You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@samza.apache.org by "Daniel Chen (Jira)" <ji...@apache.org> on 2021/10/01 21:17:00 UTC
[jira] [Resolved] (SAMZA-2683) Bump up Scalatra version to pull
latest dependencies
[ https://issues.apache.org/jira/browse/SAMZA-2683?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Chen resolved SAMZA-2683.
--------------------------------
Resolution: Fixed
closed in https://github.com/apache/samza/pull/1527
> Bump up Scalatra version to pull latest dependencies
> ----------------------------------------------------
>
> Key: SAMZA-2683
> URL: https://issues.apache.org/jira/browse/SAMZA-2683
> Project: Samza
> Issue Type: Improvement
> Affects Versions: 1.6
> Reporter: Daniel Chen
> Assignee: Daniel Chen
> Priority: Major
> Fix For: 1.7
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Scalatra 2.5.0 is pulling in outdated libraries, namely log4j:1.2.14 which possesses security concerns:
> "Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17. Users are advised to migrate to `org.apache.logging.log4j:log4j-core` remediation: No fix is known for this vulnerability"
> The latest Scalatra 2.7.1 version no longer depends on this dangerous library
--
This message was sent by Atlassian Jira
(v8.3.4#803005)