[ https://issues.apache.org/jira/browse/RANGER-4038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17901928#comment-17901928 ]
AlexVazquez commented on RANGER-4038:
-------------------------------------
Hi [~hmaurya], [~bpatel], [~pradeep], [~madhan], [~ferarribas],
These past months, I've been working on adapting a version of Ranger to use
Spring 6. This change has required me to update the following libs:
- Java 11 -> 17
- Javax -> Jakarta
- Spring framework 5.7.12 -> 6.0.0
- Jersey 1.19 -> 3.0.16
- Tomcat embed 8.5.94 -> 10.1.31
- EclipseLink 2.7.12 -> 3.0.4
Currently, the project compiles and runs the Ranger servers (admin, user-sync and
tagsync), but there are some modules with failing unit tests.
[~ferarribas], I've created two shaded jars using the Apache Jakarta Migration
Tool for the two Hadoop libs that conflict with Jakarta. This workaround
allowed me to bypass the issue with Hadoop's transitive dependencies. A better
solution could be to include the Maven Shade plugin in the Hadoop project itself,
so the shading would be automatic, allowing the artifact to be downloaded from
Maven using a classifier. I chose the first solution because it was quicker
for me. [~hmaurya], what do you think about this workaround?
I leave this draft PR ( [https://github.com/apache/ranger/pull/419] ) in case
you want to or can review my work. As I don't have full knowledge of the project
and my Java skills are not the strongest, I'm sure I've missed many potential
issues that might arise. I understand this is a very ambitious step, but I
personally believe it could be a good opportunity for all of us to push this
change forward together.
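For readers unfamiliar with the "classifier" approach mentioned above, the following Maven Shade plugin fragment is an added illustration, not code from the Ranger PR or from the Hadoop project: it attaches a second artifact with the `jakarta` classifier in which `javax.*` package references are relocated to `jakarta.*`. The plugin version and the relocated packages (`javax.servlet`, `javax.ws.rs`) are assumptions chosen for illustration; the page does not name the conflicting packages.

```xml
<!-- Added example (assumed plugin version and packages), not from the page -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-shade-plugin</artifactId>
  <version>3.5.1</version>
  <executions>
    <execution>
      <phase>package</phase>
      <goals>
        <goal>shade</goal>
      </goals>
      <configuration>
        <!-- keep the normal artifact; publish the shaded one as <artifactId>-<version>-jakarta.jar -->
        <shadedArtifactAttached>true</shadedArtifactAttached>
        <shadedClassifierName>jakarta</shadedClassifierName>
        <createDependencyReducedPom>false</createDependencyReducedPom>
        <relocations>
          <!-- rewrite bytecode and string references to the Jakarta namespace -->
          <relocation>
            <pattern>javax.servlet</pattern>
            <shadedPattern>jakarta.servlet</shadedPattern>
          </relocation>
          <relocation>
            <pattern>javax.ws.rs</pattern>
            <shadedPattern>jakarta.ws.rs</shadedPattern>
          </relocation>
        </relocations>
        <transformers>
          <!-- merge META-INF/services entries so relocated providers are still discovered -->
          <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
        </transformers>
      </configuration>
    </execution>
  </executions>
</plugin>
```

Consumers would then depend on the artifact with `<classifier>jakarta</classifier>`, which is what the comment's "download from Maven using a classifier" refers to. Relocation only rewrites class references and matching string literals, so resources such as `web-fragment.xml` or `META-INF/services` files still need explicit transformers or checking.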
> Upgrade spring framework and spring security versions
> -----------------------------------------------------
>
> Key: RANGER-4038
> URL: https://issues.apache.org/jira/browse/RANGER-4038
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Himanshu Maurya
> Assignee: Himanshu Maurya
> Priority: Major
>
> Pivotal Spring Framework up to (excluding) 6.0.0 suffers from a potential
> remote code execution (RCE) issue if used for Java deserialization of
> untrusted data. Depending on how the library is implemented within a product,
> this issue may or may not occur, and authentication may be required.