[jira] [Commented] (FLUME-3115) Upgrade netty library dependency

2017-07-05 Thread Mike Percy (JIRA)

[ 
https://issues.apache.org/jira/browse/FLUME-3115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16075293#comment-16075293
 ] 

Mike Percy commented on FLUME-3115:
---

The CVE says versions of Netty prior to 3.9.2 are vulnerable to a DoS attack 
when using SslHandler. Curator is pulling in the old netty version. The version 
that Flume depends on (looking at trunk) is 3.9.4 but it's possible that since 
both are on the classpath either one may actually be being used.

Really, Curator and Flume should both probably be shading Netty.

Flume may be vulnerable to this DoS today because it uses SslHandler in a 
couple of places:

{code}
$ ag -l SslHandler
flume-ng-core/src/main/java/org/apache/flume/source/AvroSource.java
flume-ng-core/src/test/java/org/apache/flume/source/TestAvroSource.java
flume-ng-core/src/test/java/org/apache/flume/sink/TestAvroSink.java
flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java
{code}

> Upgrade netty library dependency
> 
>
> Key: FLUME-3115
> URL: https://issues.apache.org/jira/browse/FLUME-3115
> Project: Flume
>  Issue Type: Bug
>Affects Versions: 1.7.0
>Reporter: Attila Simon
>Priority: Critical
>  Labels: dependency
> Fix For: 1.8.0
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |io.netty|netty|3.2.2.Final, 3.9.4.Final|4.1.12.Final|
> Note: This artifact was moved to:
> - New Group    io.netty
> - New Artifact netty-all
> Security vulnerability: http://www.cvedetails.com/cve/CVE-2014-3488/
> Please do:
> - double check the newest version. 
> - consider removing a dependency if a better alternative is available.
> - check whether the lib change would introduce a backward incompatibility (in 
> which case please add this label `breaking_change` and fix version should be 
> the next major)



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


Re: Update 3rd party dependencies

2017-07-05 Thread Mike Percy
Hi Attila,
Thanks for sending this. I have a few thoughts / questions on this:

1) You didn't include the analysis of A,G,S, etc. for the listed
dependencies in your email.
2) If there are security vulnerabilities reported that could affect Flume
then we should upgrade those dependencies where possible. However, in my
experience newer does not always mean better (a newer library may introduce
new bugs in exchange for new features we do not use) so I am not sure I
agree with the basic premise that we should avoid being on older versions
of libraries.
3) From a quick look at mvn dependency:tree the majority of those libs are
pulled in transitively by other projects. How do you propose dealing with
that?

I ran a quick script based on mvn dependency:tree and your list above and
marked the libraries you mentioned with an arrow (<---) to illustrate where
they come from (see below). Hope this is useful.

Thanks,
Mike

[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @
flume-checkstyle ---
[INFO] org.apache.flume:flume-checkstyle:jar:1.8.0-SNAPSHOT
[INFO]

[INFO]

[INFO] Building Apache Flume 1.8.0-SNAPSHOT
[INFO]

[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ flume-parent
---
[INFO] org.apache.flume:flume-parent:pom:1.8.0-SNAPSHOT
[INFO]

[INFO]

[INFO] Building Flume NG SDK 1.8.0-SNAPSHOT
[INFO]

[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ flume-ng-sdk
---
[INFO] org.apache.flume:flume-ng-sdk:jar:1.8.0-SNAPSHOT
[INFO] +- junit:junit:jar:4.10:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.1:test
[INFO] +- org.slf4j:slf4j-api:jar:1.6.1:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.6.1:compile
[INFO] |  \- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.avro:avro:jar:1.7.4:compile
[INFO] |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.3:compile   <---
[INFO] |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.3:compile
[INFO] |  +- com.thoughtworks.paranamer:paranamer:jar:2.3:compile
[INFO] |  +- org.xerial.snappy:snappy-java:jar:1.1.0:compile
[INFO] |  \- org.apache.commons:commons-compress:jar:1.4.1:compile
[INFO] |     \- org.tukaani:xz:jar:1.0:compile
[INFO] +- org.apache.avro:avro-ipc:jar:1.7.4:compile
[INFO] |  +- org.mortbay.jetty:jetty:jar:6.1.26:compile   <---
[INFO] |  +- org.mortbay.jetty:jetty-util:jar:6.1.26:compile   <---
[INFO] |  \- org.apache.velocity:velocity:jar:1.7:compile
[INFO] | \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] +- io.netty:netty:jar:3.9.4.Final:compile   <---
[INFO] \- org.apache.thrift:libthrift:jar:0.9.0:compile
[INFO]    +- commons-lang:commons-lang:jar:2.5:compile
[INFO]    +- org.apache.httpcomponents:httpclient:jar:4.2.1:compile   <---
[INFO]    |  +- commons-logging:commons-logging:jar:1.1.1:compile
[INFO]    |  \- commons-codec:commons-codec:jar:1.8:compile
[INFO]    \- org.apache.httpcomponents:httpcore:jar:4.1.3:compile
[INFO]

[INFO]

[INFO] Building Flume NG Configuration 1.8.0-SNAPSHOT
[INFO]

[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @
flume-ng-configuration ---
[INFO] org.apache.flume:flume-ng-configuration:jar:1.8.0-SNAPSHOT
[INFO] +- org.slf4j:slf4j-api:jar:1.6.1:compile
[INFO] +- junit:junit:jar:4.10:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.1:test
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.6.1:compile
[INFO] |  \- log4j:log4j:jar:1.2.17:compile
[INFO] +- com.google.guava:guava:jar:11.0.2:compile
[INFO] |  \- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] \- org.apache.flume:flume-ng-sdk:jar:1.8.0-SNAPSHOT:compile
[INFO]    +- org.apache.avro:avro:jar:1.7.4:compile
[INFO]    |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.3:compile   <---
[INFO]    |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.3:compile
[INFO]    |  +- com.thoughtworks.paranamer:paranamer:jar:2.3:compile
[INFO]    |  +- org.xerial.snappy:snappy-java:jar:1.1.0:compile
[INFO]    |  \- org.apache.commons:commons-compress:jar:1.4.1:compile
[INFO]    |     \- org.tukaani:xz:jar:1.0:compile
[INFO]    +- org.apache.avro:avro-ipc:jar:1.7.4:compile
[INFO]    |  +- org.mortbay.jetty:jetty:jar:6.1.26:compile   <---
[INFO]    |  +- org.mortbay.jetty:jetty-util:jar:6.1.26:compile   <---
[INFO]    |  \- org.apache.velocity:velocity:jar:1.7:compile
[INFO]    |     \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO]    +- io.netty:netty:jar:3.9.4.Final:compile   <---
[INFO]    \- org.apache.thrift:libthrift:jar:0.9.0:compile
[INFO]       +- commons-lang:commons-lang:jar:2.5:compile
[INFO]       +- 
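The "quick script based on mvn dependency:tree" mentioned in the mail above is not part of the thread. What follows is an added example, not Flume's code and not Mike's script, that does the same job over a constructed snippet of tree output: it marks watch-listed artifacts with the same `<---` arrow, reports artifacts that appear in more than one version across modules (the 3.2.2.Final versus 3.9.4.Final question raised in FLUME-3115), and prints the chain each copy comes through, so "where does it come from" is answered per module. It assumes the plain-text format of maven-dependency-plugin's tree goal, including the `(coord - omitted for conflict with X)` form that `-Dverbose` uses for copies Maven's nearest-wins mediation dropped. The second module, the Curator coordinate and its version in the sample are illustrative, not taken from Flume's build.

```python
r"""Mark watch-listed artifacts in `mvn dependency:tree` output, find artifacts present in
more than one version, and show the chain each copy comes through.
Added example, not Flume's code and not the script from the thread. Assumes the plain-text
tree format: one artifact per `[INFO]` line, `+-`/`\-` markers indented three columns per
level, coordinates group:artifact:type[:classifier]:version[:scope] and, with -Dverbose,
omitted copies printed as `(coord - omitted for conflict with X)`.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

MARKER_RE = re.compile(r'[+\\]- ')                      # "+- " or "\- " before a child
COORD_RE = re.compile(r'^[\w.\-]+(?::[\w.\-]+){3,5}$')  # a bare coordinate, no spaces

@dataclass
class Dep:
    ga: str               # group:artifact
    version: str
    scope: Optional[str]  # None on a module root line
    path: List[str]       # group:artifact chain from the module root down to this node
    note: Optional[str]   # e.g. "omitted for conflict with 3.9.4.Final" (verbose mode)
    line: str             # original text line, used by annotate()

def parse_coord(coord):
    """group:artifact:type[:classifier]:version[:scope] -> (group:artifact, version, scope)."""
    parts = coord.split(':')
    version = parts[4] if len(parts) == 6 else parts[3]   # 6 parts: classifier present
    scope = parts[-1] if len(parts) >= 5 else None        # 4 parts: module root, no scope
    return parts[0] + ':' + parts[1], version, scope

def parse_tree(text):
    deps, stack = [], []       # stack: ancestors' group:artifact, indexed by depth
    for raw in text.splitlines():
        if not raw.startswith('[INFO]'):
            continue
        line = raw[len('[INFO]'):].rstrip()
        m = MARKER_RE.search(line)
        if m:                  # child line; the marker sits 1 + 3*(depth-1) columns in
            depth, coord = (m.start() - 1) // 3 + 1, line[m.end():].strip()
        elif COORD_RE.match(line.strip()):
            depth, coord = 0, line.strip()   # module root line
        else:
            continue           # banners, separators, "Total time: ..." and the like
        note = None
        if coord.startswith('(') and coord.endswith(')'):   # verbose: an omitted copy
            coord, _, note = coord[1:-1].partition(' - ')
        ga, version, scope = parse_coord(coord)
        del stack[depth:]      # pop back to this node's parent, then push it
        stack.append(ga)
        deps.append(Dep(ga, version, scope, list(stack), note, raw.rstrip()))
    return deps

def multiple_versions(deps):
    """group:artifact -> sorted versions, for artifacts seen in more than one version."""
    seen = defaultdict(set)
    for d in deps:
        seen[d.ga].add(d.version)
    return {ga: sorted(v) for ga, v in seen.items() if len(v) > 1}

def paths_to(deps, ga):
    """Every chain module root -> ... -> ga: who is pulling the artifact in, per module."""
    return [' -> '.join(d.path) + (' (%s)' % d.note if d.note else '')
            for d in deps if d.ga == ga]

def annotate(text, watchlist):
    """Append ' <---' to the lines of watch-listed artifacts, as done by hand above."""
    flagged = {d.line for d in parse_tree(text) if d.ga in watchlist}
    return '\n'.join(l + '   <---' if l.rstrip() in flagged else l for l in text.splitlines())

# Constructed sample, modelled on the flume-ng-sdk tree above plus a hypothetical second
# module that gets an older Netty through Curator, written the way -Dverbose prints an
# omitted copy. The second module and the Curator coordinate/version are illustrative.
SAMPLE_TREE = r"""
[INFO] org.apache.flume:flume-ng-sdk:jar:1.8.0-SNAPSHOT
[INFO] +- org.apache.avro:avro-ipc:jar:1.7.4:compile
[INFO] |  +- org.mortbay.jetty:jetty:jar:6.1.26:compile
[INFO] |  \- org.apache.velocity:velocity:jar:1.7:compile
[INFO] |     \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] +- io.netty:netty:jar:3.9.4.Final:compile
[INFO] \- org.apache.thrift:libthrift:jar:0.9.0:compile
[INFO]    \- org.apache.httpcomponents:httpclient:jar:4.2.1:compile
[INFO] org.apache.flume:flume-ng-node:jar:1.8.0-SNAPSHOT
[INFO] +- org.apache.flume:flume-ng-sdk:jar:1.8.0-SNAPSHOT:compile
[INFO] |  \- io.netty:netty:jar:3.9.4.Final:compile
[INFO] \- org.apache.curator:curator-framework:jar:2.7.1:compile
[INFO]    \- (io.netty:netty:jar:3.2.2.Final:compile - omitted for conflict with 3.9.4.Final)
[INFO] Total time: 1.234 s
"""
WATCHLIST = {'io.netty:netty', 'org.mortbay.jetty:jetty', 'org.apache.httpcomponents:httpclient'}

if __name__ == '__main__':
    deps = parse_tree(SAMPLE_TREE)
    print(annotate(SAMPLE_TREE, WATCHLIST))
    for ga, versions in multiple_versions(deps).items():
        print('\n%s seen as %s:\n  %s' % (ga, ', '.join(versions), '\n  '.join(paths_to(deps, ga))))
```

Feed it the output of `mvn dependency:tree -Dverbose -Dincludes=io.netty` (both parameters exist in the 2.10 plugin used above). With `-Dverbose` the tree also lists the copies Maven dropped during mediation, which is what tells you whether a second Netty version is merely declared by a transitive dependency or is actually resolved by some module. Keep in mind that this is Maven's view only: a lib directory assembled by hand, a fat jar, or a plugin directory can still carry the older jar, so the final check is on the running JVM, looking at which jar the SslHandler class is loaded from.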

[jira] [Commented] (FLUME-2957) Remove Guava from our public API

2017-07-05 Thread Mike Percy (JIRA)

[ 
https://issues.apache.org/jira/browse/FLUME-2957?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16075107#comment-16075107
 ] 

Mike Percy commented on FLUME-2957:
---

I agree that we should simply expose a Map instead of the Guava ImmutableMap 
implementation as part of this public API.

> Remove Guava from our public API
> 
>
> Key: FLUME-2957
> URL: https://issues.apache.org/jira/browse/FLUME-2957
> Project: Flume
>  Issue Type: Task
>Affects Versions: 1.8.0
>Reporter: Lior Zeno
> Fix For: 2.0.0
>
>
> Context.getParameters (flume-ng-configuration module) returns 
> com.google.common.collect.ImmutableMap (Guava). We should clean our API and 
> return either a native java interface or Flume's.
> In addition to the current state being a bad practice, this also means that 
> we are unable to shade Guava in Flume.
> Note: Since this breaks our public API, I'll reschedule this issue to 2.0 
> once we have this version managed in jira.





[jira] [Created] (FLUME-3115) Upgrade netty library dependency

2017-07-05 Thread Attila Simon (JIRA)
Attila Simon created FLUME-3115:
---

 Summary: Upgrade netty library dependency
 Key: FLUME-3115
 URL: https://issues.apache.org/jira/browse/FLUME-3115
 Project: Flume
  Issue Type: Bug
Affects Versions: 1.7.0
Reporter: Attila Simon
Priority: Critical
 Fix For: 1.8.0


||Group||Artifact||Version used||Upgrade target||
|io.netty|netty|3.2.2.Final, 3.9.4.Final|4.1.12.Final|

Note: This artifact was moved to:
- New Group io.netty
- New Artifact  netty-all

Security vulnerability: http://www.cvedetails.com/cve/CVE-2014-3488/

Please do:
- double check the newest version. 
- consider removing a dependency if a better alternative is available.
- check whether the lib change would introduce a backward incompatibility (in 
which case please add this label `breaking_change` and fix version should be 
the next major)





[jira] [Commented] (FLUME-1732) Build is failing due to netty problems

2017-07-05 Thread Attila Simon (JIRA)

[ 
https://issues.apache.org/jira/browse/FLUME-1732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16075044#comment-16075044
 ] 

Attila Simon commented on FLUME-1732:
-

Interestingly it seems like it has been committed:
{noformat}
trunk(964bcf56)$ git log --oneline --grep FLUME-1732
750809c7 FLUME-1732: SpoolableDirectorySource should have configurable support 
for deleting files it has already completed instead of renaming
{noformat}
Unfortunately this is just a mistake in commit message. That change belongs to 
FLUME-1731 instead.

I followed [~mpercy]'s steps from above but no failure for me. I conclude 
everything went back to normal since this ticket was opened. So marking this 
ticket as resolved. 
{noformat}
trunk(964bcf56)$ mvn -version
Apache Maven 3.3.9 (bb52d8502b132ec0a5a3f4c09453c07478323dc5; 
2015-11-10T17:41:47+01:00)
Maven home: /usr/local/Cellar/maven/3.3.9/libexec
Java version: 1.8.0_101, vendor: Oracle Corporation
Java home: /Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "10.12.5", arch: "x86_64", family: "mac"
{noformat} 

> Build is failing due to netty problems
> --
>
> Key: FLUME-1732
> URL: https://issues.apache.org/jira/browse/FLUME-1732
> Project: Flume
>  Issue Type: Bug
>Affects Versions: 1.4.0
>Reporter: Brock Noland
>Assignee: Mike Percy
> Attachments: FLUME-1732-3.patch, FLUME-1732.patch
>
>
> FLUME-1723 changed how we bring in netty and that seems to have broken the 
> build https://builds.apache.org/job/flume-trunk/330/#showFailuresLink





Re: [jira] [Updated] (FLUME-3113) Upgrade commons-beanutils library dependency

2017-07-05 Thread Edwards, Jesse
unsubscribe


From: Attila Simon (JIRA) 
Sent: Wednesday, July 5, 2017 8:39:00 AM
To: dev@flume.apache.org
Subject: [jira] [Updated] (FLUME-3113) Upgrade commons-beanutils 
library dependency


 [ 
https://issues.apache.org/jira/browse/FLUME-3113?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Attila Simon updated FLUME-3113:

Description:
||Group||Artifact||Version used||Upgrade target||
|commons-beanutils|commons-beanutils|1.7.0|1.9.3|
|commons-beanutils|commons-beanutils-core|1.8.0|1.8.3|

Security vulnerability: https://www.cvedetails.com/cve/CVE-2014-0114/

Please do:
- double check the newest version.
- consider removing a dependency if a better alternative is available.
- check whether the lib change would introduce a backward incompatibility (in 
which case please add this label `breaking_change` and fix version should be 
the next major)

  was:
||Group||Artifact||Version used||Upgrade target||
|commons-beanutils|commons-beanutils|1.7.0|1.9.3|

Security vulnerability: https://www.cvedetails.com/cve/CVE-2014-0114/

Please do:
- double check the newest version.
- consider removing a dependency if a better alternative is available.
- check whether the lib change would introduce a backward incompatibility (in 
which case please add this label `breaking_change` and fix version should be 
the next major)


> Upgrade commons-beanutils library dependency
> 
>
> Key: FLUME-3113
> URL: https://issues.apache.org/jira/browse/FLUME-3113
> Project: Flume
>  Issue Type: Bug
>Affects Versions: 1.7.0
>Reporter: Attila Simon
>Priority: Critical
>  Labels: dependency
> Fix For: 1.8.0
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |commons-beanutils|commons-beanutils|1.7.0|1.9.3|
> |commons-beanutils|commons-beanutils-core|1.8.0|1.8.3|
> Security vulnerability: https://www.cvedetails.com/cve/CVE-2014-0114/
> Please do:
> - double check the newest version.
> - consider removing a dependency if a better alternative is available.
> - check whether the lib change would introduce a backward incompatibility (in 
> which case please add this label `breaking_change` and fix version should be 
> the next major)





[jira] [Updated] (FLUME-2501) Updating HttpClient lib version to ensure compat with Solr

2017-07-05 Thread Attila Simon (JIRA)

 [ 
https://issues.apache.org/jira/browse/FLUME-2501?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Attila Simon updated FLUME-2501:

Labels: dependency  (was: )

> Updating HttpClient lib version to ensure compat with Solr
> --
>
> Key: FLUME-2501
> URL: https://issues.apache.org/jira/browse/FLUME-2501
> Project: Flume
>  Issue Type: Bug
>  Components: Sinks+Sources
>Affects Versions: 1.5.0.1
>Reporter: Roshan Naik
>Assignee: Roshan Naik
>  Labels: dependency
> Attachments: FLUME-2501.patch, FLUME-2501.v2.patch
>
>
> Mismatch in httpclient and http core libs pulled by flume v/s the ones that 
> come with Solr causes errors at runtime
> {code}
> 2014-10-13 19:52:32,042 (lifecycleSupervisor-1-1) [DEBUG - 
> org.apache.solr.client.solrj.impl.HttpClientUtil.createClient(HttpClientUtil.java:106)]
>  Creating new http client, 
> config:maxConnections=128=32=false
> 2014-10-13 19:52:32,225 (lifecycleSupervisor-1-1) [ERROR - 
> org.apache.flume.lifecycle.LifecycleSupervisor$MonitorRunnable.run(LifecycleSupervisor.java:253)]
>  Unable to start SinkRunner: { 
> policy:org.apache.flume.sink.DefaultSinkProcessor@4752b854 counterGroup:{ 
> name:null counters:{} } } - Exception follows.
> java.lang.NoSuchFieldError: DEF_CONTENT_CHARSET
>   at 
> org.apache.http.impl.client.DefaultHttpClient.setDefaultHttpParams(DefaultHttpClient.java:175)
>   at 
> org.apache.http.impl.client.DefaultHttpClient.createHttpParams(DefaultHttpClient.java:158)
>   at 
> org.apache.http.impl.client.AbstractHttpClient.getParams(AbstractHttpClient.java:448)
>   at 
> org.apache.solr.client.solrj.impl.HttpClientUtil.setFollowRedirects(HttpClientUtil.java:251)
>   at 
> org.apache.solr.client.solrj.impl.HttpClientConfigurer.configure(HttpClientConfigurer.java:58)
>   at 
> org.apache.solr.client.solrj.impl.HttpClientUtil.configureClient(HttpClientUtil.java:133)
>   at 
> org.apache.solr.client.solrj.impl.HttpClientUtil.createClient(HttpClientUtil.java:109)
>   at 
> org.apache.solr.client.solrj.impl.HttpSolrServer.<init>(HttpSolrServer.java:161)
>   at 
> org.apache.solr.client.solrj.impl.HttpSolrServer.<init>(HttpSolrServer.java:138)
>   at 
> org.apache.solr.client.solrj.impl.ConcurrentUpdateSolrServer.<init>(ConcurrentUpdateSolrServer.java:122)
>   at 
> org.apache.solr.client.solrj.impl.ConcurrentUpdateSolrServer.<init>(ConcurrentUpdateSolrServer.java:114)
>   at 
> org.apache.solr.client.solrj.impl.ConcurrentUpdateSolrServer.<init>(ConcurrentUpdateSolrServer.java:104)
>   at 
> org.kitesdk.morphline.solr.SafeConcurrentUpdateSolrServer.<init>(SafeConcurrentUpdateSolrServer.java:39)
>   at 
> org.kitesdk.morphline.solr.SafeConcurrentUpdateSolrServer.<init>(SafeConcurrentUpdateSolrServer.java:35)
>   at 
> org.kitesdk.morphline.solr.SolrLocator.getLoader(SolrLocator.java:116)
>   at 
> org.kitesdk.morphline.solr.LoadSolrBuilder$LoadSolr.<init>(LoadSolrBuilder.java:70)
>   at 
> org.kitesdk.morphline.solr.LoadSolrBuilder.build(LoadSolrBuilder.java:52)
>   at 
> org.kitesdk.morphline.base.AbstractCommand.buildCommand(AbstractCommand.java:303)
>   at 
> org.kitesdk.morphline.base.AbstractCommand.buildCommandChain(AbstractCommand.java:250)
>   at org.kitesdk.morphline.stdlib.Pipe.<init>(Pipe.java:46)
>   at org.kitesdk.morphline.stdlib.PipeBuilder.build(PipeBuilder.java:40)
>   at org.kitesdk.morphline.base.Compiler.compile(Compiler.java:126)
>   at org.kitesdk.morphline.base.Compiler.compile(Compiler.java:55)
>   at 
> org.apache.flume.sink.solr.morphline.MorphlineHandlerImpl.configure(MorphlineHandlerImpl.java:101)
>   at 
> org.apache.flume.sink.solr.morphline.MorphlineSink.start(MorphlineSink.java:97)
>   at 
> org.apache.flume.sink.DefaultSinkProcessor.start(DefaultSinkProcessor.java:46)
>   at org.apache.flume.SinkRunner.start(SinkRunner.java:79)
>   at 
> org.apache.flume.lifecycle.LifecycleSupervisor$MonitorRunnable.run(LifecycleSupervisor.java:251)
>   at 
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>   at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:304)
>   at 
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:178)
>   at 
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>   at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>   at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>   at java.lang.Thread.run(Thread.java:745)
> {code}





[jira] [Commented] (FLUME-3114) Upgrade commons-httpclient library dependency

2017-07-05 Thread Attila Simon (JIRA)

[ 
https://issues.apache.org/jira/browse/FLUME-3114?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16074995#comment-16074995
 ] 

Attila Simon commented on FLUME-3114:
-

We have a very similar jira where a patch is ready to upgrade to an older version than 
the one currently proposed. The version proposed there doesn't seem to have 
any CVE yet. 

> Upgrade commons-httpclient library dependency
> -
>
> Key: FLUME-3114
> URL: https://issues.apache.org/jira/browse/FLUME-3114
> Project: Flume
>  Issue Type: Bug
>Affects Versions: 1.7.0
>Reporter: Attila Simon
>Priority: Critical
>  Labels: dependency
> Fix For: 1.8.0
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |commons-httpclient|commons-httpclient|3.1,3.0.1|4.5.2|
> Note: This artifact was moved to:
> * New Group    org.apache.httpcomponents
> * New Artifact httpclient
> Security vulnerability: https://www.cvedetails.com/cve/CVE-2012-5783/
> Please do:
> - double check the newest version. 
> - consider removing a dependency if a better alternative is available.
> - check whether the lib change would introduce a backward incompatibility (in 
> which case please add this label `breaking_change` and fix version should be 
> the next major)





[jira] [Created] (FLUME-3114) Upgrade commons-httpclient library dependency

2017-07-05 Thread Attila Simon (JIRA)
Attila Simon created FLUME-3114:
---

 Summary: Upgrade commons-httpclient library dependency
 Key: FLUME-3114
 URL: https://issues.apache.org/jira/browse/FLUME-3114
 Project: Flume
  Issue Type: Bug
Affects Versions: 1.7.0
Reporter: Attila Simon
Priority: Critical
 Fix For: 1.8.0


||Group||Artifact||Version used||Upgrade target||
|commons-httpclient|commons-httpclient|3.1,3.0.1|4.5.2|

Note: This artifact was moved to:
* New Group org.apache.httpcomponents
* New Artifact  httpclient

Security vulnerability: https://www.cvedetails.com/cve/CVE-2012-5783/

Please do:
- double check the newest version. 
- consider removing a dependency if a better alternative is available.
- check whether the lib change would introduce a backward incompatibility (in 
which case please add this label `breaking_change` and fix version should be 
the next major)





[jira] [Updated] (FLUME-3113) Upgrade commons-beanutils library dependency

2017-07-05 Thread Attila Simon (JIRA)

 [ 
https://issues.apache.org/jira/browse/FLUME-3113?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Attila Simon updated FLUME-3113:

Description: 
||Group||Artifact||Version used||Upgrade target||
|commons-beanutils|commons-beanutils|1.7.0|1.9.3|
|commons-beanutils|commons-beanutils-core|1.8.0|1.8.3|

Security vulnerability: https://www.cvedetails.com/cve/CVE-2014-0114/

Please do:
- double check the newest version. 
- consider removing a dependency if a better alternative is available.
- check whether the lib change would introduce a backward incompatibility (in 
which case please add this label `breaking_change` and fix version should be 
the next major)

  was:
||Group||Artifact||Version used||Upgrade target||
|commons-beanutils|commons-beanutils|1.7.0|1.9.3|

Security vulnerability: https://www.cvedetails.com/cve/CVE-2014-0114/

Please do:
- double check the newest version. 
- consider removing a dependency if a better alternative is available.
- check whether the lib change would introduce a backward incompatibility (in 
which case please add this label `breaking_change` and fix version should be 
the next major)


> Upgrade commons-beanutils library dependency
> 
>
> Key: FLUME-3113
> URL: https://issues.apache.org/jira/browse/FLUME-3113
> Project: Flume
>  Issue Type: Bug
>Affects Versions: 1.7.0
>Reporter: Attila Simon
>Priority: Critical
>  Labels: dependency
> Fix For: 1.8.0
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |commons-beanutils|commons-beanutils|1.7.0|1.9.3|
> |commons-beanutils|commons-beanutils-core|1.8.0|1.8.3|
> Security vulnerability: https://www.cvedetails.com/cve/CVE-2014-0114/
> Please do:
> - double check the newest version. 
> - consider removing a dependency if a better alternative is available.
> - check whether the lib change would introduce a backward incompatibility (in 
> which case please add this label `breaking_change` and fix version should be 
> the next major)





[jira] [Commented] (FLUME-3112) Upgrade jackson-core library dependency

2017-07-05 Thread Attila Simon (JIRA)

[ 
https://issues.apache.org/jira/browse/FLUME-3112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16074953#comment-16074953
 ] 

Attila Simon commented on FLUME-3112:
-

Excerpted transitive dependency tree from `mvn dependency:tree` 

{noformat}
org.apache.flume.flume-ng-sinks:flume-dataset-sink:jar:1.8.0-SNAPSHOT
org.kitesdk:kite-data-core:jar:1.0.0:compile
com.fasterxml.jackson.core:jackson-databind:jar:2.3.1:compile
com.fasterxml.jackson.core:jackson-annotations:jar:2.3.0:compile

com.fasterxml.jackson.core:jackson-core:jar:2.3.1:compile
{noformat}

{noformat}
org.apache.flume.flume-ng-sinks:flume-ng-morphline-solr-sink:jar:1.8.0-SNAPSHOT
org.kitesdk:kite-morphlines-all:pom:1.0.0:compile
org.kitesdk:kite-morphlines-json:jar:1.0.0:compile
com.fasterxml.jackson.core:jackson-databind:jar:2.3.1:compile
com.fasterxml.jackson.core:jackson-annotations:jar:2.3.0:compile
com.fasterxml.jackson.core:jackson-core:jar:2.3.1:compile
{noformat}

> Upgrade jackson-core library dependency
> ---
>
> Key: FLUME-3112
> URL: https://issues.apache.org/jira/browse/FLUME-3112
> Project: Flume
>  Issue Type: Bug
>Affects Versions: 1.7.0
>Reporter: Attila Simon
>Priority: Critical
>  Labels: dependency
> Fix For: 1.8.0
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |com.fasterxml.jackson.core|jackson-core|2.3.1|2.8.9|
> Security vulnerability: http://www.cvedetails.com/cve/CVE-2016-7051/
> Please do:
> - double check the newest version. 
> - consider removing a dependency if a better alternative is available.
> - check whether the lib change would introduce a backward incompatibility (in 
> which case please add this label `breaking_change` and fix version should be 
> the next major)





[jira] [Created] (FLUME-3113) Upgrade commons-beanutils library dependency

2017-07-05 Thread Attila Simon (JIRA)
Attila Simon created FLUME-3113:
---

 Summary: Upgrade commons-beanutils library dependency
 Key: FLUME-3113
 URL: https://issues.apache.org/jira/browse/FLUME-3113
 Project: Flume
  Issue Type: Bug
Affects Versions: 1.7.0
Reporter: Attila Simon
Priority: Critical
 Fix For: 1.8.0


||Group||Artifact||Version used||Upgrade target||
|commons-beanutils|commons-beanutils|1.7.0|1.9.3|

Security vulnerability: https://www.cvedetails.com/cve/CVE-2014-0114/

Please do:
- double check the newest version. 
- consider removing a dependency if a better alternative is available.
- check whether the lib change would introduce a backward incompatibility (in 
which case please add this label `breaking_change` and fix version should be 
the next major)





[jira] [Created] (FLUME-3112) Upgrade jackson-core library dependency

2017-07-05 Thread Attila Simon (JIRA)
Attila Simon created FLUME-3112:
---

 Summary: Upgrade jackson-core library dependency
 Key: FLUME-3112
 URL: https://issues.apache.org/jira/browse/FLUME-3112
 Project: Flume
  Issue Type: Bug
Affects Versions: 1.7.0
Reporter: Attila Simon
Priority: Critical
 Fix For: 1.8.0


||Group||Artifact||Version used||Upgrade target||
|com.fasterxml.jackson.core|jackson-core|2.3.1|2.8.9|

Security vulnerability: http://www.cvedetails.com/cve/CVE-2016-7051/

Please do:
- double check the newest version. 
- consider removing a dependency if a better alternative is available.
- check whether the lib change would introduce a backward incompatibility (in 
which case please add this label `breaking_change` and fix version should be 
the next major)


