Conversation

@justinchuch
Contributor

CVE-2018-11771

According to sourceclear:

https://www.sourceclear.com/vulnerability-database/security/denial-of-service-dos-/java/sid-7319

commons-compress is vulnerable to denial of service (DoS) attacks.

Although it looks like hadoop-gremlin does not use the library directly, it still may be worth upgrading.

Ran `docker/build.sh -t -i` locally, and the Reactor Summary reports BUILD SUCCESS.

@spmallette
Contributor

VOTE +1

@robertdale
Member

VOTE +0
I'm not against the change, but in the grand scheme of things it does very little. Between spark-, sparql-, and hadoop-gremlin, there are multiple high and medium severity issues. Unfortunately, the versions we use or their transitive dependencies aren't really maintained anymore, hence the difficulty, even impossibility, in trying to update any of them.

@spmallette
Contributor

That's a decent point. Let's consider that thinking for future PRs of this nature. I hope we can make a big upgrade on these spark/hadoop dependencies in 3.5.0. I didn't realize the sparql stuff was heavily dated; that might be resolved more easily prior to 3.5.0 (unless you already tried, @robertdale).

@justinchuch
Contributor Author

Agree. If possible, perhaps define a list of supported libraries that should be kept maintained?

@spmallette spmallette merged commit 54cf91d into apache:tp33 Sep 30, 2019
spmallette added a commit that referenced this pull request Sep 30, 2019
@justinchuch justinchuch deleted the CVE-2018-11771-tp33 branch September 30, 2019 16:09