This repository has been archived by the owner on Apr 8, 2024. It is now read-only.
Known vulnerability in shared library which spectrum depends on.Can you help upgrade to patch versions? #1842
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Hi, @lambdapioneer , @cuva , I'd like to report a vulnerability issue in com.facebook.spectrum:spectrum-png:1.3.0.
Issue Description
com.facebook.spectrum:spectrum-png:1.3.0 directly depends on 4 C libraries (.so) cross many platforms(such as x86-64, x86, arm64, armhf). However, I noticed that the shared library is vulnerable, containing the following CVEs:
libspectrumpluginpng.sofrom C project libpng(version:1.6.35) exposed 1 vulnerabilities:CVE-2018-14550
Suggested Vulnerability Patch Versions
libpng has fixed the vulnerabilities in versions >=1.6.37
Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects.
Could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~
Best regards,
Helen Parr
The text was updated successfully, but these errors were encountered: