celeborn-0.6/0.6.1-r0: cve remediation #69882

Closed
octo-sts[bot] wants to merge 1 commit into main from cve-celeborn-0.6-0.6.1-r0-2dc69909bb02fd4021f9e96b24a6a4f1

celeborn-0.6/0.6.1-r0: fix GHSA-prj3-ccx8-p6x4

47c34ad
Octo STS / ci-cve-scan failed Oct 23, 2025 in 39s

CVE scan report (mode: must-fix)

CVE Scan Results (mode: must-fix)

⚠️ Must-Fix CVEs Found

The following CVEs were marked as must-fix in the PR body:

  • GHSA-prj3-ccx8-p6x4 (found in: aarch64/celeborn-0.6-0.6.1-r1.apk, x86_64/celeborn-0.6-0.6.1-r1.apk)

This check will fail until these CVEs are resolved.

aarch64/celeborn-0.6-0.6.1-r1.apk

├── 📄 /usr/share/java/celeborn/jars/hadoop-client-runtime-3.4.2.jar
│       📦 commons-lang3 3.17.0 (java-archive)
│           Medium CVE-2025-48924 GHSA-j288-q9x7-2f5v fixed in 3.18.0
│       📦 jackson-core 2.12.7 (java-archive)
│           High CVE-2025-52999 GHSA-h46c-h94j-95f3 fixed in 2.15.0
│           Medium CVE-2025-49128 GHSA-wf8f-6423-gfxg fixed in 2.13.0
│       📦 jetty-http 9.4.57.v20241219 (java-archive)
│           Medium CVE-2024-6763 GHSA-qh8g-58pp-2wxh fixed in 12.0.12
│       📦 nimbus-jose-jwt 9.37.2 (java-archive)
│           Medium CVE-2025-53864 GHSA-xwmg-2g98-w7v9 fixed in 9.37.4
├── 📄 /usr/share/java/celeborn/jars/jetty-http-9.4.58.v20250814.jar
│       📦 jetty-http 9.4.58.v20250814 (java-archive)
│           Medium CVE-2024-6763 GHSA-qh8g-58pp-2wxh fixed in 12.0.12
└── 📄 /usr/share/java/celeborn/jars/ratis-thirdparty-misc-1.0.9.jar
        📦 netty-codec 4.1.119.Final (java-archive)
            Medium CVE-2025-58057 GHSA-3p8m-j85q-pgmj fixed in 4.1.125.Final
        📦 netty-codec-http 4.1.119.Final (java-archive)
            Low CVE-2025-58056 GHSA-fghv-69vj-qj49 fixed in 4.1.125.Final
        📦 netty-codec-http2 4.1.119.Final (java-archive)
            High CVE-2025-55163 GHSA-prj3-ccx8-p6x4 fixed in 4.1.124.Final

aarch64/celeborn-0.6-compat-0.6.1-r1.apk

✅ No vulnerabilities found

x86_64/celeborn-0.6-0.6.1-r1.apk

├── 📄 /usr/share/java/celeborn/jars/hadoop-client-runtime-3.4.2.jar
│       📦 commons-lang3 3.17.0 (java-archive)
│           Medium CVE-2025-48924 GHSA-j288-q9x7-2f5v fixed in 3.18.0
│       📦 jackson-core 2.12.7 (java-archive)
│           High CVE-2025-52999 GHSA-h46c-h94j-95f3 fixed in 2.15.0
│           Medium CVE-2025-49128 GHSA-wf8f-6423-gfxg fixed in 2.13.0
│       📦 jetty-http 9.4.57.v20241219 (java-archive)
│           Medium CVE-2024-6763 GHSA-qh8g-58pp-2wxh fixed in 12.0.12
│       📦 nimbus-jose-jwt 9.37.2 (java-archive)
│           Medium CVE-2025-53864 GHSA-xwmg-2g98-w7v9 fixed in 9.37.4
├── 📄 /usr/share/java/celeborn/jars/jetty-http-9.4.58.v20250814.jar
│       📦 jetty-http 9.4.58.v20250814 (java-archive)
│           Medium CVE-2024-6763 GHSA-qh8g-58pp-2wxh fixed in 12.0.12
└── 📄 /usr/share/java/celeborn/jars/ratis-thirdparty-misc-1.0.9.jar
        📦 netty-codec 4.1.119.Final (java-archive)
            Medium CVE-2025-58057 GHSA-3p8m-j85q-pgmj fixed in 4.1.125.Final
        📦 netty-codec-http 4.1.119.Final (java-archive)
            Low CVE-2025-58056 GHSA-fghv-69vj-qj49 fixed in 4.1.125.Final
        📦 netty-codec-http2 4.1.119.Final (java-archive)
            High CVE-2025-55163 GHSA-prj3-ccx8-p6x4 fixed in 4.1.124.Final

x86_64/celeborn-0.6-compat-0.6.1-r1.apk

✅ No vulnerabilities found