calcite-dev mailing list archives

From Michael Mior <mm...@apache.org>
Subject Re: Vulnerabilities in calcite-spark module
Date Mon, 25 Jun 2018 14:06:39 GMT
Thanks for noting this. Agreed with Francis that we should fix before the
release if possible. Hopefully, it's as simple as upgrading the
dependencies and running tests to ensure no breaking changes have been
introduced.
--
Michael Mior
mmior@apache.org



On Mon, 25 Jun 2018 at 06:20, Volodymyr Vysotskyi <volodymyr@apache.org> wrote:

> Hi all,
>
> I found that a check for vulnerabilities among dependencies fails
> for the calcite-spark module.
> The same problem is observed for version 1.16.
>
> Should we block the release until this issue is fixed, or fix it after the
> release in Calcite 1.18?
>
> Output for "mvn install -Ppedantic -DskipTests=true":
> One or more dependencies were identified with known vulnerabilities in
> Calcite Spark:
>
> jackson-databind-2.9.4.jar
> (com.fasterxml.jackson.core:jackson-databind:2.9.4,
> cpe:/a:fasterxml:jackson-databind:2.9.4, cpe:/a:fasterxml:jackson:2.9.4) :
> CVE-2018-7489
> protobuf-java-3.3.0.jar (com.google.protobuf:protobuf-java:3.3.0,
> cpe:/a:google:protobuf:3.3.0) : CVE-2015-5237
> commons-beanutils-core-1.8.0.jar
> (commons-beanutils:commons-beanutils-core:1.8.0,
> cpe:/a:apache:commons_beanutils:1.8.0) : CVE-2014-0114
> commons-beanutils-1.7.0.jar (commons-beanutils:commons-beanutils:1.7.0,
> cpe:/a:apache:commons_beanutils:1.7.0) : CVE-2014-0114
> commons-httpclient-3.1.jar (commons-httpclient:commons-httpclient:3.1,
> cpe:/a:apache:commons-httpclient:3.1, cpe:/a:apache:httpclient:3.1) :
> CVE-2015-5262, CVE-2014-3577
> javax.annotation-api-1.2.jar (cpe:/a:oracle:glassfish:1.2,
> javax.annotation:javax.annotation-api:1.2) : CVE-2015-2808, CVE-2013-2566
> mail-1.4.7.jar (cpe:/a:mail_project:mail:1.4.7, javax.mail:mail:1.4.7) :
> CVE-2015-9097
> validation-api-1.1.0.Final.jar
> (cpe:/a:bean_project:bean:7.x-1.1::~~~drupal~~,
> javax.validation:validation-api:1.1.0.Final) : CVE-2013-4499
> jaxb-api-2.2.2.jar (cpe:/a:fish:fish:2.2.2, cpe:/a:oracle:glassfish:2.2.2,
> javax.xml.bind:jaxb-api:2.2.2) : CVE-2015-2808, CVE-2013-2566
> pyrolite-4.13.jar (cpe:/a:pickle:pickle:4.13, net.razorvine:pyrolite:4.13)
> : CVE-2007-1100
> py4j-0.10.4.jar (cpe:/a:python:python:0.10.4,
> cpe:/a:python_software_foundation:python:0.10.4, net.sf.py4j:py4j:0.10.4) :
> CVE-2018-1000030, CVE-2017-18207, CVE-2017-17522, CVE-2017-1000158,
> CVE-2016-5699, CVE-2016-5636, CVE-2016-1494, CVE-2016-0772, CVE-2015-5652,
> CVE-2014-7185, CVE-2014-3539, CVE-2013-7440, CVE-2013-7338, CVE-2012-1150,
> CVE-2012-0845, CVE-2011-4940, CVE-2010-3492, CVE-2008-5983, CVE-2008-3143,
> CVE-2008-3142, CVE-2008-2315, CVE-2008-1887, CVE-2008-1721, CVE-2008-1679,
> CVE-2007-4559, CVE-2006-1542, CVE-2002-1119
> avro-mapred-1.7.7-hadoop2.jar (cpe:/a:apache:hadoop:1.7.7,
> org.apache.avro:avro-mapred:1.7.7) : CVE-2017-3162, CVE-2017-3161,
> CVE-2016-5001
> curator-recipes-2.6.0.jar (cpe:/a:apache:zookeeper:2.6.0,
> org.apache.curator:curator-recipes:2.6.0) : CVE-2016-5017, CVE-2014-0085
> api-util-1.0.0-M20.jar (cpe:/a:apache:directory_ldap_api:1.0.0.m30,
> org.apache.directory.api:api-util:1.0.0-M20) : CVE-2015-3250
> xbean-asm5-shaded-4.4.jar (cpe:/a:apache:geronimo:4.4) : CVE-2008-0732
> zookeeper-3.4.6.jar (cpe:/a:apache:zookeeper:3.4.6,
> org.apache.zookeeper:zookeeper:3.4.6) : CVE-2017-5637, CVE-2016-5017,
> CVE-2014-0085
> jackson-xc-1.9.13.jar (cpe:/a:fasterxml:jackson-databind:1.9.13,
> cpe:/a:fasterxml:jackson:1.9.13, org.codehaus.jackson:jackson-xc:1.9.13) :
> CVE-2018-5968, CVE-2017-17485
> jetty-http-9.2.19.v20160908.jar (cpe:/a:eclipse:jetty:9.2.19.v20160908,
> cpe:/a:jetty:jetty:9.2.19.v20160908,
> org.eclipse.jetty:jetty-http:9.2.19.v20160908) : CVE-2017-9735
> jetty-util-6.1.26.jar (cpe:/a:jetty:jetty:6.1.26,
> cpe:/a:mortbay:jetty:6.1.26, cpe:/a:mortbay_jetty:jetty:6.1.26,
> org.mortbay.jetty:jetty-util:6.1.26) : CVE-2011-4461
> unused-1.0.0.jar (cpe:/a:apache:spark:1.0.0,
> org.spark-project.spark:unused:1.0.0) : CVE-2017-7678
> xz-1.0.jar (cpe:/a:tukaani:xz:1.0, org.tukaani:xz:1.0) : CVE-2015-4035
> serializer-2.7.1.jar (cpe:/a:apache:xalan-java:2.7.1,
> xalan:serializer:2.7.1) : CVE-2014-0107
> xalan-2.7.1.jar (cpe:/a:apache:xalan-java:2.7.1, xalan:xalan:2.7.1) :
> CVE-2014-0107
> xercesImpl-2.9.1.jar (cpe:/a:apache:xerces2_java:2.9.1,
> xerces:xercesImpl:2.9.1) : CVE-2012-0881
>
> htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
> (com.fasterxml.jackson.core:jackson-databind:2.4.0,
> cpe:/a:fasterxml:jackson-databind:2.4.0, cpe:/a:fasterxml:jackson:2.4.0) :
> CVE-2018-7489, CVE-2018-5968, CVE-2017-7525, CVE-2017-17485, CVE-2017-15095
>
> spark-core_2.10-2.2.0.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml
> (cpe:/a:eclipse:jetty:9.3.11.v20160721,
> cpe:/a:jetty:jetty:9.3.11.v20160721,
> org.eclipse.jetty:jetty-plus:9.3.11.v20160721) : CVE-2017-9735
>
> Kind regards,
> Volodymyr Vysotskyi
>
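
As an added example (not code from the thread or from Calcite), a small Python parser for the dependency-check output quoted above: it groups the CVEs per jar and separates jars that a plain version bump can fix from findings matched against a pom.xml bundled inside another jar, which a bump of the module's own dependencies will not reach. The sample report is constructed from entries in the quoted output; the `Finding`, `parse_report` and `triage` names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: three entries copied from the dependency-check report
# quoted above, the last one nested inside another jar (a bundled pom.xml).
SAMPLE_REPORT = """\
jackson-databind-2.9.4.jar
(com.fasterxml.jackson.core:jackson-databind:2.9.4,
cpe:/a:fasterxml:jackson-databind:2.9.4, cpe:/a:fasterxml:jackson:2.9.4) :
CVE-2018-7489
xbean-asm5-shaded-4.4.jar (cpe:/a:apache:geronimo:4.4) : CVE-2008-0732

htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
(com.fasterxml.jackson.core:jackson-databind:2.4.0,
cpe:/a:fasterxml:jackson-databind:2.4.0, cpe:/a:fasterxml:jackson:2.4.0) :
CVE-2018-7489, CVE-2018-5968, CVE-2017-7525, CVE-2017-17485, CVE-2017-15095
"""

# One finding: "<jar>[/nested/path] (<cpe or g:a:v>, ...) : CVE-..., CVE-..."
ENTRY = re.compile(
    r"(?P<path>\S+\.jar(?:/\S+)?)\s*\((?P<ids>[^)]*)\)\s*:\s*"
    r"(?P<cves>CVE-\d{4}-\d+(?:,\s*CVE-\d{4}-\d+)*)"
)


@dataclass
class Finding:
    jar: str            # jar on the module's classpath
    gav: Optional[str]  # Maven group:artifact:version, if the scanner identified one
    cves: List[str]
    nested: bool        # True when the match is a pom.xml bundled inside the jar


def parse_report(text: str) -> List[Finding]:
    # Entries wrap across lines (and may carry "> " quote prefixes), so flatten first.
    flat = " ".join(line.strip().lstrip("> ") for line in text.splitlines())
    findings = []
    for m in ENTRY.finditer(flat):
        path = m.group("path")
        ids = [i.strip() for i in m.group("ids").split(",")]
        gav = next((i for i in ids if not i.startswith("cpe:/")), None)
        cves = [c.strip() for c in m.group("cves").split(",")]
        findings.append(Finding(path.split("/", 1)[0], gav, cves, "/" in path))
    return findings


def triage(findings: List[Finding]):
    """Jars fixable by a version bump vs. nested copies needing the enclosing jar rebuilt."""
    direct = {f.jar: sorted(set(f.cves)) for f in findings if not f.nested}
    nested = {f.jar: f.gav for f in findings if f.nested}
    return direct, nested
```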
