[jira] [Comment Edited] (FLUME-3131) Upgrade spring framework library dependencies

2017-07-20 Thread Attila Simon (JIRA)

[ 
https://issues.apache.org/jira/browse/FLUME-3131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16095870#comment-16095870
 ] 

Attila Simon edited comment on FLUME-3131 at 7/21/17 6:56 AM:
--

Hi [~fszabo],
In general I'm fine with any approach which gets us closer to the state where 
flume is not vulnerable based on our understanding. 

Indeed it looks like test only. But having a closer look, it seems that 
activemq (parent dependency of spring, and also brings in geronimo) also falls 
into the same category. I would also consider updating the version of 
activemq in case it still passes testing and doesn't bring in undesired 
dependencies transitively. (This in turn might help resolve this ticket by 
either removing the spring dependency completely or pulling in a "better" one.)

{noformat}
⏚ [~/ws/apache/flume] trunk ± ag activemq *
flume-ng-doc/sphinx/FlumeUserGuide.rst
932:application it should work with any JMS provider but has only been tested 
with ActiveMQ.
945:**initialContextFactory**   --   Inital Context Factory, e.g: 
org.apache.activemq.jndi.ActiveMQInitialContextFactory
994:  a1.sources.r1.initialContextFactory = 
org.apache.activemq.jndi.ActiveMQInitialContextFactory

flume-ng-sources/flume-jms-source/pom.xml
74:  org.apache.activemq
75:  activemq-core

flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestIntegrationActiveMQ.java
37:import org.apache.activemq.ActiveMQConnectionFactory;
38:import org.apache.activemq.broker.BrokerPlugin;
39:import org.apache.activemq.broker.BrokerService;
40:import org.apache.activemq.security.AuthenticationUser;
41:import org.apache.activemq.security.SimpleAuthenticationPlugin;
57:public class TestIntegrationActiveMQ {
60:  "org.apache.activemq.jndi.ActiveMQInitialContextFactory";
65:  // specific for dynamic queues on ActiveMq
133:ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,
154:ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,

pom.xml
1081:org.apache.activemq
1082:activemq-core
{noformat}


was (Author: sati):
Hi [~fszabo],
In general I'm fine with any approach which gets us closer to the state where 
flume is not vulnerable based on our understanding. 

Indeed it looks like test only. But having a closer look, it seems that 
activemq (parent dependency of geronimo) also falls into the same category. I 
would also consider updating the version of activemq in case it still passes 
testing and doesn't bring in undesired dependencies transitively. (This in turn 
might help resolve this ticket by either removing the spring dependency 
completely or pulling in a "better" one.)

{noformat}
⏚ [~/ws/apache/flume] trunk ± ag activemq *
flume-ng-doc/sphinx/FlumeUserGuide.rst
932:application it should work with any JMS provider but has only been tested 
with ActiveMQ.
945:**initialContextFactory**   --   Inital Context Factory, e.g: 
org.apache.activemq.jndi.ActiveMQInitialContextFactory
994:  a1.sources.r1.initialContextFactory = 
org.apache.activemq.jndi.ActiveMQInitialContextFactory

flume-ng-sources/flume-jms-source/pom.xml
74:  org.apache.activemq
75:  activemq-core

flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestIntegrationActiveMQ.java
37:import org.apache.activemq.ActiveMQConnectionFactory;
38:import org.apache.activemq.broker.BrokerPlugin;
39:import org.apache.activemq.broker.BrokerService;
40:import org.apache.activemq.security.AuthenticationUser;
41:import org.apache.activemq.security.SimpleAuthenticationPlugin;
57:public class TestIntegrationActiveMQ {
60:  "org.apache.activemq.jndi.ActiveMQInitialContextFactory";
65:  // specific for dynamic queues on ActiveMq
133:ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,
154:ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,

pom.xml
1081:org.apache.activemq
1082:activemq-core
{noformat}

> Upgrade spring framework library dependencies
> -
>
> Key: FLUME-3131
> URL: https://issues.apache.org/jira/browse/FLUME-3131
> Project: Flume
>  Issue Type: Bug
>Affects Versions: 1.7.0
>Reporter: Attila Simon
>Assignee: Ferenc Szabo
>Priority: Critical
>  Labels: dependency
> Fix For: 1.8.0
>
> Attachments: FLUME-3131.patch
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |org.springframework|spring-aop|3.0.7.RELEASE|4.3.9.RELEASE,|
> |org.springframework|spring-context|3.0.7.RELEASE|4.3.9.RELEASE,|
> |org.springframework|spring-core|3.0.7.RELEASE|4.3.9.RELEASE,|
> Security vulnerability: 
> https://www.cvedetails.com/vulnerability-list/vendor_id-9664/product_id-17274/Springsource-Spring-Framework.html
> 

