[ 
https://issues.apache.org/jira/browse/FLUME-3131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16095870#comment-16095870
 ] 

Attila Simon commented on FLUME-3131:
-------------------------------------

Hi [~fszabo],
In general I'm fine with any approach which gets us closer to the state where 
Flume is not vulnerable based on our understanding. 

Indeed it looks like test only. But having a closer look, it seems that 
activemq (parent dependency of geronimo) also falls into the same category. I 
would also consider updating the version of activemq in case it still passes 
testing and doesn't bring in undesired dependencies transitively. (This in turn 
might help resolve this ticket by either removing the spring dependency 
completely or pulling in a "better" one.)

{noformat}
⏚ [~/ws/apache/flume] trunk ± ag activemq *
flume-ng-doc/sphinx/FlumeUserGuide.rst
932:application it should work with any JMS provider but has only been tested 
with ActiveMQ.
945:**initialContextFactory**   --           Inital Context Factory, e.g: 
org.apache.activemq.jndi.ActiveMQInitialContextFactory
994:  a1.sources.r1.initialContextFactory = 
org.apache.activemq.jndi.ActiveMQInitialContextFactory

flume-ng-sources/flume-jms-source/pom.xml
74:      <groupId>org.apache.activemq</groupId>
75:      <artifactId>activemq-core</artifactId>

flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestIntegrationActiveMQ.java
37:import org.apache.activemq.ActiveMQConnectionFactory;
38:import org.apache.activemq.broker.BrokerPlugin;
39:import org.apache.activemq.broker.BrokerService;
40:import org.apache.activemq.security.AuthenticationUser;
41:import org.apache.activemq.security.SimpleAuthenticationPlugin;
57:public class TestIntegrationActiveMQ {
60:      "org.apache.activemq.jndi.ActiveMQInitialContextFactory";
65:  // specific for dynamic queues on ActiveMq
133:    ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,
154:    ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,

pom.xml
1081:        <groupId>org.apache.activemq</groupId>
1082:        <artifactId>activemq-core</artifactId>
{noformat}

> Upgrade spring framework library dependencies
> ---------------------------------------------
>
>                 Key: FLUME-3131
>                 URL: https://issues.apache.org/jira/browse/FLUME-3131
>             Project: Flume
>          Issue Type: Bug
>    Affects Versions: 1.7.0
>            Reporter: Attila Simon
>            Assignee: Ferenc Szabo
>            Priority: Critical
>              Labels: dependency
>             Fix For: 1.8.0
>
>         Attachments: FLUME-3131.patch
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |org.springframework|spring-aop|3.0.7.RELEASE|4.3.9.RELEASE,|
> |org.springframework|spring-context|3.0.7.RELEASE|4.3.9.RELEASE,|
> |org.springframework|spring-core|3.0.7.RELEASE|4.3.9.RELEASE,|
> Security vulnerability: 
> https://www.cvedetails.com/vulnerability-list/vendor_id-9664/product_id-17274/Springsource-Spring-Framework.html
> Maven repositories: 
> - https://mvnrepository.com/artifact/org.springframework/spring-aop
> - https://mvnrepository.com/artifact/org.springframework/spring-context
> - https://mvnrepository.com/artifact/org.springframework/spring-core
> Please do:
> - CVE might be a false alarm or mistake. Please double check.
> - double check the newest version. 
> - consider removing a dependency if a better alternative is available.
> - check whether the lib change would introduce a backward incompatibility (in 
> which case please add this label `breaking_change` and fix version should be 
> the next major)
> Excerpt from mvn dependency:tree
> {noformat}
> org.apache.flume.flume-ng-sources:flume-jms-source:jar:1.8.0-SNAPSHOT
> \- org.apache.activemq:activemq-core:jar:5.7.0:provided
>    +- org.springframework:spring-context:jar:3.0.7.RELEASE:provided
>    |  +- org.springframework:spring-aop:jar:3.0.7.RELEASE:provided
>    |  +- org.springframework:spring-beans:jar:3.0.7.RELEASE:provided
>    |  +- org.springframework:spring-core:jar:3.0.7.RELEASE:provided
>    |  +- org.springframework:spring-expression:jar:3.0.7.RELEASE:provided
>    |  \- org.springframework:spring-asm:jar:3.0.7.RELEASE:provided
> {noformat}
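The check this thread does by hand (reading `mvn dependency:tree`, spotting the outdated Spring artifacts, and tracing which direct dependency drags them in) can be scripted. The following is an added example, not code from the ticket or from Flume: it parses the dependency:tree excerpt quoted above, flags every artifact whose version is below an assumed per-groupId floor (here the 4.3.9.RELEASE upgrade target the ticket names for `org.springframework`), and reports the scope and the direct dependency responsible, which is what decides whether an exclusion, a managed-version override, or an upgrade of the parent (activemq-core) is the right fix.

```python
"""Flag outdated transitive dependencies in `mvn dependency:tree` output and
name the direct dependency that pulls each one in (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the dependency:tree excerpt quoted in this ticket.
SAMPLE_TREE = r"""org.apache.flume.flume-ng-sources:flume-jms-source:jar:1.8.0-SNAPSHOT
\- org.apache.activemq:activemq-core:jar:5.7.0:provided
   +- org.springframework:spring-context:jar:3.0.7.RELEASE:provided
   |  +- org.springframework:spring-aop:jar:3.0.7.RELEASE:provided
   |  +- org.springframework:spring-beans:jar:3.0.7.RELEASE:provided
   |  +- org.springframework:spring-core:jar:3.0.7.RELEASE:provided
   |  +- org.springframework:spring-expression:jar:3.0.7.RELEASE:provided
   |  \- org.springframework:spring-asm:jar:3.0.7.RELEASE:provided
"""

# Assumed policy: minimum acceptable version per groupId. The Spring floor is the
# upgrade target named in the ticket; add other groups as your own policy requires.
MIN_VERSIONS = {"org.springframework": "4.3.9.RELEASE"}


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    scope: Optional[str]
    path: list  # ancestors as "group:artifact", from the project root down to the parent

    @property
    def ga(self) -> str:
        return f"{self.group}:{self.artifact}"

    @property
    def direct_dependency(self) -> Optional[str]:
        """The top-level dependency that owns this subtree (path[0] is the project itself)."""
        if len(self.path) >= 2:
            return self.path[1]
        return self.ga if self.path else None


def parse_tree(text: str) -> list:
    """Parse dependency:tree text lines into Nodes, tracking the ancestor path."""
    nodes, stack = [], []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        # Tree art (spaces, '|', '+', '\', '-') precedes the coordinate; 3 columns per level.
        m = re.match(r"^([^A-Za-z0-9]*)(\S.*)$", raw)
        prefix, coords = m.group(1), m.group(2).strip()
        depth = len(prefix) // 3
        parts = coords.split(":")
        if len(parts) < 4:
            raise ValueError(f"unexpected coordinate line: {coords!r}")
        group, artifact = parts[0], parts[1]
        # Layouts: g:a:type:version | g:a:type:version:scope | g:a:type:classifier:version:scope
        if len(parts) == 6:
            version, scope = parts[4], parts[5]
        elif len(parts) == 5:
            version, scope = parts[3], parts[4]
        else:
            version, scope = parts[3], None
        del stack[depth:]  # pop siblings/children of the previous branch
        node = Node(group, artifact, version, scope, list(stack))
        nodes.append(node)
        stack.append(node.ga)
    return nodes


def version_key(v: str) -> tuple:
    """Leading numeric components of a Maven version, for ordering (3.0.7.RELEASE -> (3, 0, 7))."""
    nums = []
    for piece in re.split(r"[.\-]", v):
        if not piece.isdigit():
            break
        nums.append(int(piece))
    return tuple(nums)


def find_outdated(nodes: list, policy: dict = MIN_VERSIONS) -> list:
    """Return nodes whose group has a floor in the policy and whose version is below it."""
    return [n for n in nodes
            if n.group in policy and version_key(n.version) < version_key(policy[n.group])]


def report(text: str = SAMPLE_TREE, policy: dict = MIN_VERSIONS) -> list:
    """Print one line per finding and return (ga, version, scope, direct_dependency) tuples."""
    findings = find_outdated(parse_tree(text), policy)
    for n in findings:
        print(f"{n.ga}:{n.version} (scope={n.scope}) is below {policy[n.group]}; "
              f"pulled in via direct dependency {n.direct_dependency}")
    return [(n.ga, n.version, n.scope, n.direct_dependency) for n in findings]


if __name__ == "__main__":
    report()
```

Run it against the saved output of `mvn dependency:tree` for a module; every reported artifact shares the same direct dependency here (activemq-core), which is why upgrading or replacing that one parent, rather than managing six Spring versions individually, is the remediation the comment above weighs. The scope column is kept on purpose: `provided` (or `test`) artifacts never ship in the built jar, so the exposure is different from `compile` scope, but they still matter for the test and build environment.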



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)