[ZOOKEEPER-4644] Update 3rd party library versions before release 3.6.4 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.6.3
Fix Version/s: 3.6.4
Component/s: None
Labels:
- pull-request-available

Description

The last 3.6 release happened long time ago and before releasing 3.6.4, we need to make sure that no 3rd party libraries has any CVE issues. I run CVE checks and compared the 3pp library versions between the active branches and plan to update some libraries.

mvn clean package -DskipTests dependency-check:check

(...)

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project zookeeper: 
[ERROR] 
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0': 
[ERROR] 
[ERROR] commons-cli-1.2.jar: CVE-2021-37533(6.5)
[ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5), CVE-2022-42004(7.5)
[ERROR] jetty-io-9.4.43.v20210629.jar: CVE-2022-2047(2.7), CVE-2022-2048(7.5)
[ERROR] jetty-server-9.4.43.v20210629.jar: CVE-2022-2047(2.7), CVE-2022-2048(7.5)
[ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-24823(5.5)

beside these we might need to update some maven plugins.

Attachments

Issue Links

is blocked by

ZOOKEEPER-4627 High CVE-2022-2048 in jetty-*-9.4.46.v20220331.jar fixed in 9.4.47

Closed

ZOOKEEPER-4645 Backport ZOOKEEPER-3941 (commons-cli upgrade) to branch-3.6

Closed

links to

GitHub Pull Request #1956

GitHub Pull Request #1957

Activity

People

Assignee:: Mate Szalay-Beko

Reporter:: Mate Szalay-Beko

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 08/Dec/22 10:38

Updated:: 09/Oct/23 11:20

Resolved:: 13/Dec/22 08:59

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

1h 40m