt Darwin
>            Priority: Major
>             Fix For: 1.9.0
>
>
> Avro has some very old dependencies, which potentially expose users to security vulnerabilities.
> ||Library||Current version||dated||latest version||dated||
> |Jackson|1.9.13|Jul '13|2.9.6|Jun '18|
> |paranamer|2.7|Aug '14|2.8|Aug '15|
> |snappy|1.1.1.3|Jul '14|1.1.7.2|May '18|
> |commons-compress|1.8.1|May '14|1.17|May '18|
> |Tukaani XZ|1.5|Mar '14|1.8|Jan '18|
>  
> Large corporations have strict rules about the use of third-party libraries.  For example, at Oracle we are not allowed to use any third-party code which has any dependencies older than 18 months or 5 versions.
> Please upgrade these dependencies to the latest versions.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)