[jira] [Comment Edited] (FLUME-3131) Upgrade spring framework library dependencies

2017-07-20 Thread Ferenc Szabo (JIRA)

[ 
https://issues.apache.org/jira/browse/FLUME-3131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16093618#comment-16093618
 ] 

Ferenc Szabo edited comment on FLUME-3131 at 7/20/17 11:23 PM:
---

[~sati]
In this case I would recommend changing the activemq dependency to test 
scope because it is only used in one test; then the vulnerability is not going 
to be present in production.
For the `javax.jms.*` packages use the following dependency:
{code}
<dependency>
  <groupId>org.apache.geronimo.specs</groupId>
  <artifactId>geronimo-jms_1.1_spec</artifactId>
  <version>1.1.1</version>
</dependency>
{code}



was (Author: fszabo):
[~sati]
In this case I would recommend changing the activemq dependency to test 
scope because it is only used in one test; then the vulnerability is not going 
to be present in production.
For the `javax.jms.*` packages use the following dependency:
{code}
<dependency>
  <groupId>javax.jms</groupId>
  <artifactId>jms</artifactId>
</dependency>
{code}


> Upgrade spring framework library dependencies
> -
>
> Key: FLUME-3131
> URL: https://issues.apache.org/jira/browse/FLUME-3131
> Project: Flume
>  Issue Type: Bug
>Affects Versions: 1.7.0
>Reporter: Attila Simon
>Assignee: Ferenc Szabo
>Priority: Critical
>  Labels: dependency
> Fix For: 1.8.0
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |org.springframework|spring-aop|3.0.7.RELEASE|4.3.9.RELEASE,|
> |org.springframework|spring-context|3.0.7.RELEASE|4.3.9.RELEASE,|
> |org.springframework|spring-core|3.0.7.RELEASE|4.3.9.RELEASE,|
> Security vulnerability: 
> https://www.cvedetails.com/vulnerability-list/vendor_id-9664/product_id-17274/Springsource-Spring-Framework.html
> Maven repositories: 
> - https://mvnrepository.com/artifact/org.springframework/spring-aop
> - https://mvnrepository.com/artifact/org.springframework/spring-context
> - https://mvnrepository.com/artifact/org.springframework/spring-core
> Please do:
> - CVE might be a false alarm or mistake. Please double check.
> - double check the newest version. 
> - consider to remove a dependency if better alternative is available.
> - check whether the lib change would introduce a backward incompatibility (in 
> which case please add this label `breaking_change` and fix version should be 
> the next major)
> Excerpt from mvn dependency:tree
> {noformat}
> org.apache.flume.flume-ng-sources:flume-jms-source:jar:1.8.0-SNAPSHOT
> \- org.apache.activemq:activemq-core:jar:5.7.0:provided
>+- org.springframework:spring-context:jar:3.0.7.RELEASE:provided
>|  +- org.springframework:spring-aop:jar:3.0.7.RELEASE:provided
>|  +- org.springframework:spring-beans:jar:3.0.7.RELEASE:provided
>|  +- org.springframework:spring-core:jar:3.0.7.RELEASE:provided
>|  +- org.springframework:spring-expression:jar:3.0.7.RELEASE:provided
>|  \- org.springframework:spring-asm:jar:3.0.7.RELEASE:provided
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Comment Edited] (FLUME-3131) Upgrade spring framework library dependencies

2017-07-20 Thread Ferenc Szabo (JIRA)

[ 
https://issues.apache.org/jira/browse/FLUME-3131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16093618#comment-16093618
 ] 

Ferenc Szabo edited comment on FLUME-3131 at 7/20/17 10:56 PM:
---

[~sati]
In this case I would recommend changing the activemq dependency to test 
scope because it is only used in one test; then the vulnerability is not going 
to be present in production.
For the `javax.jms.*` packages use the following dependency:
{code}
<dependency>
  <groupId>javax.jms</groupId>
  <artifactId>jms</artifactId>
</dependency>
{code}



was (Author: fszabo):
[~sati]
In this case I would recommend changing the activemq dependency to test 
scope because it is only used in one test; then the vulnerability is not going 
to be present in production.
For the `javax.jms.*` packages use the following dependency:
{code}
<dependency>
  <groupId>org.apache.geronimo.specs</groupId>
  <artifactId>geronimo-jms_1.1_spec</artifactId>
  <version>1.1.1</version>
</dependency>
{code}

