Date: Fri, 7 Dec 2018 17:06:27 +0300
From: Dmitriy Pavlov <dpavlov@...che.org>
To: user <user@...ite.apache.org>, dev <dev@...ite.apache.org>, 
	"security@...ite.apache.org" <security@...ite.apache.org>, announce@...che.org, 
	oss-security@...ts.openwall.com
Subject: [ANNOUNCE] Apache Ignite 2.7.0 Vulnerable Dependencies Updates

The Apache Ignite Community is pleased to announce that the recently released
Apache Ignite 2.7.0 replaces some vulnerable dependencies with versions that
contain fixes.



Apache Ignite https://ignite.apache.org/ is a memory-centric distributed
database, caching, and processing platform for transactional, analytical,
and streaming workloads delivering in-memory speeds at petabyte scale.



Apache Ignite 2.7 replaced the following dependencies to avoid exposing end
users to vulnerable 3rd party software:



Apache Log4j
  https://nvd.nist.gov/vuln/detail/CVE-2017-5645

FasterXML jackson-databind
  https://nvd.nist.gov/vuln/detail/CVE-2017-15095
  https://nvd.nist.gov/vuln/detail/CVE-2017-17485
  https://nvd.nist.gov/vuln/detail/CVE-2017-7525
  https://nvd.nist.gov/vuln/detail/CVE-2018-5968
  https://nvd.nist.gov/vuln/detail/CVE-2018-7489

Scala
  https://nvd.nist.gov/vuln/detail/CVE-2017-15288

Apache Commons
  https://nvd.nist.gov/vuln/detail/CVE-2015-6420
  https://nvd.nist.gov/vuln/detail/CVE-2015-7501
  https://nvd.nist.gov/vuln/detail/CVE-2017-15708

Netty Project
  https://nvd.nist.gov/vuln/detail/CVE-2016-4970

JCraft
  https://nvd.nist.gov/vuln/detail/CVE-2016-5725

Apache Tomcat
  https://nvd.nist.gov/vuln/detail/CVE-2016-3092
  https://nvd.nist.gov/vuln/detail/CVE-2016-8735
  https://nvd.nist.gov/vuln/detail/CVE-2018-8014

Guava
  https://nvd.nist.gov/vuln/detail/CVE-2018-10237

Apache Camel
  https://nvd.nist.gov/vuln/detail/CVE-2015-5344
  https://nvd.nist.gov/vuln/detail/CVE-2015-5348
  https://nvd.nist.gov/vuln/detail/CVE-2016-8749
  https://nvd.nist.gov/vuln/detail/CVE-2017-12633
  https://nvd.nist.gov/vuln/detail/CVE-2017-12634
  https://nvd.nist.gov/vuln/detail/CVE-2017-3159
  https://nvd.nist.gov/vuln/detail/CVE-2017-5643

Spring Framework
  https://nvd.nist.gov/vuln/detail/CVE-2018-1257
  https://nvd.nist.gov/vuln/detail/CVE-2018-1258

Spring Data Commons
  https://nvd.nist.gov/vuln/detail/CVE-2018-1259
  https://nvd.nist.gov/vuln/detail/CVE-2018-1273

Jetty
  https://nvd.nist.gov/vuln/detail/CVE-2016-4800
  https://nvd.nist.gov/vuln/detail/CVE-2017-9735
  https://nvd.nist.gov/vuln/detail/CVE-2017-7658

Lucene
  https://nvd.nist.gov/vuln/detail/CVE-2017-12629

Mitigation:
•    Upgrade to Apache Ignite 2.7 or a later version



Credit:
Segu Riluvan discovered the usage of vulnerable modules in dependencies of
Apache Ignite.


Thanks to everyone who was involved in the dependency migration.

Best Regards,

Dmitriy Pavlov on behalf of Apache Ignite community
