[jira] [Created] (ARROW-1240) security: upgrade logback to address CVE-2017-5929

Matt Darwin created ARROW-1240:
----------------------------------

             Summary: security: upgrade logback to address CVE-2017-5929
                 Key: ARROW-1240
                 URL: https://issues.apache.org/jira/browse/ARROW-1240
             Project: Apache Arrow
          Issue Type: Bug
          Components: Java - Memory
    Affects Versions: 0.5.0
            Reporter: Matt Darwin

logback versions before 1.2.0 are affected by "a rather severe serialization vulnerability in SocketServer and ServerSocketReceiver".

We should upgrade logback from 1.0.13 to the latest version (currently 1.2.3) in order to address this.

See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929 and https://logback.qos.ch/news.html

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Updated] (ARROW-1240) security: upgrade logback to address CVE-2017-5929

    [ https://issues.apache.org/jira/browse/ARROW-1240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Darwin updated ARROW-1240:
-------------------------------
    Component/s: Java - Vectors

> security: upgrade logback to address CVE-2017-5929
> --------------------------------------------------
>
>                 Key: ARROW-1240
>                 URL: https://issues.apache.org/jira/browse/ARROW-1240
>             Project: Apache Arrow
>          Issue Type: Bug
>          Components: Java - Memory, Java - Vectors
>    Affects Versions: 0.4.1
>            Reporter: Matt Darwin
>             Fix For: 0.5.0
>
>
> logback versions before 1.2.0 are affected by "a rather severe serialization
> vulnerability in SocketServer and ServerSocketReceiver".
> We should upgrade logback from 1.0.13 to the latest version (currently 1.2.3)
> in order to address this.
> See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
> and
> https://logback.qos.ch/news.html

[jira] [Created] (ARROW-1242) security - upgrade Jackson to mitigate 3 CVE vulnerabilities

Matt Darwin created ARROW-1242:
----------------------------------

             Summary: security - upgrade Jackson to mitigate 3 CVE vulnerabilities
                 Key: ARROW-1242
                 URL: https://issues.apache.org/jira/browse/ARROW-1242
             Project: Apache Arrow
          Issue Type: Bug
          Components: Java - Memory, Java - Vectors
    Affects Versions: 0.4.1
            Reporter: Matt Darwin
             Fix For: 0.5.0

please consider upgrading jackson to mitigate its various vulnerabilities in 2.7.1:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jackson

see also https://github.com/FasterXML/jackson-databind/issues/1599

[jira] [Commented] (ARROW-1240) security: upgrade logback to address CVE-2017-5929

    [ https://issues.apache.org/jira/browse/ARROW-1240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16094746#comment-16094746 ]

Matt Darwin commented on ARROW-1240:
------------------------------------

I've fixed this in [PR 871|https://github.com/apache/arrow/pull/871] - please consider merging from that.

> security: upgrade logback to address CVE-2017-5929
> --------------------------------------------------
>
>                 Key: ARROW-1240
>                 URL: https://issues.apache.org/jira/browse/ARROW-1240
>             Project: Apache Arrow
>          Issue Type: Bug
>          Components: Java - Memory, Java - Vectors
>    Affects Versions: 0.4.1
>            Reporter: Matt Darwin
>             Fix For: 0.5.0
>
>
> logback versions before 1.2.0 are affected by "a rather severe serialization
> vulnerability in SocketServer and ServerSocketReceiver".
> We should upgrade logback from 1.0.13 to the latest version (currently 1.2.3)
> in order to address this.
> See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
> and
> https://logback.qos.ch/news.html

[jira] [Commented] (ARROW-1242) security - upgrade Jackson to mitigate 3 CVE vulnerabilities

    [ https://issues.apache.org/jira/browse/ARROW-1242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16094747#comment-16094747 ]

Matt Darwin commented on ARROW-1242:
------------------------------------

I've fixed this in [PR 872|https://github.com/apache/arrow/pull/872] - please merge that in.

> security - upgrade Jackson to mitigate 3 CVE vulnerabilities
> ------------------------------------------------------------
>
>                 Key: ARROW-1242
>                 URL: https://issues.apache.org/jira/browse/ARROW-1242
>             Project: Apache Arrow
>          Issue Type: Bug
>          Components: Java - Memory, Java - Vectors
>    Affects Versions: 0.4.1
>            Reporter: Matt Darwin
>             Fix For: 0.5.0
>
>
> please consider upgrading jackson to mitigate its various vulnerabilities in
> 2.7.1:
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jackson
> see also
> https://github.com/FasterXML/jackson-databind/issues/1599

[jira] [Created] (ARROW-1243) security: upgrade all libraries to latest stable versions

Matt Darwin created ARROW-1243:
----------------------------------

             Summary: security: upgrade all libraries to latest stable versions
                 Key: ARROW-1243
                 URL: https://issues.apache.org/jira/browse/ARROW-1243
             Project: Apache Arrow
          Issue Type: Improvement
          Components: Java - Memory, Java - Vectors
    Affects Versions: 0.4.1
            Reporter: Matt Darwin
             Fix For: 0.5.0

Some of the java libraries used are very old - e.g. commons-cli dates from 2009.

Rather than (or as well as) reacting to security vulnerabilities when they are discovered, we should pro-actively update all our libraries to the latest versions.

[jira] [Commented] (ARROW-1243) security: upgrade all libraries to latest stable versions

    [ https://issues.apache.org/jira/browse/ARROW-1243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16094765#comment-16094765 ]

Matt Darwin commented on ARROW-1243:
------------------------------------

Fixed in [PR 873|https://github.com/apache/arrow/pull/873] - please consider merging.

> security: upgrade all libraries to latest stable versions
> ---------------------------------------------------------
>
>                 Key: ARROW-1243
>                 URL: https://issues.apache.org/jira/browse/ARROW-1243
>             Project: Apache Arrow
>          Issue Type: Improvement
>          Components: Java - Memory, Java - Vectors
>    Affects Versions: 0.4.1
>            Reporter: Matt Darwin
>             Fix For: 0.5.0
>
>
> Some of the java libraries used are very old - e.g. commons-cli dates from
> 2009.
> Rather than (or as well as) reacting to security vulnerabilities when they
> are discovered, we should pro-actively update all our libraries to the latest
> versions.

[jira] [Commented] (ARROW-1242) [Java] security - upgrade Jackson to mitigate 3 CVE vulnerabilities

    [ https://issues.apache.org/jira/browse/ARROW-1242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16121257#comment-16121257 ]

Matt Darwin commented on ARROW-1242:
------------------------------------

Sorry, there was a bug in my PR and it's not changed the Jackson version. java/pom.xml defines a {{jackson.version}} variable, but in java/vector/pom.xml it doesn't use that variable. I've changed it in the branch and will submit a new PR.

> [Java] security - upgrade Jackson to mitigate 3 CVE vulnerabilities
> -------------------------------------------------------------------
>
>                 Key: ARROW-1242
>                 URL: https://issues.apache.org/jira/browse/ARROW-1242
>             Project: Apache Arrow
>          Issue Type: Bug
>          Components: Java - Memory, Java - Vectors
>    Affects Versions: 0.4.1
>            Reporter: Matt Darwin
>            Assignee: Matt Darwin
>             Fix For: 0.6.0
>
>
> please consider upgrading jackson to mitigate its various vulnerabilities in
> 2.7.1:
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jackson
> see also
> https://github.com/FasterXML/jackson-databind/issues/1599

[jira] [Reopened] (ARROW-1242) [Java] security - upgrade Jackson to mitigate 3 CVE vulnerabilities

    [ https://issues.apache.org/jira/browse/ARROW-1242?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Darwin reopened ARROW-1242:
--------------------------------

Sorry, there was a bug in my PR and it's not changed the Jackson version. java/pom.xml defines a {{jackson.version}} variable, but in java/vector/pom.xml it doesn't use that variable. I've changed it in my branch and have submitted a new PR #957.

> [Java] security - upgrade Jackson to mitigate 3 CVE vulnerabilities
> -------------------------------------------------------------------
>
>                 Key: ARROW-1242
>                 URL: https://issues.apache.org/jira/browse/ARROW-1242
>             Project: Apache Arrow
>          Issue Type: Bug
>          Components: Java - Memory, Java - Vectors
>    Affects Versions: 0.4.1
>            Reporter: Matt Darwin
>            Assignee: Matt Darwin
>             Fix For: 0.6.0
>
>
> please consider upgrading jackson to mitigate its various vulnerabilities in
> 2.7.1:
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jackson
> see also
> https://github.com/FasterXML/jackson-databind/issues/1599

[jira] [Issue Comment Deleted] (ARROW-1242) [Java] security - upgrade Jackson to mitigate 3 CVE vulnerabilities

    [ https://issues.apache.org/jira/browse/ARROW-1242?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Darwin updated ARROW-1242:
-------------------------------
    Comment: was deleted

(was: Sorry, there was a bug in my PR and it's not changed the Jackson version. java/pom.xml defines a {{jackson.version}} variable, but in java/vector/pom.xml it doesn't use that variable. I've changed it in the branch and will submit a new PR.)

> [Java] security - upgrade Jackson to mitigate 3 CVE vulnerabilities
> -------------------------------------------------------------------
>
>                 Key: ARROW-1242
>                 URL: https://issues.apache.org/jira/browse/ARROW-1242
>             Project: Apache Arrow
>          Issue Type: Bug
>          Components: Java - Memory, Java - Vectors
>    Affects Versions: 0.4.1
>            Reporter: Matt Darwin
>            Assignee: Matt Darwin
>             Fix For: 0.6.0
>
>
> please consider upgrading jackson to mitigate its various vulnerabilities in
> 2.7.1:
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jackson
> see also
> https://github.com/FasterXML/jackson-databind/issues/1599

[jira] [Comment Edited] (ARROW-1242) [Java] security - upgrade Jackson to mitigate 3 CVE vulnerabilities

    [ https://issues.apache.org/jira/browse/ARROW-1242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16121263#comment-16121263 ]

Matt Darwin edited comment on ARROW-1242 at 8/10/17 8:48 AM:
-------------------------------------------------------------

Sorry [~wesmckinn], there was a bug in my PR and it's not changed the Jackson version. java/pom.xml defines a {{jackson.version}} variable, but in java/vector/pom.xml it doesn't use that variable. I've changed it in my branch and have submitted a new PR #957.

was (Author: mdarwin):
Sorry, there was a bug in my PR and it's not changed the Jackson version. java/pom.xml defines a {{jackson.version}} variable, but in java/vector/pom.xml it doesn't use that variable. I've changed it in my branch and have submitted a new PR #957.

> [Java] security - upgrade Jackson to mitigate 3 CVE vulnerabilities
> -------------------------------------------------------------------
>
>                 Key: ARROW-1242
>                 URL: https://issues.apache.org/jira/browse/ARROW-1242
>             Project: Apache Arrow
>          Issue Type: Bug
>          Components: Java - Memory, Java - Vectors
>    Affects Versions: 0.4.1
>            Reporter: Matt Darwin
>            Assignee: Matt Darwin
>             Fix For: 0.6.0
>
>
> please consider upgrading jackson to mitigate its various vulnerabilities in
> 2.7.1:
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jackson
> see also
> https://github.com/FasterXML/jackson-databind/issues/1599

[jira] [Comment Edited] (ARROW-1242) [Java] security - upgrade Jackson to mitigate 3 CVE vulnerabilities

    [ https://issues.apache.org/jira/browse/ARROW-1242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16121263#comment-16121263 ]

Matt Darwin edited comment on ARROW-1242 at 8/10/17 8:49 AM:
-------------------------------------------------------------

Sorry [~wesmckinn], there was a bug in my PR and it's not changed the Jackson version. java/pom.xml defines a {{jackson.version}} variable, but in java/vector/pom.xml it doesn't use that variable. I've changed it in my branch and have submitted a new PR [PR 957|https://github.com/apache/arrow/pull/957].

was (Author: mdarwin):
Sorry [~wesmckinn], there was a bug in my PR and it's not changed the Jackson version. java/pom.xml defines a {{jackson.version}} variable, but in java/vector/pom.xml it doesn't use that variable. I've changed it in my branch and have submitted a new PR #957.

> [Java] security - upgrade Jackson to mitigate 3 CVE vulnerabilities
> -------------------------------------------------------------------
>
>                 Key: ARROW-1242
>                 URL: https://issues.apache.org/jira/browse/ARROW-1242
>             Project: Apache Arrow
>          Issue Type: Bug
>          Components: Java - Memory, Java - Vectors
>    Affects Versions: 0.4.1
>            Reporter: Matt Darwin
>            Assignee: Matt Darwin
>             Fix For: 0.6.0
>
>
> please consider upgrading jackson to mitigate its various vulnerabilities in
> 2.7.1:
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jackson
> see also
> https://github.com/FasterXML/jackson-databind/issues/1599

[jira] [Comment Edited] (ARROW-1242) [Java] security - upgrade Jackson to mitigate 3 CVE vulnerabilities

    [ https://issues.apache.org/jira/browse/ARROW-1242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16121263#comment-16121263 ]

Matt Darwin edited comment on ARROW-1242 at 8/10/17 8:50 AM:
-------------------------------------------------------------

Sorry [~wesmckinn], there was a bug in my PR and it's not changed the Jackson version. java/pom.xml defines a {{jackson.version}} variable, but in java/vector/pom.xml it doesn't use that variable. I've changed it in my branch and have submitted a new PR [#957|https://github.com/apache/arrow/pull/957].

was (Author: mdarwin):
Sorry [~wesmckinn], there was a bug in my PR and it's not changed the Jackson version. java/pom.xml defines a {{jackson.version}} variable, but in java/vector/pom.xml it doesn't use that variable. I've changed it in my branch and have submitted a new PR [PR 957|https://github.com/apache/arrow/pull/957].

> [Java] security - upgrade Jackson to mitigate 3 CVE vulnerabilities
> -------------------------------------------------------------------
>
>                 Key: ARROW-1242
>                 URL: https://issues.apache.org/jira/browse/ARROW-1242
>             Project: Apache Arrow
>          Issue Type: Bug
>          Components: Java - Memory, Java - Vectors
>    Affects Versions: 0.4.1
>            Reporter: Matt Darwin
>            Assignee: Matt Darwin
>             Fix For: 0.6.0
>
>
> please consider upgrading jackson to mitigate its various vulnerabilities in
> 2.7.1:
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jackson
> see also
> https://github.com/FasterXML/jackson-databind/issues/1599

[jira] [Reopened] (ARROW-1240) security: upgrade logback to address CVE-2017-5929

    [ https://issues.apache.org/jira/browse/ARROW-1240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Darwin reopened ARROW-1240:
--------------------------------

Sorry, fix was not correctly implemented, since logback is specified in multiple poms and only fixed in one.

> security: upgrade logback to address CVE-2017-5929
> --------------------------------------------------
>
>                 Key: ARROW-1240
>                 URL: https://issues.apache.org/jira/browse/ARROW-1240
>             Project: Apache Arrow
>          Issue Type: Bug
>          Components: Java - Memory, Java - Vectors
>    Affects Versions: 0.4.1
>            Reporter: Matt Darwin
>            Assignee: Matt Darwin
>             Fix For: 0.6.0
>
>
> logback versions before 1.2.0 are affected by "a rather severe serialization
> vulnerability in SocketServer and ServerSocketReceiver".
> We should upgrade logback from 1.0.13 to the latest version (currently 1.2.3)
> in order to address this.
> See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
> and
> https://logback.qos.ch/news.html

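Both reopenings in this thread (ARROW-1242, where java/vector/pom.xml ignored the parent's jackson.version property, and ARROW-1240, where logback was specified in multiple poms and only fixed in one) share the same root cause: a version declared in more than one place, so that a bump in one pom leaves a stale pin elsewhere. The check below is an added example, not Arrow's own code; the pom contents, file paths and version numbers in POMS are constructed samples. It parses a set of pom.xml files, reports any artifact whose resolved version differs between modules, and lists literal versions pinned outside the parent pom, which a property change will not reach.

```python
"""Audit Maven modules for dependency versions that bypass the parent's properties."""
import xml.etree.ElementTree as ET

# Constructed sample poms, not Arrow's real files: the parent defines version
# properties, but the child module pins its own literal versions for both libraries.
POMS = {
    "java/pom.xml": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jackson.version>2.9.0</jackson.version>
              <logback.version>1.2.3</logback.version></properties>
  <dependencies><dependency><groupId>ch.qos.logback</groupId>
    <artifactId>logback-classic</artifactId><version>${logback.version}</version>
  </dependency></dependencies></project>""",
    "java/vector/pom.xml": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies><dependency><groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId><version>2.7.1</version></dependency>
  <dependency><groupId>ch.qos.logback</groupId>
    <artifactId>logback-classic</artifactId><version>1.0.13</version></dependency>
  </dependencies></project>""",
}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the POM XML namespace from a tag name

def _fields(node):
    return {_local(c.tag): (c.text or "").strip() for c in node}

def audit(poms, parent="java/pom.xml"):
    """Return (drift, hardcoded). drift: artifact -> {pom: resolved version} for
    artifacts whose modules disagree. hardcoded: (pom, artifact, version) for
    literal pins outside the parent pom, which a property bump will not touch."""
    props, seen, hardcoded = {}, {}, []
    for path, xml in poms.items():
        for node in ET.fromstring(xml).iter():
            kind = _local(node.tag)
            if kind == "properties":
                props.update(_fields(node))
            elif kind == "dependency":
                f = _fields(node)
                art, ver = f"{f.get('groupId')}:{f.get('artifactId')}", f.get("version", "")
                seen.setdefault(art, {})[path] = ver
                if ver and not ver.startswith("${") and path != parent:
                    hardcoded.append((path, art, ver))
    drift = {}
    for art, by_pom in seen.items():
        # ${prop} references resolve against the collected properties; literals stay as-is
        resolved = {p: props.get(v[2:-1], v) if v.startswith("${") else v
                    for p, v in by_pom.items()}
        if len(set(resolved.values())) > 1:
            drift[art] = resolved
    return drift, hardcoded
```

Run against a real checkout by reading each module's pom.xml into the dict in place of POMS; an empty result is the condition a dependency-bump PR should be held to before merge.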