
Re: Vulnerabilities in calcite-spark module


Hi all. I've tried to update the spark_core version to the latest 2.3.1 version
from Maven Central, and it still has security vulnerabilities.

Mon, 25 Jun 2018 at 17:06, Michael Mior <mmior@xxxxxxxxxx>:

> Thanks for noting this. Agreed with Francis that we should fix before the
> release if possible. Hopefully, it's as simple as upgrading the
> dependencies and running tests to ensure no breaking changes have been
> introduced.
> --
> Michael Mior
> mmior@xxxxxxxxxx
>
>
>
> On Mon, 25 Jun 2018 at 06:20, Volodymyr Vysotskyi <volodymyr@xxxxxxxxxx> wrote:
>
> > Hi all,
> >
> > I found that a check for vulnerabilities among dependencies fails
> > for calcite-spark module.
> > The same problem is observed for 1.16 version.
> >
> > Should we block the release until this issue is fixed, or fix it after
> > the release in Calcite 1.18?
> >
> > Output for "mvn install -Ppedantic -DskipTests=true":
> > One or more dependencies were identified with known vulnerabilities in
> > Calcite Spark:
> >
> > jackson-databind-2.9.4.jar (com.fasterxml.jackson.core:jackson-databind:2.9.4, cpe:/a:fasterxml:jackson-databind:2.9.4, cpe:/a:fasterxml:jackson:2.9.4) : CVE-2018-7489
> > protobuf-java-3.3.0.jar (com.google.protobuf:protobuf-java:3.3.0, cpe:/a:google:protobuf:3.3.0) : CVE-2015-5237
> > commons-beanutils-core-1.8.0.jar (commons-beanutils:commons-beanutils-core:1.8.0, cpe:/a:apache:commons_beanutils:1.8.0) : CVE-2014-0114
> > commons-beanutils-1.7.0.jar (commons-beanutils:commons-beanutils:1.7.0, cpe:/a:apache:commons_beanutils:1.7.0) : CVE-2014-0114
> > commons-httpclient-3.1.jar (commons-httpclient:commons-httpclient:3.1, cpe:/a:apache:commons-httpclient:3.1, cpe:/a:apache:httpclient:3.1) : CVE-2015-5262, CVE-2014-3577
> > javax.annotation-api-1.2.jar (cpe:/a:oracle:glassfish:1.2, javax.annotation:javax.annotation-api:1.2) : CVE-2015-2808, CVE-2013-2566
> > mail-1.4.7.jar (cpe:/a:mail_project:mail:1.4.7, javax.mail:mail:1.4.7) : CVE-2015-9097
> > validation-api-1.1.0.Final.jar (cpe:/a:bean_project:bean:7.x-1.1::~~~drupal~~, javax.validation:validation-api:1.1.0.Final) : CVE-2013-4499
> > jaxb-api-2.2.2.jar (cpe:/a:fish:fish:2.2.2, cpe:/a:oracle:glassfish:2.2.2, javax.xml.bind:jaxb-api:2.2.2) : CVE-2015-2808, CVE-2013-2566
> > pyrolite-4.13.jar (cpe:/a:pickle:pickle:4.13, net.razorvine:pyrolite:4.13) : CVE-2007-1100
> > py4j-0.10.4.jar (cpe:/a:python:python:0.10.4, cpe:/a:python_software_foundation:python:0.10.4, net.sf.py4j:py4j:0.10.4) : CVE-2018-1000030, CVE-2017-18207, CVE-2017-17522, CVE-2017-1000158, CVE-2016-5699, CVE-2016-5636, CVE-2016-1494, CVE-2016-0772, CVE-2015-5652, CVE-2014-7185, CVE-2014-3539, CVE-2013-7440, CVE-2013-7338, CVE-2012-1150, CVE-2012-0845, CVE-2011-4940, CVE-2010-3492, CVE-2008-5983, CVE-2008-3143, CVE-2008-3142, CVE-2008-2315, CVE-2008-1887, CVE-2008-1721, CVE-2008-1679, CVE-2007-4559, CVE-2006-1542, CVE-2002-1119
> > avro-mapred-1.7.7-hadoop2.jar (cpe:/a:apache:hadoop:1.7.7, org.apache.avro:avro-mapred:1.7.7) : CVE-2017-3162, CVE-2017-3161, CVE-2016-5001
> > curator-recipes-2.6.0.jar (cpe:/a:apache:zookeeper:2.6.0, org.apache.curator:curator-recipes:2.6.0) : CVE-2016-5017, CVE-2014-0085
> > api-util-1.0.0-M20.jar (cpe:/a:apache:directory_ldap_api:1.0.0.m30, org.apache.directory.api:api-util:1.0.0-M20) : CVE-2015-3250
> > xbean-asm5-shaded-4.4.jar (cpe:/a:apache:geronimo:4.4) : CVE-2008-0732
> > zookeeper-3.4.6.jar (cpe:/a:apache:zookeeper:3.4.6, org.apache.zookeeper:zookeeper:3.4.6) : CVE-2017-5637, CVE-2016-5017, CVE-2014-0085
> > jackson-xc-1.9.13.jar (cpe:/a:fasterxml:jackson-databind:1.9.13, cpe:/a:fasterxml:jackson:1.9.13, org.codehaus.jackson:jackson-xc:1.9.13) : CVE-2018-5968, CVE-2017-17485
> > jetty-http-9.2.19.v20160908.jar (cpe:/a:eclipse:jetty:9.2.19.v20160908, cpe:/a:jetty:jetty:9.2.19.v20160908, org.eclipse.jetty:jetty-http:9.2.19.v20160908) : CVE-2017-9735
> > jetty-util-6.1.26.jar (cpe:/a:jetty:jetty:6.1.26, cpe:/a:mortbay:jetty:6.1.26, cpe:/a:mortbay_jetty:jetty:6.1.26, org.mortbay.jetty:jetty-util:6.1.26) : CVE-2011-4461
> > unused-1.0.0.jar (cpe:/a:apache:spark:1.0.0, org.spark-project.spark:unused:1.0.0) : CVE-2017-7678
> > xz-1.0.jar (cpe:/a:tukaani:xz:1.0, org.tukaani:xz:1.0) : CVE-2015-4035
> > serializer-2.7.1.jar (cpe:/a:apache:xalan-java:2.7.1, xalan:serializer:2.7.1) : CVE-2014-0107
> > xalan-2.7.1.jar (cpe:/a:apache:xalan-java:2.7.1, xalan:xalan:2.7.1) : CVE-2014-0107
> > xercesImpl-2.9.1.jar (cpe:/a:apache:xerces2_java:2.9.1, xerces:xercesImpl:2.9.1) : CVE-2012-0881
> >
> > htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml (com.fasterxml.jackson.core:jackson-databind:2.4.0, cpe:/a:fasterxml:jackson-databind:2.4.0, cpe:/a:fasterxml:jackson:2.4.0) : CVE-2018-7489, CVE-2018-5968, CVE-2017-7525, CVE-2017-17485, CVE-2017-15095
> >
> > spark-core_2.10-2.2.0.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml (cpe:/a:eclipse:jetty:9.3.11.v20160721, cpe:/a:jetty:jetty:9.3.11.v20160721, org.eclipse.jetty:jetty-plus:9.3.11.v20160721) : CVE-2017-9735
> >
> > Kind regards,
> > Volodymyr Vysotskyi
> >
>
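The scan output quoted in the thread is the raw material a release manager has to triage before deciding whether to block a release. The script below is an added example for this page, not Calcite's or dependency-check's own code; it assumes only the line shape visible in the mail (`<jar or jar/nested/path> (<Maven coordinates and cpe:/ ids>) : <CVE list>`, possibly wrapped by the mail client) and parses a constructed excerpt of that output (three of the quoted findings, py4j's CVE list shortened) into structured findings. It surfaces two things the flat list hides: a finding keyed on a pom.xml nested inside another jar (the htrace-core entry) is a copy shaded into that jar, which a version bump of the top-level dependency does not touch, so the same CVE shows up under two files; and a finding whose CPE product name shares nothing with the jar or artifactId (py4j matched against cpe:/a:python:python) is a candidate false positive from CPE name matching that deserves manual review rather than blanket suppression. The names `parse_findings`, `files_with_cve`, `suspect_cpe_matches` and `summarize` are the example's own.

```python
"""Triage helper for a dependency-check style summary (added example, not project code).

Assumes the shape seen in the mail: one finding per logical line,
  <jar or jar/nested/path> (<comma-separated Maven coords and cpe:/ ids>) : <CVE list>
which the mail client may have wrapped across several physical lines.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the quoted output: three findings, wrapped as in the
# mail, with py4j's CVE list shortened.
SAMPLE_OUTPUT = """\
One or more dependencies were identified with known vulnerabilities in
Calcite Spark:

jackson-databind-2.9.4.jar
(com.fasterxml.jackson.core:jackson-databind:2.9.4,
cpe:/a:fasterxml:jackson-databind:2.9.4, cpe:/a:fasterxml:jackson:2.9.4)
:
CVE-2018-7489
py4j-0.10.4.jar (cpe:/a:python:python:0.10.4,
cpe:/a:python_software_foundation:python:0.10.4,
net.sf.py4j:py4j:0.10.4) :
CVE-2018-1000030, CVE-2017-18207, CVE-2017-17522, CVE-2017-1000158,
CVE-2016-5699
htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
(com.fasterxml.jackson.core:jackson-databind:2.4.0,
cpe:/a:fasterxml:jackson-databind:2.4.0, cpe:/a:fasterxml:jackson:2.4.0)
:
CVE-2018-7489, CVE-2018-5968, CVE-2017-7525, CVE-2017-17485,
CVE-2017-15095
"""

# A finding starts at a token naming a .jar (optionally a path nested inside it)
# that is followed by the parenthesised identifier list.
FINDING_START = re.compile(r"(?<!\S)(?=\S+\.jar(?:/\S*)?\s+\()")
ENTRY = re.compile(r"^(?P<file>\S+)\s+\((?P<ids>[^)]*)\)\s*:\s*(?P<cves>.*)$")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Finding:
    file: str          # jar name, or jar/META-INF/... path for a pom nested in a jar
    coordinates: list  # groupId:artifactId:version strings
    cpes: list         # cpe:/a:vendor:product:version strings
    cves: list         # sorted, de-duplicated CVE ids

    @property
    def nested(self):
        # Keyed on a pom.xml inside another jar: a shaded/bundled copy, which a
        # version bump of the top-level dependency in the pom does not touch.
        return "/META-INF/" in self.file


def parse_findings(text):
    """Undo mail-client wrapping, then cut the text into one Finding per entry."""
    flat = " ".join(line.strip() for line in text.splitlines() if line.strip())
    findings = []
    for chunk in FINDING_START.split(flat):
        m = ENTRY.match(chunk.strip())
        if not m:
            continue  # preamble such as "One or more dependencies were identified..."
        ids = [i.strip() for i in m.group("ids").split(",") if i.strip()]
        findings.append(Finding(
            file=m.group("file"),
            coordinates=[i for i in ids if not i.startswith("cpe:/")],
            cpes=[i for i in ids if i.startswith("cpe:/")],
            cves=sorted(set(CVE_ID.findall(m.group("cves")))),
        ))
    return findings


def files_with_cve(findings, cve):
    """Every file a CVE is reported against, bundled copies included."""
    return [f.file for f in findings if cve in f.cves]


def _name_tokens(s):
    return {t for t in re.split(r"[^a-z0-9]+", s.lower()) if len(t) >= 2 and not t.isdigit()}


def suspect_cpe_matches(findings):
    """Findings whose CPE product shares no name token with the jar or artifactId.

    Heuristic only: a mismatch such as py4j -> cpe:/a:python:python is the usual
    shape of a CPE false positive. These need manual review, not blanket suppression.
    """
    suspects = []
    for f in findings:
        names = _name_tokens(f.file.split("/")[0].rsplit(".jar", 1)[0])
        names |= {t for c in f.coordinates for t in _name_tokens(c.split(":")[1])}
        products = {t for c in f.cpes for t in _name_tokens(c.split(":")[3])}
        if f.cpes and not (names & products):
            suspects.append(f.file)
    return suspects


def summarize(findings):
    """Numbers a release manager wants before deciding whether to block a release."""
    return {
        "findings": len(findings),
        "unique_cves": len({c for f in findings for c in f.cves}),
        "nested": sum(1 for f in findings if f.nested),
        "suspect": len(suspect_cpe_matches(findings)),
    }


if __name__ == "__main__":
    found = parse_findings(SAMPLE_OUTPUT)
    print(summarize(found))
    print("CVE-2018-7489 reported under:", files_with_cve(found, "CVE-2018-7489"))
    print("CPE matches to review:", suspect_cpe_matches(found))
```

Feed it the full quoted output instead of the excerpt and the two nested pom.xml findings at the end of the list are the ones to check against the spark-core upgrade mentioned at the top of the thread: a newer spark-core only helps with a shaded copy if the new jar stops bundling it. The suspect list is a starting point for a suppression file, but each entry should be confirmed against the CVE text before it is suppressed.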

