kylin-issues mailing list archives

From "ASF GitHub Bot (Jira)" <j...@apache.org>
Subject [jira] [Commented] (KYLIN-4394) There are several CVEs in the project dependencies
Date Sat, 07 Mar 2020 13:24:00 GMT

    [ https://issues.apache.org/jira/browse/KYLIN-4394?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17054050#comment-17054050 ]

ASF GitHub Bot commented on KYLIN-4394:
---------------------------------------

zhangayqian commented on pull request #1148: KYLIN-4394 Update kylin dependency
URL: https://github.com/apache/kylin/pull/1148
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> There are several CVEs in the project dependencies
> --------------------------------------------------
>
>                 Key: KYLIN-4394
>                 URL: https://issues.apache.org/jira/browse/KYLIN-4394
>             Project: Kylin
>          Issue Type: Bug
>          Components: Security
>            Reporter: XuCongying
>            Assignee: Yaqian Zhang
>            Priority: Major
>         Attachments: apache-kylin_CVE-report.md
>
>
> I noticed some of your libraries contained CVEs. I suggest updating their versions to
> increase the security of your project. The following is the detailed content.
>  * *Vulnerable Library Version:* org.scala-lang : scala-compiler : 2.11.0
>    *CVE ID:* [CVE-2017-15288|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15288]
>    *Import Path:* engine-flink/pom.xml, kylin-it/pom.xml, engine-spark/pom.xml
>    *Suggested Safe Versions:* 2.11.12, 2.12.10, 2.12.4, 2.12.5, 2.12.6, 2.12.7, 2.12.8, 2.12.9, 2.13.0, 2.13.0-M1, 2.13.0-M2, 2.13.0-M3, 2.13.0-M3-f73b161, 2.13.0-M4, 2.13.0-M4-pre-20d3c21, 2.13.0-M5, 2.13.0-M5-1775dba, 2.13.0-M5-5eef812, 2.13.0-M5-6e0cba7, 2.13.0-RC1, 2.13.0-RC2, 2.13.0-RC3, 2.13.1
>  * *Vulnerable Library Version:* org.apache.tomcat : tomcat-catalina : 7.0.91
>    *CVE ID:* [CVE-2016-8735|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735], [CVE-2019-0232|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232], [CVE-2016-6794|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6794], [CVE-2016-6816|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816], [CVE-2016-8745|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8745], [CVE-2019-17563|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563]
>    *Import Path:* tomcat-ext/pom.xml, server/pom.xml, server-base/pom.xml
>    *Suggested Safe Versions:* 10.0.0-M1, 7.0.100, 9.0.30, 9.0.31
>  * *Vulnerable Library Version:* com.h2database : h2 : 1.4.196
>    *CVE ID:* [CVE-2018-10054|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10054], [CVE-2018-14335|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14335]
>    *Import Path:* server/pom.xml, kylin-it/pom.xml, source-jdbc/pom.xml, source-hive/pom.xml, datasource-sdk/pom.xml
>    *Suggested Safe Versions:* 1.4.198, 1.4.199, 1.4.200
>  * *Vulnerable Library Version:* com.google.guava : guava : 14.0
>    *CVE ID:* [CVE-2018-10237|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237]
>    *Import Path:* core-storage/pom.xml, stream-receiver/pom.xml, server/pom.xml, core-cube/pom.xml, core-metadata/pom.xml, jdbc/pom.xml, tool-assembly/pom.xml, core-metrics/pom.xml
>    *Suggested Safe Versions:* 24.1.1-android, 24.1.1-jre, 25.0-android, 25.0-jre, 25.1-android, 25.1-jre, 26.0-android, 26.0-jre, 27.0-android, 27.0-jre, 27.0.1-android, 27.0.1-jre, 27.1-android, 27.1-jre, 28.0-android, 28.0-jre, 28.1-android, 28.1-jre, 28.2-android, 28.2-jre
>  * *Vulnerable Library Version:* org.apache.hive.hcatalog : hive-hcatalog-core : 1.2.1
>    *CVE ID:* [CVE-2015-7521|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521]
>    *Import Path:* metrics-reporter-hive/pom.xml, assembly/pom.xml, server/pom.xml, kylin-it/pom.xml, source-jdbc/pom.xml, source-hive/pom.xml, server-base/pom.xml
>    *Suggested Safe Versions:* 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
>  * *Vulnerable Library Version:* org.apache.spark : spark-core_2.11 : 2.3.2
>    *CVE ID:* [CVE-2017-7678|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7678], [CVE-2018-3826|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3826], [CVE-2018-11770|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11770], [CVE-2019-10099|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10099]
>    *Import Path:* server/pom.xml, kylin-it/pom.xml, engine-spark/pom.xml, storage-hbase/pom.xml
>    *Suggested Safe Versions:* 2.4.5
>  * *Vulnerable Library Version:* org.apache.kafka : kafka_2.11 : 1.0.0
>    *CVE ID:* [CVE-2018-1288|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1288], [CVE-2019-17196|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17196]
>    *Import Path:* assembly/pom.xml, source-kafka/pom.xml, kylin-it/pom.xml, stream-source-kafka/pom.xml, metrics-reporter-kafka/pom.xml
>    *Suggested Safe Versions:* 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0
>  * *Vulnerable Library Version:* org.apache.hive : hive-jdbc : 1.2.1
>    *CVE ID:* [CVE-2016-3083|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083], [CVE-2015-7521|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521], [CVE-2018-1282|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1282]
>    *Import Path:* server/pom.xml, source-jdbc/pom.xml, source-hive/pom.xml
>    *Suggested Safe Versions:* 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
>  * *Vulnerable Library Version:* org.apache.hadoop : hadoop-hdfs : 2.7.1
>    *CVE ID:* [CVE-2016-5001|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5001], [CVE-2018-11768|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11768]
>    *Import Path:* metrics-reporter-hive/pom.xml, assembly/pom.xml, stream-core/pom.xml, stream-receiver/pom.xml, server/pom.xml, kylin-it/pom.xml, engine-mr/pom.xml, storage-hbase/pom.xml
>    *Suggested Safe Versions:* 2.10.0, 2.8.5, 2.9.2, 3.1.2, 3.1.3, 3.2.0, 3.2.1
>  * *Vulnerable Library Version:* org.springframework : spring-core : 4.3.10.RELEASE
>    *CVE ID:* [CVE-2018-1272|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1272]
>    *Import Path:* tool/pom.xml
>    *Suggested Safe Versions:* 4.3.15.RELEASE, 4.3.16.RELEASE, 4.3.17.RELEASE, 4.3.18.RELEASE, 4.3.19.RELEASE, 4.3.20.RELEASE, 4.3.21.RELEASE, 4.3.22.RELEASE, 4.3.23.RELEASE, 4.3.24.RELEASE, 4.3.25.RELEASE, 4.3.26.RELEASE, 5.0.10.RELEASE, 5.0.11.RELEASE, 5.0.12.RELEASE, 5.0.13.RELEASE, 5.0.14.RELEASE, 5.0.15.RELEASE, 5.0.16.RELEASE, 5.0.5.RELEASE, 5.0.6.RELEASE, 5.0.7.RELEASE, 5.0.8.RELEASE, 5.0.9.RELEASE, 5.1.0.RELEASE, 5.1.1.RELEASE, 5.1.10.RELEASE, 5.1.11.RELEASE, 5.1.12.RELEASE, 5.1.13.RELEASE, 5.1.2.RELEASE, 5.1.3.RELEASE, 5.1.4.RELEASE, 5.1.5.RELEASE, 5.1.6.RELEASE, 5.1.7.RELEASE, 5.1.8.RELEASE, 5.1.9.RELEASE, 5.2.0.RELEASE, 5.2.1.RELEASE, 5.2.2.RELEASE, 5.2.3.RELEASE
>  * *Vulnerable Library Version:* com.fasterxml.jackson.core : jackson-databind : 2.9.5
>    *CVE ID:* [CVE-2019-16335|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16335], [CVE-2019-12814|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814], [CVE-2018-19362|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362], [CVE-2018-19360|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360], [CVE-2019-14439|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439], [CVE-2019-16943|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943], [CVE-2019-14379|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379], [CVE-2019-14540|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540], [CVE-2019-17267|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17267], [CVE-2018-12023|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12023], [CVE-2020-8840|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8840], [CVE-2019-20330|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20330], [CVE-2019-12384|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384], [CVE-2019-12086|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086], [CVE-2018-14720|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14720], [CVE-2018-14721|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721], [CVE-2018-14719|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14719], [CVE-2019-17531|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531], [CVE-2018-14718|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14718], [CVE-2018-11307|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11307], [CVE-2018-19361|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361], [CVE-2019-16942|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942]
>    *Import Path:* core-common/pom.xml, stream-receiver/pom.xml
>    *Suggested Safe Versions:* 2.10.0, 2.10.1, 2.10.2, 2.9.10.3
>  * *Vulnerable Library Version:* org.springframework.security : spring-security-core : 4.2.3.RELEASE
>    *CVE ID:* [CVE-2019-3795|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3795], [CVE-2019-11272|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11272]
>    *Import Path:* stream-receiver/pom.xml
>    *Suggested Safe Versions:* 4.2.13.RELEASE, 4.2.14.RELEASE, 5.0.12.RELEASE, 5.0.13.RELEASE, 5.0.14.RELEASE, 5.1.5.RELEASE, 5.1.6.RELEASE, 5.1.7.RELEASE, 5.1.8.RELEASE, 5.2.0.RELEASE, 5.2.1.RELEASE, 5.2.2.RELEASE
>  * *Vulnerable Library Version:* org.apache.hadoop : hadoop-common : 2.7.1
>    *CVE ID:* [CVE-2016-5393|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5393], [CVE-2018-8009|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009], [CVE-2016-6811|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6811], [CVE-2017-15718|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15718], [CVE-2016-3086|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3086], [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713], [CVE-2018-8029|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029]
>    *Import Path:* core-storage/pom.xml, tomcat-ext/pom.xml...(The rest of the 33 paths is hidden.)
>    *Suggested Safe Versions:* 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
>  * *Vulnerable Library Version:* org.apache.httpcomponents : httpclient : 4.2.5
>    *CVE ID:* [CVE-2014-3577|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3577], [CVE-2015-5262|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5262]
>    *Import Path:* core-common/pom.xml, jdbc/pom.xml
>    *Suggested Safe Versions:* 4.3.6, 4.4, 4.4-alpha1, 4.4-beta1, 4.4.1, 4.5, 4.5.1, 4.5.10, 4.5.11, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 4.5.7, 4.5.8, 4.5.9
>  * *Vulnerable Library Version:* org.springframework : spring-webmvc : 4.3.10.RELEASE
>    *CVE ID:* [CVE-2018-15756|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15756], [CVE-2018-1271|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1271], [CVE-2018-1199|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1199]
>    *Import Path:* stream-receiver/pom.xml, server-base/pom.xml
>    *Suggested Safe Versions:* 4.3.20.RELEASE, 4.3.21.RELEASE, 4.3.22.RELEASE, 4.3.23.RELEASE, 4.3.24.RELEASE, 4.3.25.RELEASE, 4.3.26.RELEASE, 5.0.16.RELEASE, 5.1.13.RELEASE, 5.2.3.RELEASE
>  * *Vulnerable Library Version:* org.apache.hadoop : hadoop-mapreduce-client-core : 2.7.1
>    *CVE ID:* [CVE-2017-3166|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3166]
>    *Import Path:* engine-flink/pom.xml, server/pom.xml, kylin-it/pom.xml, engine-mr/pom.xml
>    *Suggested Safe Versions:* 2.10.0, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.9.0, 2.9.1, 2.9.2, 3.0.0-alpha4, 3.0.0-beta1, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
>  * *Vulnerable Library Version:* org.apache.commons : commons-compress : 1.18
>    *CVE ID:* [CVE-2019-12402|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402]
>    *Import Path:* core-common/pom.xml
>    *Suggested Safe Versions:* 1.19, 1.20
>  * *Vulnerable Library Version:* org.eclipse.jetty : jetty-server : 9.3.22.v20171030
>    *CVE ID:* [CVE-2017-7656|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7656], [CVE-2019-10247|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247], [CVE-2017-7657|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657], [CVE-2017-7658|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658], [CVE-2018-12536|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536]
>    *Import Path:* stream-receiver/pom.xml, server/pom.xml, server-base/pom.xml
>    *Suggested Safe Versions:* 10.0.0-alpha0, 10.0.0.alpha1, 9.4.17.v20190418, 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.24.v20191120, 9.4.25.v20191220, 9.4.26.v20200117
>  * *Vulnerable Library Version:* mysql : mysql-connector-java : 5.1.8
>    *CVE ID:* [CVE-2019-2692|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2692], [CVE-2017-3523|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3523], [CVE-2017-3589|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589]
>    *Import Path:* core-common/pom.xml, server/pom.xml, kylin-it/pom.xml
>    *Suggested Safe Versions:* 8.0.16, 8.0.17, 8.0.18, 8.0.19
>  * *Vulnerable Library Version:* org.postgresql : postgresql : 42.1.1
>    *CVE ID:* [CVE-2018-10936|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10936]
>    *Import Path:* datasource-sdk/pom.xml
>    *Suggested Safe Versions:* 42.2.10, 42.2.10.jre6, 42.2.10.jre7, 42.2.5, 42.2.5.jre6, 42.2.5.jre7, 42.2.6, 42.2.6.jre6, 42.2.6.jre7, 42.2.7, 42.2.7.jre6, 42.2.7.jre7, 42.2.8, 42.2.8.jre6, 42.2.8.jre7, 42.2.9, 42.2.9.jre6, 42.2.9.jre7
>  * *Vulnerable Library Version:* xerces : xercesImpl : 2.11.0
>    *CVE ID:* [CVE-2012-0881|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881], [CVE-2013-4002|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002]
>    *Import Path:* kylin-it/pom.xml
>    *Suggested Safe Versions:* 2.12.0



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
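The report quoted above gives, for each flagged artifact, the vulnerable version and a long list of "suggested safe versions" that mixes GA releases with milestones, release candidates and alphas, and it only names the poms that declare the artifact directly. The following is an added example (not code from the Kylin project or from the reporter) of how a maintainer could triage such a list against a pom.xml: pick the lowest GA release on the same major.minor line as the least disruptive upgrade, resolve `${property}` versions the way Kylin's poms declare them, and flag dependencies still at or below the vulnerable version. The findings subset, the property names and the pom fragment are constructed for the example; the version-ordering rule is a simplification of Maven's and the pre-release markers are those that appear in the report.

```python
"""Triage a dependency CVE report of the KYLIN-4394 kind against a pom.xml.
Added example, not Kylin project code."""
import re
import xml.etree.ElementTree as ET

# Constructed subset of the findings quoted in the issue:
# coordinate -> (vulnerable version, suggested safe versions as the report lists them).
FINDINGS = {
    "org.springframework:spring-core": (
        "4.3.10.RELEASE", ["4.3.15.RELEASE", "4.3.16.RELEASE", "5.0.5.RELEASE", "5.2.3.RELEASE"]),
    "com.fasterxml.jackson.core:jackson-databind": ("2.9.5", ["2.10.0", "2.10.1", "2.10.2", "2.9.10.3"]),
    "org.eclipse.jetty:jetty-server": (
        "9.3.22.v20171030", ["10.0.0-alpha0", "10.0.0.alpha1", "9.4.17.v20190418", "9.4.26.v20200117"]),
    "org.apache.tomcat:tomcat-catalina": ("7.0.91", ["10.0.0-M1", "7.0.100", "9.0.30", "9.0.31"]),
    "org.apache.hadoop:hadoop-hdfs": ("2.7.1", ["2.10.0", "2.8.5", "2.9.2", "3.1.2", "3.2.1"]),
    "org.scala-lang:scala-compiler": ("2.11.0", ["2.11.12", "2.12.10", "2.13.0-M1", "2.13.0-RC1", "2.13.1"]),
    "org.apache.httpcomponents:httpclient": ("4.2.5", ["4.3.6", "4.4", "4.4-alpha1", "4.4-beta1", "4.5.11"]),
}

# Pre-release markers seen in the report's lists; these are not upgrade targets.
PRERELEASE = re.compile(r"(?i)(alpha|beta|[.-]m\d|[.-]rc\d|-pre)")


def version_key(version):
    """Sort key for Maven-style versions: numeric tokens compare numerically
    (so 7.0.100 > 7.0.91 and 2.10.0 > 2.9.2); other tokens sort after numbers."""
    return tuple((0, int(t), "") if t.isdigit() else (1, 0, t)
                 for t in re.split(r"[.\-]", version))


def numeric_parts(version):
    """[major, minor] of a version, zero-padded so both always exist."""
    nums = [int(t) for t in re.split(r"[.\-]", version) if t.isdigit()]
    return (nums + [0, 0])[:2]


def pick_upgrade(vulnerable, safe_versions):
    """Lowest GA safe version on the same major.minor line, else same major,
    else lowest overall; None if the list holds no GA release at all."""
    ga = [v for v in safe_versions if not PRERELEASE.search(v)]
    major, minor = numeric_parts(vulnerable)
    for matches in (lambda v: numeric_parts(v) == [major, minor],
                    lambda v: numeric_parts(v)[0] == major,
                    lambda v: True):
        candidates = [v for v in ga if matches(v)]
        if candidates:
            return min(candidates, key=version_key)
    return None


def _local(tag):
    # "{http://maven.apache.org/POM/4.0.0}dependency" -> "dependency"
    return tag.rsplit("}", 1)[-1]


def audit_pom(pom_xml, findings=FINDINGS):
    """(coordinate, declared version, status, suggested target) for every
    <dependency> in the pom that the report flags. ${property} references are
    resolved from <properties>; a dependency without <version> is 'managed'."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for block in root.iter() if _local(block.tag) == "properties" for p in block}
    results = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        coord = f"{fields.get('groupId', '')}:{fields.get('artifactId', '')}"
        if coord not in findings:
            continue
        vulnerable, safe = findings[coord]
        declared = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)),
                          fields.get("version", ""))
        if not declared:
            status = "managed"      # version comes from a parent pom or BOM: check there
        elif declared in safe:
            status = "ok"
        elif version_key(declared) <= version_key(vulnerable):
            status = "vulnerable"
        else:
            status = "unlisted"     # newer than the flagged version but not in the safe list: verify by hand
        results.append((coord, declared, status, pick_upgrade(vulnerable, safe)))
    return results


# Constructed pom fragment in the shape of Kylin's (versions set via properties).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <spring.framework.version>4.3.10.RELEASE</spring.framework.version>
    <jackson.version>2.9.5</jackson.version>
  </properties>
  <dependencies>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-core</artifactId>
      <version>${spring.framework.version}</version></dependency>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version></dependency>
    <dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-server</artifactId>
      <version>9.4.26.v20200117</version></dependency>
    <dependency><groupId>org.apache.hadoop</groupId><artifactId>hadoop-hdfs</artifactId></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for coord, declared, status, target in audit_pom(SAMPLE_POM):
        print(f"{coord:45} {declared or '-':20} {status:10} -> {target}")
```

Two caveats a reviewer of the pull request would keep in mind. The scanner's safe list is a snapshot, so a declared version that is newer than the flagged one but absent from the list is reported as "unlisted" rather than assumed fixed. And a pom grep only sees direct declarations; an artifact like hadoop-common, which the report says reaches Kylin through 33 paths, also arrives transitively, so the resolved version has to be confirmed with `mvn dependency:tree` on the built modules rather than by reading the poms.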
