This is an automated email from the ASF dual-hosted git repository. stevel pushed a commit to branch branch-3.3 in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/branch-3.3 by this push: new 456cb0085fc6 YARN-11498. Add exclusion for jettison everywhere jersey-json is loaded (#5786) 456cb0085fc6 is described below commit 456cb0085fc6b5579a6586829b12578d0de190fc Author: PJ Fanning <pjfann...@users.noreply.github.com> AuthorDate: Thu Dec 7 19:24:46 2023 +0100 YARN-11498. Add exclusion for jettison everywhere jersey-json is loaded (#5786) All uses of jersey-json in the yarn and other hadoop modules now exclude the obsolete org.codehaus.jettison/jettison and so avoid all security issues which can come from the library. Contributed by PJ Fanning
---
 hadoop-client-modules/hadoop-client-minicluster/pom.xml | 4 ++++
 hadoop-client-modules/hadoop-client-runtime/pom.xml | 2 ++
 hadoop-common-project/hadoop-common/pom.xml | 12 ++++++++++++
 hadoop-project/pom.xml | 4 ++++
 hadoop-tools/hadoop-resourceestimator/pom.xml | 4 ++++
 .../hadoop-yarn-applications-catalog-webapp/pom.xml | 4 ++++
 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/pom.xml | 4 ++++
 .../hadoop-yarn-server-applicationhistoryservice/pom.xml | 4 ++++
 .../hadoop-yarn-server-nodemanager/pom.xml | 4 ++++
 .../hadoop-yarn-server-resourcemanager/pom.xml | 4 ++++
 10 files changed, 46 insertions(+)
diff --git a/hadoop-client-modules/hadoop-client-minicluster/pom.xml b/hadoop-client-modules/hadoop-client-minicluster/pom.xml
index 67e3a8b1b183..49a1c86b2452 100644
--- a/hadoop-client-modules/hadoop-client-minicluster/pom.xml
+++ b/hadoop-client-modules/hadoop-client-minicluster/pom.xml
@@ -443,6 +443,10 @@
 <groupId>javax.xml.bind</groupId>
 <artifactId>jaxb-api</artifactId>
 </exclusion>
+ <exclusion>
+ <groupId>org.codehaus.jettison</groupId>
+ <artifactId>jettison</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
diff --git a/hadoop-client-modules/hadoop-client-runtime/pom.xml b/hadoop-client-modules/hadoop-client-runtime/pom.xml
index 78153c1f0728..99f1dad19ebb 100644
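Review bot: The jettison `<exclusion>` added in this hunk is hand-copied into each jersey-json declaration (the same four lines recur in the hadoop-project, hadoop-resourceestimator, catalog-webapp, hadoop-yarn-common, applicationhistoryservice, nodemanager and resourcemanager hunks), and nothing visible in the change stops a later module from declaring jersey-json without it. A maven-enforcer `bannedDependencies` rule that rejects the old transitive jettison would turn that omission into a build failure instead of a silent regression; the version range to ban is not shown on this page and would have to follow the managed jettison version. The enclosing `<dependency>` opens above the hunk, so the artifact that receives this exclusion cannot be confirmed from the visible lines.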
--- a/hadoop-client-modules/hadoop-client-runtime/pom.xml
+++ b/hadoop-client-modules/hadoop-client-runtime/pom.xml
@@ -165,6 +165,8 @@
 <exclude>org.xerial.snappy:*</exclude>
 <!-- leave out kotlin classes -->
 <exclude>org.jetbrains.kotlin:*</exclude>
+ <!-- exclude jettison classes -->
+ <exclude>org.codehaus.jettison:jettison:*</exclude>
 </excludes>
 </artifactSet>
 <filters>
diff --git a/hadoop-common-project/hadoop-common/pom.xml b/hadoop-common-project/hadoop-common/pom.xml
index 7e0367bd2b31..6f27b8a0be0c 100644
--- a/hadoop-common-project/hadoop-common/pom.xml
+++ b/hadoop-common-project/hadoop-common/pom.xml
@@ -173,8 +173,20 @@
 <groupId>com.fasterxml.jackson.jaxrs</groupId>
 <artifactId>jackson-jaxrs-json-provider</artifactId>
 </exclusion>
+ <exclusion>
+ <groupId>org.codehaus.jettison</groupId>
+ <artifactId>jettison</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
+ <dependency>
+ <!--
+ adding jettison as direct dependency (as jersey-json's jettison dependency is vulnerable with verison 1.1),
+ so those who depends on hadoop-common externally will get the non-vulnerable jettison
+ -->
+ <groupId>org.codehaus.jettison</groupId>
+ <artifactId>jettison</artifactId>
+ </dependency>
 <dependency>
 <groupId>com.sun.jersey</groupId>
 <artifactId>jersey-server</artifactId>
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index c43f846331bb..9ca9ca29f3c9 100644
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
@@ -910,6 +910,10 @@
 <groupId>com.fasterxml.jackson.jaxrs</groupId>
 <artifactId>jackson-jaxrs-json-provider</artifactId>
 </exclusion>
+ <exclusion>
+ <groupId>org.codehaus.jettison</groupId>
+ <artifactId>jettison</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
diff --git a/hadoop-tools/hadoop-resourceestimator/pom.xml b/hadoop-tools/hadoop-resourceestimator/pom.xml
index bc5d2a072296..32bc012852ff 100644
--- a/hadoop-tools/hadoop-resourceestimator/pom.xml
+++ b/hadoop-tools/hadoop-resourceestimator/pom.xml
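Review bot: The new comment `<!-- exclude jettison classes -->` in the hadoop-client-runtime hunk only restates the element under it, and the pattern `org.codehaus.jettison:jettison:*` is written differently from the neighbouring `groupId:*` entries (`org.xerial.snappy:*`, `org.jetbrains.kotlin:*`). I would write it as `<exclude>org.codehaus.jettison:*</exclude>` to match, and have the comment state the reason the classes stay out of the shaded jar. Whether consumers of the shaded runtime still need jettison on their classpath cannot be answered from this hunk and should be confirmed. The `<artifactSet>` opens above the hunk.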
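Review bot: The direct `<dependency>` on `org.codehaus.jettison:jettison` added in the hadoop-common hunk carries no `<version>`, so what downstream consumers resolve depends entirely on a version managed elsewhere (presumably in hadoop-project's dependencyManagement, which this diff does not show); that managed version has to stay on a patched release for the fix to hold. This hunk also keeps jettison on the classpath, so the commit message's "avoid all security issues" applies only to the 1.1 copy that jersey-json pulled in. The comment has typos ("verison", "those who depends"); I would reword it to `<!-- jersey-json depends on jettison 1.1, which is vulnerable; declare jettison directly so external users of hadoop-common resolve the managed, non-vulnerable version -->`.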
@@ -94,6 +94,10 @@
 <groupId>com.fasterxml.jackson.jaxrs</groupId>
 <artifactId>jackson-jaxrs-json-provider</artifactId>
 </exclusion>
+ <exclusion>
+ <groupId>org.codehaus.jettison</groupId>
+ <artifactId>jettison</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/pom.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/pom.xml
index 154f19004bda..622c039301e0 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/pom.xml
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/pom.xml
@@ -107,6 +107,10 @@
 <groupId>com.fasterxml.jackson.jaxrs</groupId>
 <artifactId>jackson-jaxrs-json-provider</artifactId>
 </exclusion>
+ <exclusion>
+ <groupId>org.codehaus.jettison</groupId>
+ <artifactId>jettison</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/pom.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/pom.xml
index 7560fdad8669..0ace9a734d1c 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/pom.xml
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/pom.xml
@@ -172,6 +172,10 @@
 <groupId>com.fasterxml.jackson.jaxrs</groupId>
 <artifactId>jackson-jaxrs-json-provider</artifactId>
 </exclusion>
+ <exclusion>
+ <groupId>org.codehaus.jettison</groupId>
+ <artifactId>jettison</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/pom.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/pom.xml
index 046132f0c0aa..732274eecd09 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/pom.xml
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/pom.xml
@@ -107,6 +107,10 @@
 <groupId>com.fasterxml.jackson.jaxrs</groupId>
 <artifactId>jackson-jaxrs-json-provider</artifactId>
 </exclusion>
+ <exclusion>
+ <groupId>org.codehaus.jettison</groupId>
+ <artifactId>jettison</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/pom.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/pom.xml
index a13cd63ae84c..9b26c84ba136 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/pom.xml
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/pom.xml
@@ -161,6 +161,10 @@
 <groupId>com.fasterxml.jackson.jaxrs</groupId>
 <artifactId>jackson-jaxrs-json-provider</artifactId>
 </exclusion>
+ <exclusion>
+ <groupId>org.codehaus.jettison</groupId>
+ <artifactId>jettison</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/pom.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/pom.xml
index 190463d84aa1..0ef0977e0648 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/pom.xml
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/pom.xml
@@ -123,6 +123,10 @@
 <groupId>com.fasterxml.jackson.jaxrs</groupId>
 <artifactId>jackson-jaxrs-json-provider</artifactId>
 </exclusion>
+ <exclusion>
+ <groupId>org.codehaus.jettison</groupId>
+ <artifactId>jettison</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
--------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org