This is an automated email from the ASF dual-hosted git repository. chenhang pushed a commit to branch branch-4.14 in repository https://gitbox.apache.org/repos/asf/bookkeeper.git
commit 1e0c15da16ea171b6bb55f217644b96f1294b6e0
Author: Hang Chen <[email protected]>
AuthorDate: Mon Apr 17 11:28:47 2023 +0800

Remove avro, hadoop-auth and jersey-json dependencies from hadoop-common to resolve CVE-2019-10202, CVE-2023-1370 and CVE-2022-45685 (#3911)

After upgrading the Hadoop version to 3.3.5, the CVE-2019-10202 still exists.

Detailed paths
Introduced through: org.apache.distributedlog:[email protected] › org.apache.hadoop:[email protected] › org.apache.avro:[email protected] › org.codehaus.jackson:[email protected]

Detailed paths
Introduced through: org.apache.distributedlog:[email protected] › org.apache.hadoop:[email protected] › org.apache.hadoop:[email protected] › net.minidev:[email protected]
Fix: No remediation path available.

Detailed paths
Introduced through: org.apache.distributedlog:[email protected] › org.apache.hadoop:[email protected] › com.github.pjfanning:[email protected] › org.codehaus.jettison:[email protected]
Fix: No remediation path available.

After checking the code of package `org.apache.distributedlog.fs`, those classes only use the `org.apache.hadoop.conf`, `org.apache.hadoop.fs` and `org.apache.hadoop.util` packages. They don't use any Avro-related, json-smart and jersey-json dependencies. It is safe to remove those dependencies to resolve the CVE issue.
https://github.com/apache/bookkeeper/tree/master/stream/distributedlog/io/dlfs/src/main/java/org/apache/distributedlog/fs

Exclude the Avro dependency from `hadoop-common`

(cherry picked from commit 94e15b3dc0286de1dda1bd3989fd8b9de12e8d05)
---
 stream/distributedlog/io/dlfs/pom.xml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/stream/distributedlog/io/dlfs/pom.xml b/stream/distributedlog/io/dlfs/pom.xml
index c216bf3e18..6689e107d5 100644
--- a/stream/distributedlog/io/dlfs/pom.xml
+++ b/stream/distributedlog/io/dlfs/pom.xml
@@ -50,6 +50,26 @@ <groupId>com.google.guava</groupId> <artifactId>guava</artifactId> </exclusion> + <exclusion> + <groupId>org.slf4j</groupId> + <artifactId>slf4j-log4j12</artifactId> + </exclusion> + <exclusion> + <groupId>log4j</groupId> + <artifactId>log4j</artifactId> + </exclusion> + <exclusion> + <groupId>org.apache.avro</groupId> + <artifactId>avro</artifactId> + </exclusion> + <exclusion> + <groupId>net.minidev</groupId> + <artifactId>json-smart</artifactId> + </exclusion> + <exclusion> + <groupId>com.github.pjfanning</groupId> + <artifactId>jersey-json</artifactId> + </exclusion> </exclusions> </dependency> <dependency>
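Review bot: the hunk adds five exclusions, but only three of them (avro, json-smart, jersey-json) are explained by the commit message; the `org.slf4j:slf4j-log4j12` and `log4j:log4j` exclusions are undocumented, so please state in the message why they are removed from `hadoop-common` here and which logging binding the module relies on instead, otherwise a later reader will not know whether dropping them was intentional. Two further things worth checking before merge: an exclusion only removes the artifact from the classpath, it does not prove the remaining code never reaches it at runtime, so the claim that `org.apache.distributedlog.fs` touches only `org.apache.hadoop.conf`, `fs` and `util` should be backed by running the dlfs tests (a `NoClassDefFoundError` from a Hadoop class that lazily references Avro or json-smart would only show up then); and the exclusions are attached to this one `<dependency>` block, so if the `<dependency>` that follows the closing `</exclusions>` (or any other Hadoop artifact in this pom) pulls the same transitive dependencies, the scanner finding will persist and the same exclusions, or a `<dependencyManagement>` entry, are needed there too.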
