[lyo-dev] FW: [eclipse/lyo] [Snyk] Security upgrade org.apache.jena:apache-jena-libs from 3.17.0 to 4.0.0 (#97)

Hi everyone,

 

We did not actually have to wait long for the first CVE on Jena 3.17 (current version on Lyo 4.1.0-SNAPSHOT), see below. We will try to fix it by having a dependencyManagement entry for org.apache.thrift:libthrift at 0.14.0, but it's only a matter of time before this approach fails, and we will be forced to migrate to Jena 4.0 and drop JDK 8 support from the current version of Lyo.

 

--

–Andrew.
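The interim fix mentioned above, pinning the transitive org.apache.thrift:libthrift dependency to 0.14.0 from the Lyo pom.xml, would look like the following. This is an added illustration of the standard Maven mechanism, not a patch from the Lyo project; the groupId, artifactId and version come from the message, and the surrounding project coordinates are left out.

```xml
<!-- Added example: override the libthrift version that Jena 3.17.0 pulls in
     transitively. dependencyManagement only changes which version Maven
     resolves; it does not make Jena 3.17.0 API-compatible with libthrift 0.14.0,
     which is why this is a stopgap until the move to Jena 4.0 (as the message
     says). -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.thrift</groupId>
      <artifactId>libthrift</artifactId>
      <version>0.14.0</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<!-- Jena itself stays at the version the message names; libthrift is not
     declared here, so the managed version above wins over Jena's transitive one. -->
<dependencies>
  <dependency>
    <groupId>org.apache.jena</groupId>
    <artifactId>apache-jena-libs</artifactId>
    <version>3.17.0</version>
    <type>pom</type>
  </dependency>
</dependencies>
```

To confirm the override took effect, `mvn dependency:tree -Dincludes=org.apache.thrift:libthrift` should list only libthrift 0.14.0 in the resolved tree; any other version still appearing means a different path introduces it and needs the same treatment.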

 

From: Snyk bot <notifications@xxxxxxxxxx>
Date: Tuesday, 6 April 2021, W14 at 23:10
To: eclipse/lyo <lyo@xxxxxxxxxxxxxxxxxx>
Cc: Subscribed <subscribed@xxxxxxxxxxxxxxxxxx>
Subject: [eclipse/lyo] [Snyk] Security upgrade org.apache.jena:apache-jena-libs from 3.17.0 to 4.0.0 (#97)

 

Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • pom.xml

Vulnerabilities that will be fixed

With an upgrade:

  • Severity: high severity
  • Priority Score (*): 589/1000 (Why? Has a fix available, CVSS 7.5)
  • Issue: Denial of Service (DoS), SNYK-JAVA-ORGAPACHETHRIFT-1074898
  • Upgrade: org.apache.jena:apache-jena-libs: 3.17.0 -> 4.0.0
  • Breaking Change: Yes
  • Exploit Maturity: No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


You can view, comment on, or merge this pull request online at:

  https://github.com/eclipse/lyo/pull/97

Commit Summary

  • fix: pom.xml to reduce vulnerabilities

File Changes

Patch Links:


You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.

