You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2021/08/09 09:03:19 UTC

[GitHub] [druid] abhishekagarwal87 opened a new pull request #11562: suppress CVE-2021-26291 on kafka-clients

abhishekagarwal87 opened a new pull request #11562:
URL: https://github.com/apache/druid/pull/11562


   The CVE details are here - https://nvd.nist.gov/vuln/detail/CVE-2021-26291. I am marking it suppressed since we are only using kafka-clients jar in druid. We use `maven-artifact` jar ourselves but it is only used for comparing versions


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org

[GitHub] [druid] abhishekagarwal87 merged pull request #11562: suppress CVE-2021-26291 on kafka-clients

Posted by GitBox <gi...@apache.org>.

abhishekagarwal87 merged pull request #11562:
URL: https://github.com/apache/druid/pull/11562


   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org

[GitHub] [druid] jihoonson commented on pull request #11562: suppress CVE-2021-26291 on kafka-clients

Posted by GitBox <gi...@apache.org>.

jihoonson commented on pull request #11562:
URL: https://github.com/apache/druid/pull/11562#issuecomment-895391909


   CVE-2021-26291 seems about maven-artifact not kafka-clients, so I studied a bit whether we need to update our dependency as well. We are currently using maven-artifact 3.6 in the druid-processing module. This doesn't seem to need an immediate version upgrade to 3.8.1 because, AFAIT, the only thing we are using is `org.apache.maven.artifact.versioning.DefaultArtifactVersion` in `VersionComparator` for strings.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org