[
https://issues.apache.org/jira/browse/HIVE-24890?focusedWorklogId=567857&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-567857
]
ASF GitHub Bot logged work on HIVE-24890:
-----------------------------------------
Author: ASF GitHub Bot
Created on: 17/Mar/21 17:48
Start Date: 17/Mar/21 17:48
Worklog Time Spent: 10m
Work Description: yongzhi merged pull request #2081:
URL: https://github.com/apache/hive/pull/2081
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Issue Time Tracking
-------------------
Worklog Id: (was: 567857)
Time Spent: 20m (was: 10m)
> Upgrade to cron-utils 9.1.3 due to CVE-2020-26238
> -------------------------------------------------
>
> Key: HIVE-24890
> URL: https://issues.apache.org/jira/browse/HIVE-24890
> Project: Hive
> Issue Type: Bug
> Environment: [CVE
> 2020-26238|https://nvd.nist.gov/vuln/detail/CVE-2020-26238]
> Reporter: Abhay
> Assignee: Abhay
> Priority: Major
> Labels: pull-request-available
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Hive is pulling in cron-utils 8.1.1 which is vulnerable to CVE-2020-26238. It
> is assigned a CVSSv3 score of Critical. For reference here is where
> cron-utils is referenced in code:
> *
> [https://github.com/apache/hive/blob/master/standalone-metastore/pom.xml#L107]
> Upgrade cron-utils to 9.1.3 which is not vulnerable to this CVE even if Hive
> is not technically vulnerable.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
