Posted to dev@avro.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/11/12 16:14:01 UTC

[jira] [Commented] (AVRO-2217) Vulnerabilities in avro bundled packages

    [ https://issues.apache.org/jira/browse/AVRO-2217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16684012#comment-16684012 ] 

ASF GitHub Bot commented on AVRO-2217:
--------------------------------------

Fokko opened a new pull request #373: AVRO-2217 Bump Guava to patch security issues
URL: https://github.com/apache/avro/pull/373

   Commons and Jackson are already upgraded.

   https://issues.apache.org/jira/projects/AVRO/issues/AVRO-2217

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Vulnerabilities in avro bundled packages
> ----------------------------------------
>
>                 Key: AVRO-2217
>                 URL: https://issues.apache.org/jira/browse/AVRO-2217
>             Project: Apache Avro
>          Issue Type: Bug
>          Components: java
>    Affects Versions: 1.8.2
>            Reporter: Prasanth Pallamreddy
>            Priority: Critical
>
> The following vulnerabilities exist in the packages bundled by Avro. These packages need to be upgraded to the latest versions. Although a few of these vulnerabilities were raised a couple of years ago in AVRO-1126, and an attempt was made to address the backwards compatibility issue in AVRO-1605, there does not appear to be a resolution. If there is no resolution on these issues, we may be forced to fork based on [this PR|https://github.com/apache/avro/pull/87].
>  
> org.codehaus.jackson:jackson-mapper-asl:1.9.13 which is known to have these critical / high vulns:
>   - [https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
>   - [https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
>   - [https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
>   - [https://nvd.nist.gov/vuln/detail/CVE-2017-17485]
>   - [https://nvd.nist.gov/vuln/detail/CVE-2018-5968]
> org.codehaus.jackson:jackson-core-asl:1.9.13 which has this high vulnerability:
>   - [https://nvd.nist.gov/vuln/detail/CVE-2016-7051]
> org.apache.commons:commons-compress:1.8.1 has a DOS vulnerability:
>   - [https://nvd.nist.gov/vuln/detail/CVE-2018-11771]
> com.google.guava:guava:11.0.2
>   - [https://nvd.nist.gov/vuln/detail/CVE-2018-10237]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
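As an added defender-side check, not code from the ticket or the Avro project: a script that parses a Maven POM and flags the dependency coordinates named in AVRO-2217, reporting the CVEs the ticket cites. The POM fragment is constructed, and treating older releases of each artifact as equally affected is an assumption; the ticket only attests the bundled versions themselves.

```python
# Added example (not part of AVRO-2217 or the Avro project): scan a Maven POM
# for the bundled dependency versions the ticket lists and report the CVEs.
import xml.etree.ElementTree as ET

# Coordinates and versions named in AVRO-2217, with the CVEs the ticket cites.
AFFECTED = {
    ("org.codehaus.jackson", "jackson-mapper-asl"): ("1.9.13", [
        "CVE-2018-7489", "CVE-2017-15095", "CVE-2017-7525",
        "CVE-2017-17485", "CVE-2018-5968"]),
    ("org.codehaus.jackson", "jackson-core-asl"): ("1.9.13", ["CVE-2016-7051"]),
    ("org.apache.commons", "commons-compress"): ("1.8.1", ["CVE-2018-11771"]),
    ("com.google.guava", "guava"): ("11.0.2", ["CVE-2018-10237"]),
}
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def _version_key(v):
    # Numeric-aware sort key so that "1.10" > "1.9"; non-numeric parts count as 0.
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def find_vulnerable(pom_xml):
    """Return [(groupId, artifactId, version, [cve, ...])] for each dependency
    at or below a version the ticket reports as vulnerable. Assumption: older
    releases share the issue; newer-but-still-affected releases are not flagged
    because the ticket does not state fixed versions."""
    root = ET.fromstring(pom_xml)
    hits = []
    for dep in root.iterfind(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        ver = dep.findtext("m:version", default="", namespaces=NS).strip()
        if (gid, aid) in AFFECTED and ver:
            bad_ver, cves = AFFECTED[(gid, aid)]
            if _version_key(ver) <= _version_key(bad_ver):
                hits.append((gid, aid, ver, cves))
    return hits

# Constructed sample POM: two of the bundled versions from the ticket plus a
# newer commons-compress, to show that only matching-or-older versions are flagged.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.codehaus.jackson</groupId><artifactId>jackson-mapper-asl</artifactId><version>1.9.13</version></dependency>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-compress</artifactId><version>1.18</version></dependency>
    <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId><version>11.0.2</version></dependency>
  </dependencies>
</project>"""
```

Running `find_vulnerable(SAMPLE_POM)` on the constructed POM returns the jackson-mapper-asl and guava entries with their CVE lists and skips the newer commons-compress.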