| [cross-project-issues-dev] [Bug 547338] Update to guava 24.1.1+ (fix CVE-2018-10237) |
|
Thanks to Fred Bricon who suggested that I contact this list: >>Usually, guava versions need to be aligned across all Eclipse projects, so you might want to raise the issue in the cross-projects ML My team builds an Eclipse product which includes m2e. Our company policy requires us to scan for CVEs and we found several affecting m2e, including CVE-2018-10237, which m2e is exposed to via dependence on a vulnerable version of guava. m2e is currently using 21.0.0 which is the latest which is currently available in Orbit. The CVE is fixed starting with guava 24.1.1. The latest guava release is 27.1. In order to work around this issue, my team forked m2e locally and updated our fork to use guava 27.0.1 (as mentioned in Bug 547338). I’d like to add guava 27.0.1 or 27.1 (pending compatibility investigation) to orbit so that eclipse projects can switch to a guava that is not vulnerable to any published CVEs. I plan to open a change request with Orbit for this. What else is needed to move this forward in time for 2019-06? |