Netflix / conductor

Conductor is a microservices orchestration engine.
Apache License 2.0

xstream v1.14.10 used in eureka-client 1.8.7 has vulnerabilities #1540

Closed rickfish closed 3 years ago

rickfish commented 4 years ago

Our security team has blacklisted the xstream dependency that exists in eureka-client that conductor-client depends on. They blacklisted it because it has known security vulnerabilities. We can exclude it from our build because we are not deployed on AWS but others that use AWS will face this issue.

We can't test eureka-client 1.9.18 which has the latest xstream (1.14.11) that has no known vulnerabilities because we do not use AWS, so we can't make the dependency change.

Can someone else do that?

apanicker-nflx commented 4 years ago

@rickfish Thank you very much for reporting this vulnerability. We can definitely test this out and make the change in a future release if testing is successful.

rickfish commented 4 years ago

@apanicker-nflx, I hate to be a pest, but jackson-databind v2.9.5 also has vulnerabilities. The version specified in versionsOfDependencies is fine at 2.10.0 but nebula.netflixoss v5.1.1 has a dependency on 2.9.5. nebula.netflixoss v8.4.1 is the earliest that has no vulnerabilities as 8.4.0 and earlier do. 8.6.0 is the latest.
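For readers in the same position as the reporter (a consumer of conductor-client waiting on the upstream bump), the two remedies described in this thread can be applied from the consuming project's own Gradle build: drop the unused transitive xstream when the deployment does not run on AWS, or pin xstream and jackson-databind to the versions named above when it does. The build script below is an added illustration, not Conductor's build file or anything the reporter posted. The Maven coordinates for conductor-client, xstream and jackson-databind are the public ones; the version strings are the ones quoted in this issue (CONDUCTOR_VERSION is a placeholder), and the `runsOnAws` project property and the `blocked` map are assumptions made for this example.

```groovy
// build.gradle (Groovy DSL) of an application that depends on conductor-client.
// Added example for this issue; not Conductor's own build script.
ext {
    conductorVersion = 'CONDUCTOR_VERSION'   // placeholder: the conductor-client release you consume
    xstreamFixed     = '1.14.11'             // patched xstream version named in this issue
    jacksonFixed     = '2.10.0'              // jackson-databind version from versionsOfDependencies
    // group:artifact -> versions the security team has blocked (values from this issue)
    blocked = [
        'com.thoughtworks.xstream:xstream'        : ['1.14.10'],
        'com.fasterxml.jackson.core:jackson-databind': ['2.9.5'],
    ]
}

// Assumed switch: pass -PrunsOnAws when the service actually needs eureka-client's AWS support.
def runsOnAws = project.hasProperty('runsOnAws')

dependencies {
    implementation("com.netflix.conductor:conductor-client:${conductorVersion}") {
        if (!runsOnAws) {
            // Not deployed on AWS: eureka-client's xstream is never exercised, so remove it
            // from the transitive graph altogether (the reporter's workaround).
            exclude group: 'com.thoughtworks.xstream', module: 'xstream'
        }
    }
}

configurations.all {
    resolutionStrategy {
        if (runsOnAws) {
            // AWS deployments keep xstream but resolve it to the patched release.
            force "com.thoughtworks.xstream:xstream:${xstreamFixed}"
        }
        // The plugin-managed jackson-databind (2.9.5) is older than the version the
        // project's own versionsOfDependencies declares; pin the newer one explicitly.
        force "com.fasterxml.jackson.core:jackson-databind:${jacksonFixed}"
    }
}

// Guard rail: fail resolution if any blocked artifact/version still reaches the graph,
// so a later plugin or BOM change cannot silently reintroduce it.
configurations.all { conf ->
    conf.incoming.afterResolve { resolvable ->
        resolvable.resolutionResult.allComponents { component ->
            def id = component.moduleVersion
            if (id == null) return                       // project components have no module id
            def ga = "${id.group}:${id.name}"
            if (blocked.containsKey(ga) && blocked[ga].contains(id.version)) {
                throw new GradleException(
                    "Blocked dependency ${ga}:${id.version} resolved in configuration '${conf.name}'")
            }
        }
    }
}
```

Run `./gradlew build` for a non-AWS deployment or `./gradlew build -PrunsOnAws` when eureka-client's AWS support is required; either way the `afterResolve` hook fails the build if a blocked version is still selected. To confirm what actually resolved and why, Gradle's built-in report is `./gradlew dependencyInsight --dependency xstream --configuration runtimeClasspath` (and the same for `jackson-databind`).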

apanicker-nflx commented 4 years ago

Thanks for reporting this. We will try to prioritize this change into a future release.

github-actions[bot] commented 3 years ago

This issue is stale, because it has been open for 45 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.

github-actions[bot] commented 3 years ago

This issue was closed, because it has been stalled for 7 days with no activity.