Re: [cross-project-issues-dev] [Bug 547338] Update to guava 24.1.1+ (fix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [cross-project-issues-dev] [Bug 547338] Update to guava 24.1.1+ (fix CVE-2018-10237)

From: Ed Merks <ed.merks@xxxxxxxxx>
Date: Thu, 16 May 2019 07:19:13 +0200
Delivered-to: cross-project-issues-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/cross-project-issues-dev>
List-help: <mailto:cross-project-issues-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev>, <mailto:cross-project-issues-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/cross-project-issues-dev>, <mailto:cross-project-issues-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1

This affects quite a few projects (Xtext comes to mind) and we know from past experience that shipping multiple versions of a library that's mostly resolved using package requirements (rather than bundle requirements) can result in problematic wiring resolutions. So generally we've tried to ensure that there is only one version of such a bundle in the release train repo. This seems to suggest that all projects contributing to the release train (and contributing Guava) all ought to use/contribute the same version of Guava and should all test that this works (or even compiles for that matter because Guava has a history of deleting things).

Xtext's releases don't totally line up with those of the release train, so certainly a general move requiring all projects that contribute Guava to the release train all moving to a new version seems problematic; I think Xtext would need to plan a new release for this. And this seems like short notice to me...

On 15.05.2019 21:38, Homer, Tony wrote:

Thanks to Fred Bricon who suggested that I contact this list:

>>Usually, guava versions need to be aligned across all Eclipse projects, so you might want to raise the issue in the cross-projects ML

My team builds an Eclipse product which includes m2e.

Our company policy requires us to scan for CVEs and we found several affecting m2e, including CVE-2018-10237, which m2e is exposed to via dependence on a vulnerable version of guava.

m2e is currently using 21.0.0 which is the latest which is currently available in Orbit.

The CVE is fixed starting with guava 24.1.1.

The latest guava release is 27.1.

In order to work around this issue, my team forked m2e locally and updated our fork to use guava 27.0.1 (as mentioned in Bug 547338).

I’d like to add guava 27.0.1 or 27.1 (pending compatibility investigation) to orbit so that eclipse projects can switch to a guava that is not vulnerable to any published CVEs.

I plan to open a change request with Orbit for this.

What else is needed to move this forward in time for 2019-06?
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev

Follow-Ups:
- Re: [cross-project-issues-dev] [Bug 547338] Update to guava 24.1.1+(fix CVE-2018-10237)
  - From: Christian Dietrich

References:
- [cross-project-issues-dev] [Bug 547338] Update to guava 24.1.1+ (fix CVE-2018-10237)
  - From: Homer, Tony

Prev by Date: Re: [cross-project-issues-dev] [Bug 547338] Update to guava 24.1.1+ (fix CVE-2018-10237)
Next by Date: Re: [cross-project-issues-dev] [Bug 547338] Update to guava 24.1.1+(fix CVE-2018-10237)
Previous by thread: Re: [cross-project-issues-dev] [Bug 547338] Update to guava 24.1.1+ (fix CVE-2018-10237)
Next by thread: Re: [cross-project-issues-dev] [Bug 547338] Update to guava 24.1.1+(fix CVE-2018-10237)
Index(es):
- Date
- Thread

Breadcrumbs