Hi, @kaikreuzer , @laverman , I'd like to report a vulnerability issue in org.eclipse.hawkbit:hawkbit-update-server-azure:0.3.0M7.
Issue Description
org.eclipse.hawkbit:hawkbit-update-server-azure:0.3.0M7 directly or transitively depends on 28 C libraries (.so) cross many platforms(such as ppc64, aarch64, amd64, i386, mips64). However, I noticed that some C libraries are vulnerable, containing the following CVEs:
llibzstd-jni.so from C project zstd(version:1.4.4) exposed 1 vulnerabilities:
CVE-2021-24032liblz4-java.so from C project lz4(version:1.9.1) exposed 1 vulnerabilities:
CVE-2019-17543
Suggested Vulnerability Patch Versions
zstd has fixed the vulnerabilities in versions >=1.4.9lz4 has fixed the vulnerabilities in versions >=1.9.2
Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects.
Could you please upgrade the above shared libraries to their patch versions?
Hi, @kaikreuzer , @laverman , I'd like to report a vulnerability issue in org.eclipse.hawkbit:hawkbit-update-server-azure:0.3.0M7.
Issue Description
org.eclipse.hawkbit:hawkbit-update-server-azure:0.3.0M7 directly or transitively depends on 28 C libraries (.so) cross many platforms(such as ppc64, aarch64, amd64, i386, mips64). However, I noticed that some C libraries are vulnerable, containing the following CVEs:
llibzstd-jni.sofrom C project zstd(version:1.4.4) exposed 1 vulnerabilities: CVE-2021-24032liblz4-java.sofrom C project lz4(version:1.9.1) exposed 1 vulnerabilities: CVE-2019-17543Suggested Vulnerability Patch Versions
zstd has fixed the vulnerabilities in versions >=1.4.9 lz4 has fixed the vulnerabilities in versions >=1.9.2
Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~ Best regards, Helen Parr