
Version of com.google.guava:guava used in 2.6.x contains known security vulnerability #8937

Closed
annacox opened this issue Jan 11, 2019 · 1 comment

Comments

@annacox

annacox commented Jan 11, 2019

Play Version (2.5.x / etc)

2.6.x

API (Scala / Java / Neither / Both)

Scala

Operating System (Ubuntu 15.10 / MacOS 10.10 / Windows 10)

all

JDK (Oracle 1.8.0_72, OpenJDK 1.8.x, Azul Zing)

1.8.0_192

Library Dependencies

com.google.guava:guava

Expected Behavior

The current version of com.google.guava:guava (23.6.1-jre) that is being used by playframework 2.6.21 contains a security vulnerability. See https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-32236 for details. I see that this library has been updated in 2.7.0-RC9 but would it be possible to apply the same update to a stable release for use in production?

@marcospereira
Member

According to Guava 23.6.1 release notes, it has a fix for CVE-2018-10237 (the one reported by Snyk).

I'm closing this since it looks like a false positive from Snyk.
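The triage in the comment above, as an added example (not code from this thread, from Play, or from Guava): a small check that compares the Guava version a build resolves against the release the maintainer cites as carrying the fix, using numeric comparison so that a flavour qualifier such as -jre and a multi-digit component such as 23.10 are not misjudged the way a naive string comparison would. The findings list is constructed sample data.

```python
"""Verify scanner findings against a known fix version (added example)."""
import re
from typing import Dict, List, Tuple

# Per the thread: Guava 23.6.1 carries the fix for CVE-2018-10237.
FIXED_IN = "23.6.1"

def parse_version(v: str) -> Tuple[Tuple[int, ...], str]:
    """Split '23.6.1-jre' into numeric components (23, 6, 1) and
    qualifier 'jre'. Guava ships -jre and -android flavours of the
    same release; the flavour does not change which fixes it contains."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z0-9.]+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, (m.group(2) or "")

def _pad(nums: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    # Treat '23.6' as '23.6.0' so tuples of different length compare cleanly.
    return nums + (0,) * (n - len(nums))

def is_fixed(version: str, fixed_in: str = FIXED_IN) -> bool:
    """True when `version` is at or above the release carrying the fix.
    Only numeric components are compared, so '23.6.1-jre' counts as 23.6.1."""
    a, _ = parse_version(version)
    b, _ = parse_version(fixed_in)
    n = max(len(a), len(b))
    return _pad(a, n) >= _pad(b, n)

def triage(findings: List[Dict[str, str]]) -> Dict[str, str]:
    """Label each finding 'patched' or 'vulnerable' by its fix version."""
    return {
        f"{f['artifact']}:{f['version']}":
            "patched" if is_fixed(f["version"], f["fixed_in"]) else "vulnerable"
        for f in findings
    }

# Constructed sample: the first entry mirrors Play 2.6.21's resolved Guava.
SAMPLE_FINDINGS = [
    {"artifact": "com.google.guava:guava", "version": "23.6.1-jre", "fixed_in": FIXED_IN},
    {"artifact": "com.google.guava:guava", "version": "23.0", "fixed_in": FIXED_IN},
]

if __name__ == "__main__":
    for coord, verdict in triage(SAMPLE_FINDINGS).items():
        print(f"{coord}: {verdict}")
```

Run against your own build's resolved dependency list (for sbt, the output of the dependency-tree plugin) rather than the scanner's guess of the version.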
