phoenix-issues mailing list archives

From "Karan Mehta (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PHOENIX-5078) Phoenix depends on Guava 13.0.1 which has CVE-2018-10237
Date Wed, 02 Jan 2019 21:12:00 GMT

    [ https://issues.apache.org/jira/browse/PHOENIX-5078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16732428#comment-16732428 ]

Karan Mehta commented on PHOENIX-5078:
--------------------------------------

[~apurtell] Thoughts?

> Phoenix depends on Guava 13.0.1 which has CVE-2018-10237
> --------------------------------------------------------
>
>                 Key: PHOENIX-5078
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-5078
>             Project: Phoenix
>          Issue Type: Bug
>    Affects Versions: 4.14.1
>            Reporter: Jerry Chabot
>            Priority: Major
>
> Phoenix has a dependency on guava 13.0.1. This cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237
> specifies a vulnerability in Guava 11.0 through 24.x. It is an unbounded memory allocation
> that allows remote attackers to conduct denial of service attacks. Does this apply to Phoenix?
> I want to upgrade our product dependency on Guava. But, doing so had caused problems
> with Phoenix in the past. Currently, our product's Guava dependency has been stuck at Guava
> 15.0 to avoid Phoenix issues.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
