massakam opened a new pull request #3938: Upgrade third party libraries with security vulnerabilities
URL: https://github.com/apache/pulsar/pull/3938

### Motivation

The Pulsar distribution includes some third-party libraries with security vulnerabilities.

- jackson-databind-2.9.7
  - https://nvd.nist.gov/vuln/detail/CVE-2018-19360
  - https://nvd.nist.gov/vuln/detail/CVE-2018-19361
  - https://nvd.nist.gov/vuln/detail/CVE-2018-19362
- commons-beanutils-1.7.0, commons-beanutils-core-1.8.0
  - https://nvd.nist.gov/vuln/detail/CVE-2014-0114

### Modifications

- Upgraded jackson related libraries to 2.9.8. The jackson used in pulsar-sql can not be upgraded to 2.9.x, so upgraded `jackson-databind` to [2.8.11.3](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.8) (cf. #2978).
- Upgraded the version of `commons-configuration` from 1.6 to 1.10. `commons-beanutils` and `commons-beanutils-core` were installed because `commons-configuration-1.6` depends on these, but these dependencies are optional in `commons-configuration-1.10`.

### Verifying this change

- [ ] Make sure that the change passes the CI checks.
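One way to confirm that a built distribution reflects the upgrades this pull request describes, shown as an added example that is not part of the pull request or of Pulsar's code. The jar file names are constructed sample input, and treating any bundled `commons-beanutils` jar as a finding is an assumption drawn from the note that those dependencies become optional.

```python
import re

# Constructed sample: jar names as they might appear in a distribution's lib/ directory.
SAMPLE_JARS = [
    "jackson-databind-2.9.7.jar",
    "jackson-databind-2.8.11.3.jar",
    "jackson-core-2.9.8.jar",
    "commons-beanutils-1.7.0.jar",
    "commons-beanutils-core-1.8.0.jar",
    "commons-configuration-1.10.jar",
]

# Minimum version per release line, taken from the pull request text.
MIN_BY_BRANCH = {"jackson-databind": {(2, 9): (2, 9, 8), (2, 8): (2, 8, 11, 3)}}
# Assumption: these should be absent once commons-configuration is at 1.10.
UNWANTED = {"commons-beanutils", "commons-beanutils-core"}

JAR_RE = re.compile(
    r"^(?P<name>[A-Za-z][\w.-]*?)-(?P<ver>\d+(?:\.\d+)*)(?:[.-][A-Za-z][\w.-]*)?\.jar$"
)


def parse_jar(filename):
    """Return (artifact, version_tuple), or None if no numeric version is found."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group("name"), tuple(int(p) for p in m.group("ver").split("."))


def audit(jar_names):
    """Return (jar, reason) pairs for jars that contradict the described upgrade."""
    findings = []
    for jar in jar_names:
        parsed = parse_jar(jar)
        if parsed is None:
            continue
        name, ver = parsed
        if name in UNWANTED:
            findings.append((jar, "still bundled; expected to be dropped"))
        elif name in MIN_BY_BRANCH:
            minimum = MIN_BY_BRANCH[name].get(ver[:2])
            if minimum is None:
                findings.append((jar, "release line not covered; review manually"))
            elif ver < minimum:
                wanted = ".".join(map(str, minimum))
                findings.append((jar, f"older than {wanted}"))
    return findings


if __name__ == "__main__":
    for jar, reason in audit(SAMPLE_JARS):
        print(f"{jar}: {reason}")
```
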