Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2019/04/16 14:54:45 UTC

[GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1

one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1
URL: https://github.com/apache/pulsar/issues/4057
 
 
   ## Issue
   Black Duck, a product by Synopsys that scans for open source security threats, uncovered a few issues with dependencies for the Pulsar 2.3.1 binaries. Just posting the results here to make the community aware for future releases; I know this stuff is like a moving target.
   
   ### Apache Commons Compress - 1.15
   - CVE-2018-11771
   - CVE-2018-1324
   
   ### Apache Maven 2 - 3.0.4
   - CVE-2013-0253
   - CVE-2016-4469
   - CVE-2016-5005
   - CVE-2017-5657
   
   ### AsyncHttpClient - 1.6.5
   - CVE-2013-7397
   - CVE-2013-7398
   
   ### Guava: Google Core Libraries for Java - 21.0
   - CVE-2018-10237
   
   ### Guava: Google Core Libraries for Java - 24.1-jre
   - CVE-2018-10237
   
   ### jackson-databind - 2.8.11.3
   - CVE-2018-1000873
   - CVE-2018-14719
   - CVE-2018-14720
   - CVE-2018-14721
   - CVE-2018-19360
   - CVE-2018-19361
   - CVE-2018-19362
   
   ### Jetty: Java based HTTP, Servlet, SPDY, WebSocket Server - 9.4.11.v20180605
   - CVE-2017-9735
   - CVE-2018-12545
   
   ### jQuery - 2.2.3
   - CVE-2011-4969
   
   ### jQuery UI - 1.11.4
   - CVE-2016-7103
   
   ### Netty Project - 3.10.1.Final
   - CVE-2015-2156
   
   ### Netty Project - 3.6.2.Final
   - CVE-2015-2156
   - CVE-2014-0193
   
   It looks like upgrading to the latest versions of each of these dependencies might patch things, but I am not certain.
   
   Thanks!
