google / myanmar-tools

Detect and convert the Zawgyi-One font encoding in C++, Java, JavaScript, PHP, and Ruby

There is a vulnerability in Guava: Google Core Libraries for Java 24.1.1-jre, upgrade recommended #67

Open QiAnXinCodeSafe opened 3 years ago

QiAnXinCodeSafe commented 3 years ago

https://github.com/google/myanmar-tools/blob/adc4db24df0d77abe0b84536892f14d00151eb0c/genconvert/pom.xml#L30

CVE-2020-8908 Recommended upgrade version: 30.0-jre

sffc commented 3 years ago

The genconvert project runs offline in a controlled environment. Previously when I've tried upgrading Guava, there have been backwards-incompatible changes, particularly with the required Java version. I don't want to mess with genconvert unnecessarily, but next time someone tries running the tool, they can consider bumping the Guava version.