  1. Apache Avro
  2. AVRO-3111

Update Hadoop versions to prevent false-positive security reports

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.10.1, 1.10.2
    • Fix Version/s: 1.11.0
    • Component/s: java
    • Labels: None
    • Environment: Docker image built on library/buildpack-deps:buster-curl (buildpack-deps (docker.com))

    Description

      When installing avro-tools in a container on a Debian image, my company's image scanner reports CVE-2019-17195:

      Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.

      I see other Apache projects have had this CVE reported and have been fixed, but did not see where this was reported for Apache Avro Tools specifically.
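When triaging a scanner finding like the one described above, it helps to confirm which Nimbus JOSE+JWT version a jar actually bundles. The following is an added example, not part of the original issue or of Avro's code; it assumes the jar retains Maven's `pom.properties` metadata for bundled dependencies, and the helper names and sample jars are constructed for illustration.

```python
import io
import re
import zipfile

FIXED = (7, 9)  # first fixed release per the CVE-2019-17195 text quoted above
# Assumption: the bundling step kept Maven's per-artifact metadata file.
POM_PROPS = "META-INF/maven/com.nimbusds/nimbus-jose-jwt/pom.properties"

def parse_version(text):
    """Turn '7.9' or '4.41.1' into a tuple of ints, stopping at any qualifier."""
    parts = []
    for piece in text.strip().split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)

def bundled_versions(jar_bytes, where="<jar>"):
    """Yield (location, version) per nimbus-jose-jwt copy, descending into nested jars."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(POM_PROPS):
                props = jar.read(name).decode("utf-8", "replace")
                found = re.search(r"^version=(.+)$", props, re.MULTILINE)
                if found:
                    yield f"{where}!{name}", found.group(1).strip()
            elif name.endswith(".jar"):
                yield from bundled_versions(jar.read(name), f"{where}!{name}")

def affected(jar_bytes):
    """Copies older than FIXED; an unparseable version is reported too."""
    return [(loc, ver) for loc, ver in bundled_versions(jar_bytes)
            if parse_version(ver) < FIXED]

def make_jar(entries):
    """Build a constructed sample jar in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed samples; the version numbers are illustrative, not from any Avro release.
OLD_JAR = make_jar({POM_PROPS: b"groupId=com.nimbusds\nversion=4.41.1\n"})
NESTED_OLD = make_jar({"lib/dep.jar": OLD_JAR})
NEW_JAR = make_jar({POM_PROPS: b"groupId=com.nimbusds\nversion=7.9\n"})
```

For a real artifact, pass the file's bytes to `affected()`; an empty list means no bundled copy older than 7.9 was found through this metadata, not that the classes are absent.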

            People

              iemejia Ismaël Mejía
              dday376@yahoo.com David L. Day