You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@carbondata.apache.org by "XuCongying (Jira)" <ji...@apache.org> on 2020/03/02 15:46:00 UTC
[jira] [Updated] (CARBONDATA-3729) Please avoid using libraries with CVEs

     [ https://issues.apache.org/jira/browse/CARBONDATA-3729?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

XuCongying updated CARBONDATA-3729:
-----------------------------------
    Attachment: apache-carbondata_CVE-report.md

> Please avoid using libraries with CVEs
> --------------------------------------
>
>                 Key: CARBONDATA-3729
>                 URL: https://issues.apache.org/jira/browse/CARBONDATA-3729
>             Project: CarbonData
>          Issue Type: Bug
>            Reporter: XuCongying
>            Priority: Major
>         Attachments: apache-carbondata_CVE-report.md
>
>
> Hi, I noticed that your project are using vulnerable libraries which are related to some CVEs. To prevent potential security risks it may cause, I suggest to update the library dependency. See below for more details:
>  
> Vulnerable Library Version: org.scala-lang : scala-compiler : 2.11.8
>   CVE ID: [CVE-2017-15288](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15288)
>   Import Path: integration/spark-common/pom.xml
>   Suggested Safe Versions: 2.11.12, 2.12.10, 2.12.4, 2.12.5, 2.12.6, 2.12.7, 2.12.8, 2.12.9, 2.13.0, 2.13.0-M1, 2.13.0-M2, 2.13.0-M3, 2.13.0-M3-f73b161, 2.13.0-M4, 2.13.0-M4-pre-20d3c21, 2.13.0-M5, 2.13.0-M5-1775dba, 2.13.0-M5-5eef812, 2.13.0-M5-6e0cba7, 2.13.0-RC1, 2.13.0-RC2, 2.13.0-RC3, 2.13.1
>  Vulnerable Library Version: org.apache.lucene : lucene-queryparser : 6.3.0
>   CVE ID: [CVE-2017-12629](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12629)
>   Import Path: datamap/lucene/pom.xml
>   Suggested Safe Versions: 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 7.1.0, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.7.1, 7.7.2, 8.0.0, 8.1.0, 8.1.1, 8.2.0, 8.3.0, 8.3.1, 8.4.0, 8.4.1
>  Vulnerable Library Version: org.apache.hive : hive-service : 1.2.1
>   CVE ID: [CVE-2016-3083](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
>   Import Path: integration/hive/pom.xml
>   Suggested Safe Versions: 1.2.2, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
>  Vulnerable Library Version: com.google.guava : guava : 14.0.1
>   CVE ID: [CVE-2018-10237](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237)
>   Import Path: datamap/bloom/pom.xml
>   Suggested Safe Versions: 24.1.1-android, 24.1.1-jre, 25.0-android, 25.0-jre, 25.1-android, 25.1-jre, 26.0-android, 26.0-jre, 27.0-android, 27.0-jre, 27.0.1-android, 27.0.1-jre, 27.1-android, 27.1-jre, 28.0-android, 28.0-jre, 28.1-android, 28.1-jre, 28.2-android, 28.2-jre
>  Vulnerable Library Version: org.apache.hive : hive-exec : 1.2.1
>   CVE ID: [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521), [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
>   Import Path: integration/hive/pom.xml
>   Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2
>  Vulnerable Library Version: org.apache.spark : spark-core_2.11 : 2.3.4
>   CVE ID: [CVE-2017-7678](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7678), [CVE-2018-3826](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3826), [CVE-2018-11770](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11770)
>   Import Path: examples/spark2/pom.xml, integration/spark-common-test/pom.xml, integration/presto/pom.xml, integration/spark2/pom.xml, datamap/mv/core/pom.xml, datamap/mv/plan/pom.xml
>   Suggested Safe Versions: 2.4.5
>  Vulnerable Library Version: org.apache.spark : spark-core_2.11 : 2.4.4
>   CVE ID: [CVE-2017-7678](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7678)
>   Import Path: integration/spark2/pom.xml, datamap/mv/plan/pom.xml
>   Suggested Safe Versions: 2.4.5
>  Vulnerable Library Version: org.apache.lucene : lucene-core : 6.3.0
>   CVE ID: [CVE-2017-3163](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3163)
>   Import Path: datamap/lucene/pom.xml
>   Suggested Safe Versions: 6.4.1, 6.4.2, 6.5.0, 6.5.1, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 7.0.0, 7.0.1, 7.1.0, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.7.1, 7.7.2, 8.0.0, 8.1.0, 8.1.1, 8.2.0, 8.3.0, 8.3.1, 8.4.0, 8.4.1
>  Vulnerable Library Version: org.apache.hive : hive-jdbc : 1.2.1
>   CVE ID: [CVE-2016-3083](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083), [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521), [CVE-2018-1282](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1282)
>   Import Path: integration/hive/pom.xml
>   Suggested Safe Versions: 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
>  Vulnerable Library Version: org.apache.thrift : libthrift : 0.9.3
>   CVE ID: [CVE-2018-1320](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1320)
>   Import Path: format/pom.xml
>   Suggested Safe Versions: 0.12.0, 0.13.0
>  Vulnerable Library Version: org.apache.hadoop : hadoop-hdfs : 2.7.2
>   CVE ID: [CVE-2018-11768](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11768)
>   Import Path: core/pom.xml, processing/pom.xml
>   Suggested Safe Versions: 2.10.0, 2.8.5, 2.9.2, 3.1.2, 3.1.3, 3.2.0, 3.2.1
>  Vulnerable Library Version: org.apache.zookeeper : zookeeper : 3.4.7
>   CVE ID: [CVE-2018-8012](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8012), [CVE-2019-0201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0201), [CVE-2017-5637](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5637)
>   Import Path: core/pom.xml
>   Suggested Safe Versions: 3.4.14, 3.5.5, 3.5.6, 3.5.7
>  Vulnerable Library Version: org.apache.hadoop : hadoop-common : 2.7.5
>   CVE ID: [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029), [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009)
>   Import Path: integration/flink/pom.xml
>   Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
