CVE suppression #12535

@AmatyaAvadhanula AmatyaAvadhanula commented May 18, 2022

Suppress

  1. Ambari -> ambari-metrics-common-2.7.0.0.0.jar -> CVE-2021-4104, CVE-2020-9493, CVE-2022-23307, CVE-2022-23305, CVE-2022-23302
     • The CVEs are being suppressed since Ambari hasn't been updated in a long time. Might consider eliminating this dependency in the future.
  2. GSON -> gson-*.jar -> CVE-2022-25647
  3. Jackson -> *jackson-*.jar -> CVE-2020-36518
  4. Jedis -> jedis-2.9.0.jar -> CVE-2021-32626, CVE-2022-24735
     • The Jedis vulnerabilities are due to Lua script execution in Redis. This is not applicable to Druid.
  5. Solr -> solr-solrj-7.7.1.jar -> CVE-2021-44548
     • This CVE only affects Windows and is not applicable to Druid.
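The suppression list above, turned into a small audit a reviewer can run over scanner findings to see what is still open, which suppressions no longer match anything, and which carry no written reason. This is an added example, not Druid's code or its suppression file; the record shape, the sample jar versions and the placeholder CVE-2099-0001 are constructed, and the PR does not say which scanner produces the findings.

```python
import fnmatch
from dataclasses import dataclass

@dataclass
class Suppression:
    jar_glob: str        # jar-name pattern exactly as written in the PR description
    cves: set
    justification: str   # empty where the PR gives no reason for the suppression

# Constructed from the five entries in this PR's description (record shape is assumed).
SUPPRESSIONS = [
    Suppression("ambari-metrics-common-2.7.0.0.0.jar",
                {"CVE-2021-4104", "CVE-2020-9493", "CVE-2022-23307",
                 "CVE-2022-23305", "CVE-2022-23302"},
                "Ambari hasn't been updated in a long time; consider removing the dependency"),
    Suppression("gson-*.jar", {"CVE-2022-25647"}, ""),
    Suppression("*jackson-*.jar", {"CVE-2020-36518"}, ""),
    Suppression("jedis-2.9.0.jar", {"CVE-2021-32626", "CVE-2022-24735"},
                "Lua script execution in Redis; not applicable to Druid"),
    Suppression("solr-solrj-7.7.1.jar", {"CVE-2021-44548"},
                "Only affects Windows; not applicable to Druid"),
]

# Constructed sample scanner findings as (jar, cve) pairs; not from any real scan.
# CVE-2099-0001 is a deliberately fake placeholder for a finding no suppression covers.
FINDINGS = [
    ("ambari-metrics-common-2.7.0.0.0.jar", "CVE-2021-4104"),
    ("gson-2.8.6.jar", "CVE-2022-25647"),
    ("jackson-databind-2.10.5.jar", "CVE-2020-36518"),
    ("jedis-2.9.0.jar", "CVE-2021-32626"),
    ("jedis-2.9.0.jar", "CVE-2099-0001"),
]

def matches(s, jar, cve):
    """A suppression applies when the jar name matches its glob and the CVE is listed."""
    return fnmatch.fnmatchcase(jar, s.jar_glob) and cve in s.cves

def is_suppressed(jar, cve, suppressions=SUPPRESSIONS):
    return any(matches(s, jar, cve) for s in suppressions)

def triage(findings, suppressions=SUPPRESSIONS):
    """Report what still needs attention: findings no suppression covers ('open'),
    suppressions that matched nothing in this scan ('stale', candidates for removal),
    and suppressions carrying no written justification ('undocumented')."""
    open_findings = [f for f in findings if not is_suppressed(*f, suppressions)]
    stale = [s.jar_glob for s in suppressions
             if not any(matches(s, jar, cve) for jar, cve in findings)]
    undocumented = [s.jar_glob for s in suppressions if not s.justification.strip()]
    return {"open": open_findings, "stale": stale, "undocumented": undocumented}
```

Run against the constructed findings, the audit leaves the fake Jedis finding open, reports the Solr entry as stale because nothing in this scan matched it, and flags the GSON and Jackson entries as lacking a recorded reason.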

@cryptoe cryptoe left a comment

LGTM !!

@abhishekagarwal87 abhishekagarwal87 added this to the 0.23.0 milestone May 19, 2022
@abhishekagarwal87 abhishekagarwal87 merged commit 215b90d into apache:master May 19, 2022
@abhishekagarwal87
Thank you @AmatyaAvadhanula. can you also create a backport PR?

AmatyaAvadhanula added a commit to AmatyaAvadhanula/druid that referenced this pull request May 19, 2022
@AmatyaAvadhanula
Thank you @AmatyaAvadhanula. can you also create a backport PR?

@abhishekagarwal87 Please find it at #12543
