This is an automated email from the ASF dual-hosted git repository. sijie pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push: new 9ad9535 Bump jackson libraries to 2.10.1 (#5758) 9ad9535 is described below commit 9ad95357a9f6005eb38e840424f36e501c885190 Author: Masahiro Sakamoto <massa...@yahoo-corp.jp> AuthorDate: Wed Dec 4 02:45:20 2019 +0900 Bump jackson libraries to 2.10.1 (#5758) Updated jackson libraries to the latest version. There is a security vulnerability in `jackson-databind` currently used by Pulsar. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531 --- distribution/server/licenses/LICENSE-EDL-1.0.txt | 30 ++++++++++++++++++++++++ distribution/server/src/assemble/LICENSE.bin.txt | 22 ++++++++++------- pom.xml | 4 ++-- 3 files changed, 45 insertions(+), 11 deletions(-) diff --git a/distribution/server/licenses/LICENSE-EDL-1.0.txt b/distribution/server/licenses/LICENSE-EDL-1.0.txt new file mode 100644 index 0000000..6118dac --- /dev/null +++ b/distribution/server/licenses/LICENSE-EDL-1.0.txt @@ -0,0 +1,30 @@ +Copyright (c) 2007, Eclipse Foundation, Inc. and its licensors. + +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + + - Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + - Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + - Neither the name of the Eclipse Foundation, Inc. nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS +IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR +CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, +EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt index b08c698..470d05c 100644 --- a/distribution/server/src/assemble/LICENSE.bin.txt +++ b/distribution/server/src/assemble/LICENSE.bin.txt @@ -314,14 +314,14 @@ The Apache Software License, Version 2.0 * Jackson - org.codehaus.jackson-jackson-core-asl-1.9.13.jar - org.codehaus.jackson-jackson-mapper-asl-1.9.13.jar - - com.fasterxml.jackson.core-jackson-annotations-2.9.9.jar - - com.fasterxml.jackson.core-jackson-core-2.9.9.jar - - com.fasterxml.jackson.core-jackson-databind-2.9.9.3.jar - - com.fasterxml.jackson.dataformat-jackson-dataformat-yaml-2.9.9.jar - - com.fasterxml.jackson.jaxrs-jackson-jaxrs-base-2.9.9.jar - - com.fasterxml.jackson.jaxrs-jackson-jaxrs-json-provider-2.9.9.jar - - com.fasterxml.jackson.module-jackson-module-jaxb-annotations-2.9.9.jar - - com.fasterxml.jackson.module-jackson-module-jsonSchema-2.9.9.jar + - com.fasterxml.jackson.core-jackson-annotations-2.10.1.jar + - com.fasterxml.jackson.core-jackson-core-2.10.1.jar + - com.fasterxml.jackson.core-jackson-databind-2.10.1.jar + - com.fasterxml.jackson.dataformat-jackson-dataformat-yaml-2.10.1.jar + - com.fasterxml.jackson.jaxrs-jackson-jaxrs-base-2.10.1.jar + - com.fasterxml.jackson.jaxrs-jackson-jaxrs-json-provider-2.10.1.jar + - com.fasterxml.jackson.module-jackson-module-jaxb-annotations-2.10.1.jar + - com.fasterxml.jackson.module-jackson-module-jsonSchema-2.10.1.jar * Caffeine -- com.github.ben-manes.caffeine-caffeine-2.6.2.jar * Proto Google Common Protos -- com.google.api.grpc-proto-google-common-protos-1.12.0.jar * Gson -- com.google.code.gson-gson-2.8.2.jar @@ -429,7 +429,7 @@ The Apache Software License, Version 2.0 - org.eclipse.jetty.websocket-websocket-common-9.4.20.v20190813.jar - org.eclipse.jetty.websocket-websocket-server-9.4.20.v20190813.jar - org.eclipse.jetty.websocket-websocket-servlet-9.4.20.v20190813.jar - * SnakeYaml -- org.yaml-snakeyaml-1.23.jar + * SnakeYaml -- org.yaml-snakeyaml-1.24.jar * RocksDB - org.rocksdb-rocksdbjni-5.13.3.jar * HttpClient - org.apache.httpcomponents-httpclient-4.5.5.jar @@ -558,6 +558,10 @@ CDDL-1.1 -- licenses/LICENSE-CDDL-1.1.txt - org.glassfish.jersey.inject-jersey-hk2-2.27.jar * Mimepull -- org.jvnet.mimepull-mimepull-1.9.6.jar +Eclipse Distribution License 1.0 -- licenses/LICENSE-EDL-1.0.txt + * Jakarta Activation -- jakarta.activation-jakarta.activation-api-1.2.1.jar + * Jakarta XML Binding -- jakarta.xml.bind-jakarta.xml.bind-api-2.3.2.jar + Eclipse Public License 1.0 -- licenses/LICENSE-AspectJ.txt * AspectJ - org.aspectj-aspectjrt-1.9.2.jar diff --git a/pom.xml b/pom.xml index d73df24..e8dbc7d 100644 --- a/pom.xml +++ b/pom.xml @@ -163,8 +163,8 @@ flexible messaging model and an intuitive client API.</description> <commons.collections.version>3.2.2</commons.collections.version> <log4j2.version>2.10.0</log4j2.version> <bouncycastle.version>1.60</bouncycastle.version> - <jackson.version>2.9.9</jackson.version> - <jackson.databind.version>2.9.9.3</jackson.databind.version> + <jackson.version>2.10.1</jackson.version> + <jackson.databind.version>2.10.1</jackson.databind.version> <reflections.version>0.9.11</reflections.version> <swagger.version>1.5.21</swagger.version> <puppycrawl.checkstyle.version>6.19</puppycrawl.checkstyle.version>