>  Vulnerable Library Version: org.apache.hadoop : hadoop-common : 2.7.2
>   CVE ID: [CVE-2016-5393](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5393), [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009), [CVE-2016-6811](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6811), [CVE-2017-15718](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15718), [CVE-2016-3086](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3086), [CVE-2017-15713](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713), [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029)
>   Import Path: core/pom.xml, processing/pom.xml, common/pom.xml
>   Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
>  Vulnerable Library Version: org.apache.httpcomponents : httpclient : 4.3.4
>   CVE ID: [CVE-2014-3577](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3577), [CVE-2015-5262](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5262)
>   Import Path: examples/spark2/pom.xml, integration/hive/pom.xml, integration/spark2/pom.xml, store/sdk/pom.xml
>   Suggested Safe Versions: 4.3.6, 4.4, 4.4-alpha1, 4.4-beta1, 4.4.1, 4.5, 4.5.1, 4.5.10, 4.5.11, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 4.5.7, 4.5.8, 4.5.9
>  Vulnerable Library Version: com.fasterxml.jackson.core : jackson-databind : 2.6.5
>   CVE ID: [CVE-2017-17485](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485), [CVE-2020-8840](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8840), [CVE-2019-20330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20330), [CVE-2019-12384](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384), [CVE-2019-14439](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439), [CVE-2018-19362](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362), [CVE-2018-11307](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11307), [CVE-2018-14721](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721), [CVE-2018-14719](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14719), [CVE-2018-7489](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489), [CVE-2019-17531](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531), [CVE-2019-12086](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086), [CVE-2017-15095](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15095), [CVE-2018-14718](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14718), [CVE-2019-16943](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943), [CVE-2019-12814](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814), [CVE-2018-19361](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361), [CVE-2018-19360](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360), [CVE-2018-14720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14720), [CVE-2019-16942](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942), [CVE-2017-7525](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525)
>   Import Path: store/sdk/pom.xml
>   Suggested Safe Versions: 2.10.0, 2.10.1, 2.10.2, 2.9.10.3
>  Vulnerable Library Version: com.fasterxml.jackson.core : jackson-databind : 2.8.1
>   CVE ID: [CVE-2019-12814](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814), [CVE-2017-17485](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485), [CVE-2018-11307](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11307), [CVE-2018-7489](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489), [CVE-2018-19360](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360), [CVE-2019-14439](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439), [CVE-2017-15095](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15095), [CVE-2019-16943](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943), [CVE-2019-14379](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379), [CVE-2018-14720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14720), [CVE-2018-12023](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12023), [CVE-2017-7525](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525), [CVE-2020-8840](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8840), [CVE-2019-20330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20330), [CVE-2019-12384](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384), [CVE-2019-12086](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086), [CVE-2018-14721](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721), [CVE-2018-14719](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14719), [CVE-2019-17531](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531), [CVE-2018-14718](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14718), [CVE-2018-19362](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362), [CVE-2018-19361](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361), [CVE-2019-16942](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942)
>   Import Path: integration/presto/pom.xml
>   Suggested Safe Versions: 2.10.0, 2.10.1, 2.10.2, 2.9.10.3
>  Vulnerable Library Version: org.apache.solr : solr-core : 6.3.0
>   CVE ID: [CVE-2017-12629](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12629), [CVE-2018-8010](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8010), [CVE-2017-3163](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3163), [CVE-2017-7660](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7660), [CVE-2017-9803](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9803), [CVE-2017-3164](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3164), [CVE-2018-8026](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8026), [CVE-2019-0192](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0192)
>   Import Path: datamap/lucene/pom.xml
>   Suggested Safe Versions: 7.7.0, 7.7.1, 7.7.2, 8.0.0, 8.1.0, 8.1.1, 8.2.0, 8.3.0, 8.3.1, 8.4.0, 8.4.1



--
This message was sent by Atlassian Jira
(v8.3.4#803005)