https://bugzilla.redhat.com/show_bug.cgi?id=1937440
--- Comment #24 from Todd Cullum <tcullum(a)redhat.com> ---
Statement:
OpenShift Container Platform (OCP) openshift-logging/elasticsearch6-rhel8
container does contain a vulnerable version of velocity. The references to the
library only occur in the x-pack component, which is an enterprise-only feature
of Elasticsearch; hence it has been marked as wontfix at this time and may be
fixed in a future release. Additionally, the hive container only references
velocity in the testutils of the code, but the code still exists in the
container; as such it has been given a Moderate impact.
* Velocity as shipped with Red Hat Enterprise Linux 6 is not affected because
it does not contain the vulnerable code.
* Velocity as shipped with Red Hat Enterprise Linux 7 contains a vulnerable
version, but it is used as a dependency for IdM/ipa, which does not use the
vulnerable functionality. It has been marked as Moderate for this reason.
* Although velocity shipped in Red Hat Enterprise Linux 8's pki-deps:10.6 for
IdM/ipa is a vulnerable version, the vulnerable code is not used by pki. It has
been marked as Low for this reason.