
Re: Vulnerabilities in calcite-spark module


Thanks for noting this. Agreed with Francis that we should fix before the
release if possible. Hopefully, it's as simple as upgrading the
dependencies and running tests to ensure no breaking changes have been
introduced.
--
Michael Mior
mmior@xxxxxxxxxx



On Mon., 25 Jun 2018 at 06:20, Volodymyr Vysotskyi <volodymyr@xxxxxxxxxx>
wrote:

> Hi all,
>
> I found that a check for vulnerabilities among dependencies fails
> for the calcite-spark module.
> The same problem is observed for the 1.16 version.
>
> Should we block the release until this issue is fixed, or fix it after the
> release in Calcite 1.18?
>
> Output for "mvn install -Ppedantic -DskipTests=true":
> One or more dependencies were identified with known vulnerabilities in
> Calcite Spark:
>
> jackson-databind-2.9.4.jar
> (com.fasterxml.jackson.core:jackson-databind:2.9.4,
> cpe:/a:fasterxml:jackson-databind:2.9.4, cpe:/a:fasterxml:jackson:2.9.4) :
> CVE-2018-7489
> protobuf-java-3.3.0.jar (com.google.protobuf:protobuf-java:3.3.0,
> cpe:/a:google:protobuf:3.3.0) : CVE-2015-5237
> commons-beanutils-core-1.8.0.jar
> (commons-beanutils:commons-beanutils-core:1.8.0,
> cpe:/a:apache:commons_beanutils:1.8.0) : CVE-2014-0114
> commons-beanutils-1.7.0.jar (commons-beanutils:commons-beanutils:1.7.0,
> cpe:/a:apache:commons_beanutils:1.7.0) : CVE-2014-0114
> commons-httpclient-3.1.jar (commons-httpclient:commons-httpclient:3.1,
> cpe:/a:apache:commons-httpclient:3.1, cpe:/a:apache:httpclient:3.1) :
> CVE-2015-5262, CVE-2014-3577
> javax.annotation-api-1.2.jar (cpe:/a:oracle:glassfish:1.2,
> javax.annotation:javax.annotation-api:1.2) : CVE-2015-2808, CVE-2013-2566
> mail-1.4.7.jar (cpe:/a:mail_project:mail:1.4.7, javax.mail:mail:1.4.7) :
> CVE-2015-9097
> validation-api-1.1.0.Final.jar
> (cpe:/a:bean_project:bean:7.x-1.1::~~~drupal~~,
> javax.validation:validation-api:1.1.0.Final) : CVE-2013-4499
> jaxb-api-2.2.2.jar (cpe:/a:fish:fish:2.2.2, cpe:/a:oracle:glassfish:2.2.2,
> javax.xml.bind:jaxb-api:2.2.2) : CVE-2015-2808, CVE-2013-2566
> pyrolite-4.13.jar (cpe:/a:pickle:pickle:4.13, net.razorvine:pyrolite:4.13)
> : CVE-2007-1100
> py4j-0.10.4.jar (cpe:/a:python:python:0.10.4,
> cpe:/a:python_software_foundation:python:0.10.4, net.sf.py4j:py4j:0.10.4) :
> CVE-2018-1000030, CVE-2017-18207, CVE-2017-17522, CVE-2017-1000158,
> CVE-2016-5699, CVE-2016-5636, CVE-2016-1494, CVE-2016-0772, CVE-2015-5652,
> CVE-2014-7185, CVE-2014-3539, CVE-2013-7440, CVE-2013-7338, CVE-2012-1150,
> CVE-2012-0845, CVE-2011-4940, CVE-2010-3492, CVE-2008-5983, CVE-2008-3143,
> CVE-2008-3142, CVE-2008-2315, CVE-2008-1887, CVE-2008-1721, CVE-2008-1679,
> CVE-2007-4559, CVE-2006-1542, CVE-2002-1119
> avro-mapred-1.7.7-hadoop2.jar (cpe:/a:apache:hadoop:1.7.7,
> org.apache.avro:avro-mapred:1.7.7) : CVE-2017-3162, CVE-2017-3161,
> CVE-2016-5001
> curator-recipes-2.6.0.jar (cpe:/a:apache:zookeeper:2.6.0,
> org.apache.curator:curator-recipes:2.6.0) : CVE-2016-5017, CVE-2014-0085
> api-util-1.0.0-M20.jar (cpe:/a:apache:directory_ldap_api:1.0.0.m30,
> org.apache.directory.api:api-util:1.0.0-M20) : CVE-2015-3250
> xbean-asm5-shaded-4.4.jar (cpe:/a:apache:geronimo:4.4) : CVE-2008-0732
> zookeeper-3.4.6.jar (cpe:/a:apache:zookeeper:3.4.6,
> org.apache.zookeeper:zookeeper:3.4.6) : CVE-2017-5637, CVE-2016-5017,
> CVE-2014-0085
> jackson-xc-1.9.13.jar (cpe:/a:fasterxml:jackson-databind:1.9.13,
> cpe:/a:fasterxml:jackson:1.9.13, org.codehaus.jackson:jackson-xc:1.9.13) :
> CVE-2018-5968, CVE-2017-17485
> jetty-http-9.2.19.v20160908.jar (cpe:/a:eclipse:jetty:9.2.19.v20160908,
> cpe:/a:jetty:jetty:9.2.19.v20160908,
> org.eclipse.jetty:jetty-http:9.2.19.v20160908) : CVE-2017-9735
> jetty-util-6.1.26.jar (cpe:/a:jetty:jetty:6.1.26,
> cpe:/a:mortbay:jetty:6.1.26, cpe:/a:mortbay_jetty:jetty:6.1.26,
> org.mortbay.jetty:jetty-util:6.1.26) : CVE-2011-4461
> unused-1.0.0.jar (cpe:/a:apache:spark:1.0.0,
> org.spark-project.spark:unused:1.0.0) : CVE-2017-7678
> xz-1.0.jar (cpe:/a:tukaani:xz:1.0, org.tukaani:xz:1.0) : CVE-2015-4035
> serializer-2.7.1.jar (cpe:/a:apache:xalan-java:2.7.1,
> xalan:serializer:2.7.1) : CVE-2014-0107
> xalan-2.7.1.jar (cpe:/a:apache:xalan-java:2.7.1, xalan:xalan:2.7.1) :
> CVE-2014-0107
> xercesImpl-2.9.1.jar (cpe:/a:apache:xerces2_java:2.9.1,
> xerces:xercesImpl:2.9.1) : CVE-2012-0881
>
> htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
> (com.fasterxml.jackson.core:jackson-databind:2.4.0,
> cpe:/a:fasterxml:jackson-databind:2.4.0, cpe:/a:fasterxml:jackson:2.4.0) :
> CVE-2018-7489, CVE-2018-5968, CVE-2017-7525, CVE-2017-17485, CVE-2017-15095
>
> spark-core_2.10-2.2.0.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml
> (cpe:/a:eclipse:jetty:9.3.11.v20160721,
> cpe:/a:jetty:jetty:9.3.11.v20160721,
> org.eclipse.jetty:jetty-plus:9.3.11.v20160721) : CVE-2017-9735
>
> Kind regards,
> Volodymyr Vysotskyi
>

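The summary quoted above lists, per jar, the identifiers the scanner matched (Maven coordinates and CPEs) and the CVEs attached to them; several of those CPE matches name a different product from the jar (py4j matched as `python`, pyrolite as `pickle`, validation-api as a Drupal module), which is the usual way such a report over-counts. The script below is an added example, not code from the Calcite project or from either correspondent. It parses entries in the wrapped, `>`-quoted form a mail archive presents them in and applies a triage heuristic: a CPE whose vendor/product tokens share no name with the jar's Maven coordinate is flagged for manual verification, as is a CPE whose version differs from the artifact version, or a jar with no Maven coordinate at all. The output format is assumed to be that of the OWASP dependency-check Maven plugin run by the `pedantic` profile; the sample input is a handful of entries copied from the quoted report (the py4j CVE list shortened), and `GENERIC`, the flag names and the matching rule are my own choices.

```python
"""Triage helper for dependency-check style summaries (added example).

Parses entries of the form

    <jar>[/path/inside/jar/pom.xml] (<maven coordinate or cpe>, ...) : CVE-..., CVE-...

possibly wrapped across several '>'-quoted mail lines, and flags CPE matches
that do not resemble the Maven coordinate of the jar.  A flag means "verify
by hand before treating as exposure (or suppressing)", not "safe".
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from the quoted report, in mail form.
SAMPLE_REPORT = """\
> jackson-databind-2.9.4.jar
> (com.fasterxml.jackson.core:jackson-databind:2.9.4,
> cpe:/a:fasterxml:jackson-databind:2.9.4, cpe:/a:fasterxml:jackson:2.9.4) :
> CVE-2018-7489
> py4j-0.10.4.jar (cpe:/a:python:python:0.10.4,
> cpe:/a:python_software_foundation:python:0.10.4, net.sf.py4j:py4j:0.10.4) :
> CVE-2018-1000030, CVE-2017-18207
> api-util-1.0.0-M20.jar (cpe:/a:apache:directory_ldap_api:1.0.0.m30,
> org.apache.directory.api:api-util:1.0.0-M20) : CVE-2015-3250
> xbean-asm5-shaded-4.4.jar (cpe:/a:apache:geronimo:4.4) : CVE-2008-0732
>
> htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
> (com.fasterxml.jackson.core:jackson-databind:2.4.0,
> cpe:/a:fasterxml:jackson-databind:2.4.0, cpe:/a:fasterxml:jackson:2.4.0) :
> CVE-2018-7489, CVE-2018-5968, CVE-2017-7525, CVE-2017-17485, CVE-2017-15095
"""

ENTRY_RE = re.compile(
    r"(?P<jar>\S+\.jar(?:/\S+)?)\s*"               # jar, or a pom.xml shaded inside it
    r"\((?P<ids>[^)]*)\)\s*:\s*"                  # comma-separated identifiers
    r"(?P<cves>CVE-\d{4}-\d+(?:,\s*CVE-\d{4}-\d+)*)"
)

# Name tokens too generic to tie a CPE to a Maven coordinate (assumed list).
GENERIC = {"apache", "project", "org", "com", "net", "io", "javax"}


@dataclass
class Finding:
    jar: str
    maven: list[str]            # group:artifact:version
    cpes: list[str]             # cpe:/a:vendor:product:version[...]
    cves: list[str]
    flags: list[str] = field(default_factory=list)


def _unwrap(text: str) -> str:
    """Strip '>' quoting and re-join wrapped lines into one string."""
    lines = [re.sub(r"^>\s?", "", ln).strip() for ln in text.splitlines()]
    return " ".join(ln for ln in lines if ln)


def parse_report(text: str) -> list[Finding]:
    findings = []
    for m in ENTRY_RE.finditer(_unwrap(text)):
        ids = [i.strip() for i in m.group("ids").split(",") if i.strip()]
        cpes = [i for i in ids if i.startswith("cpe:")]
        maven = [i for i in ids if not i.startswith("cpe:")]
        cves = [c.strip() for c in m.group("cves").split(",")]
        findings.append(Finding(m.group("jar"), maven, cpes, cves))
    return findings


def _tokens(s: str) -> set[str]:
    """Name tokens of a coordinate or CPE field, minus short/generic ones."""
    return {t for t in re.split(r"[.:_\-]+", s.lower())
            if len(t) >= 3 and t not in GENERIC}


def _norm_version(v: str) -> str:
    return v.lower().replace("-", ".")


def triage(findings: list[Finding]) -> list[Finding]:
    """Attach flags: no-maven-coordinate, unmatched-cpe:<cpe>, version-mismatch:<cpe>."""
    for f in findings:
        if not f.maven:
            f.flags.append("no-maven-coordinate")
            continue
        coord_tokens: set[str] = set()
        versions: set[str] = set()
        for coord in f.maven:
            group, artifact, version = coord.split(":", 2)
            coord_tokens |= _tokens(group) | _tokens(artifact)
            versions.add(_norm_version(version))
        for cpe in f.cpes:
            parts = cpe.split(":")          # ['cpe', '/a', vendor, product, version, ...]
            vendor, product = parts[2], parts[3]
            cpe_version = parts[4] if len(parts) > 4 else ""
            if not (_tokens(vendor) | _tokens(product)) & coord_tokens:
                f.flags.append(f"unmatched-cpe:{cpe}")
            elif cpe_version and _norm_version(cpe_version) not in versions:
                f.flags.append(f"version-mismatch:{cpe}")
    return findings


if __name__ == "__main__":
    for f in triage(parse_report(SAMPLE_REPORT)):
        status = "VERIFY" if f.flags else "upgrade"
        print(f"{status:8} {f.jar.split('/')[0]:40} {len(f.cves)} CVE(s)")
        for flag in f.flags:
            print(f"         {flag}")
```

Entries that come out with no flags (jackson-databind here, including the copy shaded into htrace-core) are the ones where an upgrade is the straightforward fix; the flagged ones need a person to confirm whether the CPE really describes the jar before either upgrading or adding a suppression.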
