Potential security vulnerability in the zstd C library.Can you help upgrade to patch versions?

[HelenParr]

Hi, @eyalschneider, I'd like to report a vulnerability issue in org.pipecraft.pipes:pipes-core:0.9.1.

Issue Description

I noticed that org.pipecraft.pipes:pipes-core:0.9.1 directly depends on com.github.luben:zstd-jni:v1.4.4-2 in the pom. However, as shown in the following dependency graph, com.github.luben:zstd-jni:v1.4.4-2 sufferes from the vulnerability which the C library zstd(version:1.4.4) exposed: CVE-2021-24032.

Dependency Graph between Java and Shared Libraries

Suggested Vulnerability Patch Versions

com.github.luben:zstd-jni:v1.4.9-1 (>=v1.4.9-1) has upgraded this vulnerable C library zstd to the patch version 1.4.9.

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade this vulnerable dependency?

Thanks for your help~
Best regards,
Helen Parr

[eyalschneider]

Thanks for reporting!
I upgraded zstd-jni version as requested, and the fix will be included in official version 0.92 once deployed to maven central.