Open HelenParr opened 2 years ago
Hello there @HelenParr
I’m sorry you never got any response. Sadly, my uncle, @lolocohen left us in 2022. We tried getting access to the project, but GitHub couldn’t respond to our demand and we were never able to make an announcement.
As JPPF was important to him, we would have loved for it to find a new maintainer. Feel free to fork it an make it your own if you wish
Best regards Timothée
Oh!
I am so sorry to hear that. Am am very sorry for your loss. We still use JPPF in our jobs for distributed calculations.
Hope you can gain access to github but also to the domain jppf.org. It would be nice to have jppf.org working again. If you need some help for it, just send me a message.
Thanks @borisklug
jppf.org is still reserved, I’ll try contacting the hoster and see if they can do something. Getting the complete host back would be best as we don’t have any save of the website. Looking back at it now, I remember it was me who recommended that hoster to him…
As for GitHub, we could try again, but I doubt it’ll change anything. And I don’t think I know anyone working there.
Hi, @lolocohen, I'd like to report a vulnerability issue in org.jppf:jppf-common:6.3-alpha.
Issue Description
I noticed that org.jppf:jppf-common:6.3-alpha directly depends on org.lz4:lz4-java:1.6.0. As shown in the following dependency graph. However, org.lz4:lz4-java:1.6.0 sufferes from the vulnerability which the C library lz4(version:1.9.1) exposed, containing a high severity CVE: CVE-2019-17543.
Dependency Graph between Java and Shared Libraries
Furthermore, the vulnerable methods in the vulnerable shared libraries can be actually invoked by Java code. For instance, the following LZ4-JNI interfaces(Java code):
LZ4JNIFastDecompressor::decompress()
,LZ4JNISafeDecompressor::decompress()
,LZ4JNICompressor::compress()
can reach the vulnerable method(C code)LZ4_write32()
reported by CVE-2019-17543.Suggested Vulnerability Patch Versions
org.lz4:lz4-java:1.7.0 (>=1.7.0) has upgraded this vulnerable C library
lz4
to the patch version 1.9.2.Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade this vulnerable dependency?
Thanks for your help~ Best regards, Helen Parr