Hi everyone,
We did not actually have to wait long for the first CVE on Jena 3.17 (current version on Lyo 4.1.0-SNAPSHOT), see below. We will try to fix it by having a dependencyManagement entry for org.apache.thrift:libthrift at 0.14.0, but it’s only a matter of time before this approach fails, and we will be forced to migrate to Jena 4.0 and drop JDK 8 support from the current version of Lyo.
–Andrew.
From:
Snyk bot <notifications@xxxxxxxxxx>
Date: Tuesday, 6 April 2021, W14 at 23:10
To: eclipse/lyo <lyo@xxxxxxxxxxxxxxxxxx>
Cc: Subscribed <subscribed@xxxxxxxxxxxxxxxxxx>
Subject: [eclipse/lyo] [Snyk] Security upgrade org.apache.jena:apache-jena-libs from 3.17.0 to 4.0.0 (#97)
Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.
Changes included in this PR
- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
Vulnerabilities that will be fixed
With an upgrade:
Severity: (not shown)
Priority Score (*): 589/1000 (Why? Has a fix available, CVSS 7.5)
Issue: Denial of Service (DoS), SNYK-JAVA-ORGAPACHETHRIFT-1074898
Upgrade: org.apache.jena:apache-jena-libs: 3.17.0 -> 4.0.0
Breaking Change: Yes
Exploit Maturity: No Known Exploit
(*) Note that the real score may have changed since the PR was raised.
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
You can view, comment on, or merge this pull request online at:
https://github.com/eclipse/lyo/pull/97
Commit Summary
- fix: pom.xml to reduce vulnerabilities
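What the workaround described at the top of the thread looks like in a Maven POM, written here as an added illustration rather than taken from the Lyo repository or from the Snyk PR: a dependencyManagement entry pins the transitive org.apache.thrift:libthrift that apache-jena-libs 3.17.0 brings in, so Maven resolves 0.14.0 instead of the version Jena declares. The surrounding project element, the 3.17.0 Jena dependency and its `<type>pom</type>` declaration are assumptions for the sake of a complete fragment, not a copy of Lyo's pom.xml.

```xml
<project>
  <!-- Added example, not Lyo's actual pom.xml. Only the elements relevant to the pin are shown. -->

  <dependencyManagement>
    <dependencies>
      <!-- Version override for a *transitive* dependency: Maven's dependencyManagement
           wins over the version declared in apache-jena-libs' own POM. The coordinates
           are those named in the Snyk issue; 0.14.0 is the version the message above chooses. -->
      <dependency>
        <groupId>org.apache.thrift</groupId>
        <artifactId>libthrift</artifactId>
        <version>0.14.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The dependency that pulls libthrift in. apache-jena-libs is an aggregator
         published as a POM, hence type=pom (assumed to match the project's usage). -->
    <dependency>
      <groupId>org.apache.jena</groupId>
      <artifactId>apache-jena-libs</artifactId>
      <version>3.17.0</version>
      <type>pom</type>
    </dependency>
  </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=org.apache.thrift` (add `-Dverbose` to see Maven report the version as managed). The check matters because dependencyManagement changes only which version is resolved, not whether the code that calls it is compatible: Jena was built and tested against the libthrift it declares, so a forced newer version can compile cleanly and still fail at runtime if an API it relies on changed, which is why this kind of pin is a stopgap rather than a fix.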