amazon-kinesis-producer icon indicating copy to clipboard operation
amazon-kinesis-producer copied to clipboard

Published 20 hours ago verified publisher icon awslabs

Old-old-old version of protobuf

Open HunterSherms opened this issue 6 years ago • 4 comments

KPL uses

<dependency>
            <groupId>com.google.protobuf</groupId>
            <artifactId>protobuf-java</artifactId>
            <version>2.6.1</version>
</dependency>

Which is the version from Oct 22, 2014

Anyone using the newer versions (or anything from the last few years) in their projects is going to have some dependency issues with the KPL.

HunterSherms avatar Sep 05 '18 19:09 HunterSherms

Needs protobuf upgraded to remove CVE. https://nvd.nist.gov/vuln/detail/CVE-2015-5237

enfcyco avatar Jan 18 '19 16:01 enfcyco

Are there plans to update to a newer protobuf-java version? The CVE is tripping up our security scans.

john2x avatar Jul 29 '19 04:07 john2x

This library also pulls in (through core) versions of Jackson and Guava with security issues. It really needs it's dependencies upgraded.

ryber avatar Jul 04 '20 21:07 ryber

Change pending release - https://github.com/awslabs/amazon-kinesis-producer/pull/298/files

ashwing avatar Jul 25 '20 00:07 ashwing