
[Vulnerable] upgrade opencv

Open Le-Zheng opened this issue 2 years ago • 3 comments

Issue Description

com.intel.analytics.bigdl:bigdl directly or transitively depends on 11 C libraries (.so). However, I noticed that some C libraries are vulnerable, containing the following CVEs:

libopencv_java320.so from C project opencv (version: 3.2.0) exposed 18 vulnerabilities: CVE-2019-15939, CVE-2019-14491, CVE-2019-14493, CVE-2019-14492, CVE-2017-1000450, CVE-2017-12863, CVE-2017-12862, CVE-2017-12864, CVE-2017-12604, CVE-2017-12597, CVE-2017-12606, CVE-2017-12605, CVE-2017-12598, CVE-2017-12600, CVE-2017-12599, CVE-2017-12602, CVE-2017-12601, CVE-2017-12603

Solution

Possible steps:

  1. Install opencv 4.2.0 (wget https://github.com/opencv/opencv/archive/4.2.0.tar.gz) on the release environment
  2. Replace the dependency in pom.xml: https://github.com/intel-analytics/BigDL-core/blob/master/opencv/opencv-java-x86_64-linux/pom.xml#L17-L20
  3. Compile and run mvn test UT
  4. Release bigdl-core 2.1.0-snapshot
  5. Update the bigdl-core version in BigDL-dllib. Finish the whole BigDL jenkins test

Release on mac when mac machine is recovered.

Le-Zheng avatar Apr 28 '22 05:04 Le-Zheng
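A check that fits after step 5 of the procedure above (or for auditing the published jar): it opens a jar and flags every bundled libopencv_java*.so whose version is older than the 4.2.0 the issue upgrades to. This is an added example, not code from the issue or from the BigDL-core project; the jar entry paths and file contents are constructed for the demonstration and do not reflect BigDL's real layout.

```python
import io
import re
import zipfile

# OpenCV's Java binding names its native library libopencv_java<digits>.so,
# e.g. libopencv_java320.so for 3.2.0 (the vulnerable build named in the issue)
# and libopencv_java420.so for 4.2.0. Newer releases can have more digits
# (libopencv_java4100.so for 4.10.0), so the regex accepts three or more.
NATIVE_RE = re.compile(r"(?:^|/)libopencv_java(\d{3,})\.(?:so|dylib)$")

# Version the issue proposes to upgrade to.
FIXED_VERSION = (4, 2, 0)


def parse_opencv_version(digits):
    """'320' -> (3, 2, 0); '4100' -> (4, 10, 0). First digit is major, last is patch."""
    return (int(digits[0]), int(digits[1:-1]), int(digits[-1]))


def opencv_versions_in_jar(jar_bytes):
    """Return {entry_path: (major, minor, patch)} for every bundled OpenCV Java native lib."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = NATIVE_RE.search(name)
            if m:
                found[name] = parse_opencv_version(m.group(1))
    return found


def outdated_opencv_libs(jar_bytes, fixed=FIXED_VERSION):
    """Sorted entry paths whose bundled OpenCV is older than the fixed version."""
    return sorted(p for p, v in opencv_versions_in_jar(jar_bytes).items() if v < fixed)


def build_sample_jar(entries):
    """Constructed sample: an in-memory jar with the given entry names and dummy contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"\x7fELF-placeholder")
    return buf.getvalue()


# Constructed sample jar: one old and one upgraded OpenCV lib plus an unrelated .so.
SAMPLE_JAR = build_sample_jar([
    "META-INF/MANIFEST.MF",
    "opencv/linux-x86_64/libopencv_java320.so",
    "opencv/linux-x86_64/libopencv_java420.so",
    "mkl/linux-x86_64/libiomp5.so",
])

if __name__ == "__main__":
    for path in outdated_opencv_libs(SAMPLE_JAR):
        print("outdated OpenCV native library:", path)
```

To audit a real artifact, pass the bytes of the downloaded bigdl-core jar instead of SAMPLE_JAR.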

do we need to release bigdl-core 2.0.1 which will be used by bigdl 2.0.1?

glorysdj avatar Apr 28 '22 05:04 glorysdj

> do we need to release bigdl-core 2.0.1 which will be used by bigdl 2.0.1?

Ok. We will plan it.

Le-Zheng avatar Apr 28 '22 05:04 Le-Zheng

Fix in https://github.com/intel-analytics/BigDL-core/pull/158

Le-Zheng avatar May 11 '22 00:05 Le-Zheng