gamioo Known vulnerabilities in shared library zstd which gamioo-compress depends on.Can you help upgrade to patch versions?

Known vulnerabilities in shared library zstd which gamioo-compress depends on.Can you help upgrade to patch versions?

Open HelenParr opened this issue 2 years ago • 0 comments

Hi, @jiangguilong2000 , I'd like to report a vulnerability issue in io.gamioo:gamioo-compress:0.2.9.

Issue Description

I noticed that io.gamioo:gamioo-compress:0.2.9 directly depends on com.github.luben:zstd-jni:v1.4.5-6 in the pom. However, as shown in the following dependency graph, com.github.luben:zstd-jni:v1.4.5-6 sufferes from the vulnerability which the C library zstd(version:1.4.5) exposed: CVE-2021-24032.

Dependency Graph between Java and Shared Libraries

image (12)

Suggested Vulnerability Patch Versions

com.github.luben:zstd-jni:v1.4.9-1 (>=v1.4.9-1) has upgraded this vulnerable C library zstd to the patch version 1.4.9.

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade this vulnerable dependency?

Thanks for your help~ Best regards, Helen Parr

Apr 13 '22 13:04 HelenParr

gamioo gamioo copied to clipboard

Known vulnerabilities in shared library zstd which gamioo-compress depends on.Can you help upgrade to patch versions?

Issue Description

Dependency Graph between Java and Shared Libraries

Suggested Vulnerability Patch Versions

gamioo
gamioo copied to clipboard