Re: [cross-project-issues-dev] [Bug 547338] Update to guava 24.1.1+ (fix CVE-2018-10237)

On Wed, 2019-05-15 at 19:38 +0000, Homer, Tony wrote:
> Thanks to Fred Bricon who suggested that I contact this list:
> >>Usually, guava versions need to be aligned across all Eclipse projects, so you might want to raise the issue in the cross-projects ML 
> My team builds an Eclipse product which includes m2e.
> Our company policy requires us to scan for CVEs and we found several affecting m2e, including CVE-2018-10237, which m2e is exposed to via dependence on a vulnerable version of guava.
> m2e is currently using 21.0.0 which is the latest which is currently available in Orbit.
> The CVE is fixed starting with guava 24.1.1.
> The latest guava release is 27.1.
>  
> In order to work around this issue, my team forked m2e locally and updated our fork to use guava 27.0.1 (as mentioned in Bug 547338).
> I’d like to add guava 27.0.1 or 27.1 (pending compatibility investigation) to orbit so that eclipse projects can switch to a guava that is not vulnerable to any published CVEs.
> I plan to open a change request with Orbit for this.
> What else is needed to move this forward in time for 2019-06?

The Eclipse project expecting to consume the newer Guava, m2e, needs to
file a CQ for this, and it should get marked as mature IP since Guava
21.0 is already shipping in Orbit. From there we could file a bug and
get it into Orbit, and remove the older one(s) from active builds.

Cheers,
-- 
Roland Grunberg
