
Whitesource vulnerabilities in eureka-client and eureka-server #1387

Open
AmitAmar opened this issue Apr 11, 2021 · 3 comments

Comments

@AmitAmar

Hi,

We are using eureka-client and eureka-server (version: 1.10.13) and we saw some vulnerabilities in your jars:

log4j-1.2.16.jar
jackson-dataformat-cbor-2.6.7.jar
xstream-1.4.15.jar

Do you know when those vulnerabilities will be fixed?

Thanks and have a nice day,

Amit.

@troshko111
Contributor

xstream updated, PRs welcome for the other two.

@AmitAmar
Author

AmitAmar commented Apr 22, 2021

Done :)

#1388

Thank you!

@kkrakovych

Hi Team,

I would like to create a new patch to address the issue, because eureka-server still has log4j-1.2.16.jar and jackson-dataformat-cbor-2.6.7.jar.

I would like to upgrade all slf4j libraries to 1.7.35 (to get rid of log4j-1.2.16), upgrade all jackson libraries to 2.11.4 plus explicitly specify jackson-dataformat-cbor version (2.6.7 arrives from aws-java-sdk-core).

Any objection?

Best regards,
Kostyantyn
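A quick way to confirm whether a built eureka-server lib directory still carries the jars discussed in this thread. This is an added example, not code from the eureka project: the jar names and the lib listing are constructed, the minimum versions (jackson 2.11.4, slf4j 1.7.35) are the ones proposed above, and treating any log4j 1.x jar as something to remove rather than upgrade is a generalisation of the thread's goal of getting rid of log4j-1.2.16.

```python
import re
from typing import Dict, List, Tuple

# Minimum versions proposed in the thread (assumed here to apply to every
# artifact with the given prefix, e.g. jackson-core, jackson-dataformat-cbor).
MIN_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "jackson-": (2, 11, 4),
    "slf4j-": (1, 7, 35),
}
# The thread's goal for log4j is removal, not upgrade: any log4j 1.x jar is
# reported (generalised from the log4j-1.2.16.jar named in the issue).
REMOVE_MAJOR: Dict[str, int] = {"log4j": 1}

# 'jackson-dataformat-cbor-2.6.7.jar' -> artifact + dotted numeric version
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)*)(?:[-.].*)?\.jar$")


def parse_jar(name: str) -> Tuple[str, Tuple[int, ...]]:
    """Split a jar filename into (artifact, version tuple)."""
    m = JAR_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised jar name: {name}")
    version = tuple(int(p) for p in m.group("version").split("."))
    return m.group("artifact"), version


def audit_jars(jar_names: List[str]) -> List[str]:
    """Return one finding per jar that is below its minimum or slated for removal."""
    findings = []
    for name in jar_names:
        artifact, version = parse_jar(name)
        if artifact in REMOVE_MAJOR and version[0] == REMOVE_MAJOR[artifact]:
            findings.append(f"{name}: remove (log4j 1.x should no longer be pulled in)")
            continue
        for prefix, minimum in MIN_VERSIONS.items():
            if artifact.startswith(prefix) and version < minimum:
                wanted = ".".join(str(p) for p in minimum)
                findings.append(f"{name}: below minimum {wanted}")
    return findings


# Constructed sample of a WEB-INF/lib listing, not a real eureka-server build.
SAMPLE_LIB = [
    "log4j-1.2.16.jar",
    "jackson-dataformat-cbor-2.6.7.jar",
    "jackson-core-2.11.4.jar",
    "slf4j-api-1.7.35.jar",
]

if __name__ == "__main__":
    for finding in audit_jars(SAMPLE_LIB):
        print(finding)
```

Run it against `ls WEB-INF/lib` output from the actual war to see which of the proposed upgrades have landed in a given build.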

kkrakovych added a commit to kkrakovych/eureka that referenced this issue Feb 13, 2022
Whitesource vulnerabilities in eureka-client and eureka-server (Netflix#1387)