Potential secutiry vulnerabilities in the shared libraries which jctp depends on.

[HelenParr]

Hi, @RationalityFrontline , I'd like to report a vulnerability issue in org.rationalityfrontline:jctp:6.3.19-1.0.0.

Issue Description

org.rationalityfrontline:jctp:6.3.19-1.0.0 depends on 3 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVEs:

libthosttraderapi_se.so from C project openssl(version:1.1.0d) exposed 5 vulnerabilities: CVE-2019-1543, CVE-2018-0735, CVE-2017-3738, CVE-2017-3733, CVE-2019-1552

Suggested Vulnerability Patch Versions

openssl( has fixed the vulnerabilities in versions >=1.1.1l

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~ Best regards, Helen Parr

[RationalityFrontline]

I don't have source code of libthosttraderapi_se, the library belongs to project CTP, which is a closed source project developed by Shanghai Futures Information Technology Co.,Ltd. I can only download the library binaries from their website. So I don't have any idea of how to fix the issue. Do you have any suggestions?