ongdb version 3.6.2 and the latest 1.0.0 release use third party libraries with high security vulnerabilities

[KbGr99]

we are using ongdb version 3.6.2. This release, and also the latest release 1.0.0, use third party libraries with high security vulnerabilities:

1. 'shiro-core-1.6.0' is marked with this high vulnerability:

   • CVE-2021-41303

   'shiro-core' need to be upgraded to version 'shiro-core:1.8.0'

2. 'netty-all-4.1.43.Final' is marked with these high vulnerabilities:

   • CVE-2020-7238
   • CVE-2020-11612
   • CVE-2019-20445
   • CVE-2021-37136
   • CVE-2021-37137
   • CVE-2019-20444

   'netty-all' need to be upgraded to version 'netty-all-4.1.73.Final'

3. 'netty-3.9.9.Final' is marked with this high vulnerability:

   • CVE-2019-20444

[graphfoundationadmin]

@KbGr99 Shiro has been upgraded to 1.8.0 and will be in the 1.0.1 release. See 2e597a5.

Netty upgrades require more investigation but will try to get that into 1.0.1.

[dangolbeeker]

Following....

[bradnussbaum]

The upcoming ONgDB 1.0.3 release will contain the fixes for many security vulnerabilities:

These fixes have been merged into the 1.0 branch currently.

[gnanderson]

Hi there,

Trivvy scanner picked up a few more netty vulns in the 1.0.3 image:

graphfoundation/docker-ongdb-publish#7

[crazyyanchao]

这是来自QQ邮箱的假期自动回复邮件。你好，我最近正在休假中，无法亲自回复你的邮件。我将在假期结束后，尽快给你回复。