[jira] [Updated] (BEAM-9826) Update Tika to 1.24.1
[ https://issues.apache.org/jira/browse/BEAM-9826?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated BEAM-9826:
--------------------------------------
    Description:
This task is to update Tika to 1.24.1 due to:

[CVE-2020-9489] Denial of Service (DOS) Vulnerabilities in Some of Apache Tika's Parsers

[https://www.openwall.com/lists/oss-security/2020/04/24/1]

PR: [https://github.com/apache/beam/pull/11531]

  was:
This task is to update Tika to 1.24.1 due to:

[CVE-2020-9489] Denial of Service (DOS) Vulnerabilities in Some of Apache Tika's Parsers

https://www.openwall.com/lists/oss-security/2020/04/24/1

> Update Tika to 1.24.1
> ---------------------
>
>                 Key: BEAM-9826
>                 URL: https://issues.apache.org/jira/browse/BEAM-9826
>             Project: Beam
>          Issue Type: Improvement
>          Components: sdk-java-core
>            Reporter: Colm O hEigeartaigh
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> This task is to update Tika to 1.24.1 due to:
> [CVE-2020-9489] Denial of Service (DOS) Vulnerabilities in Some of Apache
> Tika's Parsers
> [https://www.openwall.com/lists/oss-security/2020/04/24/1]
>
> PR: [https://github.com/apache/beam/pull/11531]

--
This message was sent by Atlassian Jira (v8.3.4#803005)

[jira] [Created] (BEAM-9826) Update Tika to 1.24.1
Colm O hEigeartaigh created BEAM-9826:
--------------------------------------

             Summary: Update Tika to 1.24.1
                 Key: BEAM-9826
                 URL: https://issues.apache.org/jira/browse/BEAM-9826
             Project: Beam
          Issue Type: Improvement
          Components: sdk-java-core
            Reporter: Colm O hEigeartaigh
            Assignee: Colm O hEigeartaigh

This task is to update Tika to 1.24.1 due to:

[CVE-2020-9489] Denial of Service (DOS) Vulnerabilities in Some of Apache Tika's Parsers

https://www.openwall.com/lists/oss-security/2020/04/24/1

[jira] [Updated] (BEAM-9570) Update documentation to show how to use SerializableCoder more securely
[ https://issues.apache.org/jira/browse/BEAM-9570?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated BEAM-9570:
--------------------------------------
    Description:
It's possible to make the use of SerializableCoder more secure by enforcing constraints on the deserialization process using jdk.serialFilter. This task is to update the documentation - from the mailing list:

"With the JvmInitializer[1] being supported by Dataflow and the portable Java container, users would be able to write code which sets the system property jdk.serialFilter or by configuring ObjectInputFilter.Config.setSerialFilter(filter)[2]"

This could become a documentation change to SerializableCoder.

1: [https://github.com/apache/beam/blob/master/sdks/java/core/src/main/java/org/apache/beam/sdk/harness/JvmInitializer.java]
2: [https://docs.oracle.com/javase/10/core/serialization-filtering1.htm#JSCOR-GUID-952E2328-AB66-4412-8B6B-3BCCB3195C25]

Ref: https://lists.apache.org/thread.html/rc08d21215ed0f228331dcec88ecd5fe45d452e778fdc20a44c938f8e%40%3Cdev.beam.apache.org%3E

  was:
It's possible to harden the deserialization process in SerializableCoder by enforcing that deserialization will only take place if the root object matches the type that the SerializableCoder is associated with.

> Update documentation to show how to use SerializableCoder more securely
> -----------------------------------------------------------------------
>
>                 Key: BEAM-9570
>                 URL: https://issues.apache.org/jira/browse/BEAM-9570
>             Project: Beam
>          Issue Type: Improvement
>          Components: sdk-java-core
>            Reporter: Colm O hEigeartaigh
>            Priority: Major
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> It's possible to make the use of SerializableCoder more secure by enforcing
> constraints on the deserialization process using jdk.serialFilter. This task
> is to update the documentation - from the mailing list:
>
> "With the JvmInitializer[1] being supported by Dataflow and the portable Java
> container, users would be able to write code which sets the system property
> jdk.serialFilter or by configuring
> ObjectInputFilter.Config.setSerialFilter(filter)[2]"
>
> This could become a documentation change to SerializableCoder.
> 1:
> [https://github.com/apache/beam/blob/master/sdks/java/core/src/main/java/org/apache/beam/sdk/harness/JvmInitializer.java]
> 2:
> [https://docs.oracle.com/javase/10/core/serialization-filtering1.htm#JSCOR-GUID-952E2328-AB66-4412-8B6B-3BCCB3195C25]
>
> Ref:
> https://lists.apache.org/thread.html/rc08d21215ed0f228331dcec88ecd5fe45d452e778fdc20a44c938f8e%40%3Cdev.beam.apache.org%3E

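An added example, not part of the issue or of Beam's own code: a JDK-only sketch (Java 9+) of the deserialization filtering the description above refers to. The class names `SerialFilterDemo`, `Allowed` and `NotAllowed` and the filter pattern are assumptions made for the demo; in a Beam worker the call to `installProcessWideFilter()` would sit in the startup hook of a `JvmInitializer` implementation.

```java
import java.io.*;

public class SerialFilterDemo {
    // Constructed sample types: one the pipeline expects to decode, one it does not.
    static class Allowed implements Serializable { int id = 7; }
    static class NotAllowed implements Serializable { String s = "x"; }

    // Allow-list pattern (assumption for this demo): the expected class and
    // java.lang types, limits on the object graph, then "!*" rejects the rest.
    static final String PATTERN =
        "SerialFilterDemo$Allowed;java.lang.*;maxdepth=5;maxrefs=100;maxbytes=4096;!*";

    // Process-wide filter, same effect as starting the JVM with
    // -Djdk.serialFilter=<PATTERN>. It can be set only once per JVM; a second
    // call throws IllegalStateException, so it belongs in startup code.
    static void installProcessWideFilter() {
        ObjectInputFilter.Config.setSerialFilter(
            ObjectInputFilter.Config.createFilter(PATTERN));
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Returns the decoded class name, or "REJECTED" when the filter blocks the stream.
    static String tryDeserialize(byte[] data) throws Exception {
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject().getClass().getSimpleName();
        } catch (InvalidClassException e) {
            // ObjectInputStream raises this when the filter returns Status.REJECTED.
            return "REJECTED";
        }
    }

    public static void main(String[] args) throws Exception {
        installProcessWideFilter();
        System.out.println(tryDeserialize(serialize(new Allowed())));
        System.out.println(tryDeserialize(serialize(new NotAllowed())));
    }
}
```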
[jira] [Assigned] (BEAM-9570) Update documentation to show how to use SerializableCoder more securely
[ https://issues.apache.org/jira/browse/BEAM-9570?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reassigned BEAM-9570:
-----------------------------------------

    Assignee:     (was: Colm O hEigeartaigh)

> Update documentation to show how to use SerializableCoder more securely
> -----------------------------------------------------------------------
>
>                 Key: BEAM-9570
>                 URL: https://issues.apache.org/jira/browse/BEAM-9570
>             Project: Beam
>          Issue Type: Improvement
>          Components: sdk-java-core
>            Reporter: Colm O hEigeartaigh
>            Priority: Major
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> It's possible to harden the deserialization process in SerializableCoder by
> enforcing that deserialization will only take place if the root object
> matches the type that the SerializableCoder is associated with.

[jira] [Updated] (BEAM-9570) Update documentation to show how to use SerializableCoder more securely
[ https://issues.apache.org/jira/browse/BEAM-9570?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated BEAM-9570:
--------------------------------------
    Summary: Update documentation to show how to use SerializableCoder more securely  (was: Harden deserialization in SerializableCoder)

> Update documentation to show how to use SerializableCoder more securely
> -----------------------------------------------------------------------
>
>                 Key: BEAM-9570
>                 URL: https://issues.apache.org/jira/browse/BEAM-9570
>             Project: Beam
>          Issue Type: Improvement
>          Components: sdk-java-core
>            Reporter: Colm O hEigeartaigh
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> It's possible to harden the deserialization process in SerializableCoder by
> enforcing that deserialization will only take place if the root object
> matches the type that the SerializableCoder is associated with.

[jira] [Created] (BEAM-9570) Harden deserialization in SerializableCoder
Colm O hEigeartaigh created BEAM-9570:
--------------------------------------

             Summary: Harden deserialization in SerializableCoder
                 Key: BEAM-9570
                 URL: https://issues.apache.org/jira/browse/BEAM-9570
             Project: Beam
          Issue Type: Improvement
          Components: sdk-java-core
            Reporter: Colm O hEigeartaigh
            Assignee: Colm O hEigeartaigh

It's possible to harden the deserialization process in SerializableCoder by enforcing that deserialization will only take place if the root object matches the type that the SerializableCoder is associated with.

[jira] [Commented] (BEAM-8924) Beam Dependency Update Request: org.apache.tika
[ https://issues.apache.org/jira/browse/BEAM-8924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17062335#comment-17062335 ]

Colm O hEigeartaigh commented on BEAM-8924:
-------------------------------------------

This issue can be resolved as "fixed". I don't have the permissions to do so.

> Beam Dependency Update Request: org.apache.tika
> -----------------------------------------------
>
>                 Key: BEAM-8924
>                 URL: https://issues.apache.org/jira/browse/BEAM-8924
>             Project: Beam
>          Issue Type: Bug
>          Components: dependencies
>            Reporter: Beam JIRA Bot
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> --- 2019-12-09 12:20:19.972138 ---
> Please consider upgrading the dependency org.apache.tika.
> The current version is None. The latest version is None
> cc:
> Please refer to [Beam Dependency Guide
> |https://beam.apache.org/contribute/dependencies/] for more information.
> Do Not Modify The Description Above.

[jira] [Assigned] (BEAM-8924) Beam Dependency Update Request: org.apache.tika
[ https://issues.apache.org/jira/browse/BEAM-8924?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reassigned BEAM-8924:
-----------------------------------------

    Assignee: Colm O hEigeartaigh

> Beam Dependency Update Request: org.apache.tika
> -----------------------------------------------
>
>                 Key: BEAM-8924
>                 URL: https://issues.apache.org/jira/browse/BEAM-8924
>             Project: Beam
>          Issue Type: Bug
>          Components: dependencies
>            Reporter: Beam JIRA Bot
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>
> --- 2019-12-09 12:20:19.972138 ---
> Please consider upgrading the dependency org.apache.tika.
> The current version is None. The latest version is None
> cc:
> Please refer to [Beam Dependency Guide
> |https://beam.apache.org/contribute/dependencies/] for more information.
> Do Not Modify The Description Above.

[jira] [Assigned] (BEAM-8925) Beam Dependency Update Request: org.apache.tika:tika-core
[ https://issues.apache.org/jira/browse/BEAM-8925?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reassigned BEAM-8925:
-----------------------------------------

    Assignee:     (was: Colm O hEigeartaigh)

> Beam Dependency Update Request: org.apache.tika:tika-core
> ---------------------------------------------------------
>
>                 Key: BEAM-8925
>                 URL: https://issues.apache.org/jira/browse/BEAM-8925
>             Project: Beam
>          Issue Type: Sub-task
>          Components: dependencies
>            Reporter: Beam JIRA Bot
>            Priority: Major
>
> --- 2019-12-09 12:20:22.212496 ---
> Please consider upgrading the dependency org.apache.tika:tika-core.
> The current version is 1.20. The latest version is 1.23
> cc:
> Please refer to [Beam Dependency Guide
> |https://beam.apache.org/contribute/dependencies/] for more information.
> Do Not Modify The Description Above.
> --- 2019-12-23 12:20:53.356760 ---
> Please consider upgrading the dependency org.apache.tika:tika-core.
> The current version is 1.20. The latest version is 1.23
> cc:
> Please refer to [Beam Dependency Guide
> |https://beam.apache.org/contribute/dependencies/] for more information.
> Do Not Modify The Description Above.
> --- 2019-12-30 14:15:58.081400 ---
> Please consider upgrading the dependency org.apache.tika:tika-core.
> The current version is 1.20. The latest version is 1.23
> cc:
> Please refer to [Beam Dependency Guide
> |https://beam.apache.org/contribute/dependencies/] for more information.
> Do Not Modify The Description Above.
> --- 2020-01-06 12:19:33.456649 ---
> Please consider upgrading the dependency org.apache.tika:tika-core.
> The current version is 1.20. The latest version is 1.23
> cc:
> Please refer to [Beam Dependency Guide
> |https://beam.apache.org/contribute/dependencies/] for more information.
> Do Not Modify The Description Above.
> --- 2020-01-13 12:18:38.940974 ---
> Please consider upgrading the dependency org.apache.tika:tika-core.
> The current version is 1.20. The latest version is 1.23
> cc:
> Please refer to [Beam Dependency Guide
> |https://beam.apache.org/contribute/dependencies/] for more information.
> Do Not Modify The Description Above.
> --- 2020-01-20 12:16:03.428169 ---
> Please consider upgrading the dependency org.apache.tika:tika-core.
> The current version is 1.20. The latest version is 1.23
> cc:
> Please refer to [Beam Dependency Guide
> |https://beam.apache.org/contribute/dependencies/] for more information.
> Do Not Modify The Description Above.
> --- 2020-01-27 12:17:01.302466 ---
> Please consider upgrading the dependency org.apache.tika:tika-core.
> The current version is 1.20. The latest version is 1.23
> cc:
> Please refer to [Beam Dependency Guide
> |https://beam.apache.org/contribute/dependencies/] for more information.
> Do Not Modify The Description Above.

[jira] [Assigned] (BEAM-8925) Beam Dependency Update Request: org.apache.tika:tika-core
[ https://issues.apache.org/jira/browse/BEAM-8925?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reassigned BEAM-8925:
-----------------------------------------

    Assignee: Colm O hEigeartaigh

> Beam Dependency Update Request: org.apache.tika:tika-core
> ---------------------------------------------------------
>
>                 Key: BEAM-8925
>                 URL: https://issues.apache.org/jira/browse/BEAM-8925
>             Project: Beam
>          Issue Type: Sub-task
>          Components: dependencies
>            Reporter: Beam JIRA Bot
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>
> --- 2019-12-09 12:20:22.212496 ---
> Please consider upgrading the dependency org.apache.tika:tika-core.
> The current version is 1.20. The latest version is 1.23
> cc:
> Please refer to [Beam Dependency Guide
> |https://beam.apache.org/contribute/dependencies/] for more information.
> Do Not Modify The Description Above.
> --- 2019-12-23 12:20:53.356760 ---
> Please consider upgrading the dependency org.apache.tika:tika-core.
> The current version is 1.20. The latest version is 1.23
> cc:
> Please refer to [Beam Dependency Guide
> |https://beam.apache.org/contribute/dependencies/] for more information.
> Do Not Modify The Description Above.
> --- 2019-12-30 14:15:58.081400 ---
> Please consider upgrading the dependency org.apache.tika:tika-core.
> The current version is 1.20. The latest version is 1.23
> cc:
> Please refer to [Beam Dependency Guide
> |https://beam.apache.org/contribute/dependencies/] for more information.
> Do Not Modify The Description Above.
> --- 2020-01-06 12:19:33.456649 ---
> Please consider upgrading the dependency org.apache.tika:tika-core.
> The current version is 1.20. The latest version is 1.23
> cc:
> Please refer to [Beam Dependency Guide
> |https://beam.apache.org/contribute/dependencies/] for more information.
> Do Not Modify The Description Above.
> --- 2020-01-13 12:18:38.940974 ---
> Please consider upgrading the dependency org.apache.tika:tika-core.
> The current version is 1.20. The latest version is 1.23
> cc:
> Please refer to [Beam Dependency Guide
> |https://beam.apache.org/contribute/dependencies/] for more information.
> Do Not Modify The Description Above.
> --- 2020-01-20 12:16:03.428169 ---
> Please consider upgrading the dependency org.apache.tika:tika-core.
> The current version is 1.20. The latest version is 1.23
> cc:
> Please refer to [Beam Dependency Guide
> |https://beam.apache.org/contribute/dependencies/] for more information.
> Do Not Modify The Description Above.
> --- 2020-01-27 12:17:01.302466 ---
> Please consider upgrading the dependency org.apache.tika:tika-core.
> The current version is 1.20. The latest version is 1.23
> cc:
> Please refer to [Beam Dependency Guide
> |https://beam.apache.org/contribute/dependencies/] for more information.
> Do Not Modify The Description Above.

[jira] [Created] (BEAM-8861) Disallow self-signed certs by default
Colm O hEigeartaigh created BEAM-8861:
--------------------------------------

             Summary: Disallow self-signed certs by default
                 Key: BEAM-8861
                 URL: https://issues.apache.org/jira/browse/BEAM-8861
             Project: Beam
          Issue Type: Improvement
          Components: io-java-elasticsearch
            Reporter: Colm O hEigeartaigh
            Assignee: Colm O hEigeartaigh

The elasticsearch component allows self-signed certs by default, which is not secure. It should reject them by default - I'll add a PR for this with a configuration option to enable the old behaviour.

[jira] [Created] (BEAM-6425) Replace SSLContext.getInstance("SSL")
Colm O hEigeartaigh created BEAM-6425:
--------------------------------------

             Summary: Replace SSLContext.getInstance("SSL")
                 Key: BEAM-6425
                 URL: https://issues.apache.org/jira/browse/BEAM-6425
             Project: Beam
          Issue Type: Improvement
          Components: io-java-mongodb
            Reporter: Colm O hEigeartaigh
            Assignee: Colm O hEigeartaigh

SSLUtils has an instance of:

SSLContext.getInstance("SSL")

Instead we should use "TLS" here.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)

[jira] [Commented] (BEAM-5771) PreCommits should support a flag to not run GCP tests
[ https://issues.apache.org/jira/browse/BEAM-5771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16653628#comment-16653628 ]

Colm O hEigeartaigh commented on BEAM-5771:
-------------------------------------------

+1 to have a task which would build and run all Java tests without running the GCP specific tests.

> PreCommits should support a flag to not run GCP tests
> -----------------------------------------------------
>
>                 Key: BEAM-5771
>                 URL: https://issues.apache.org/jira/browse/BEAM-5771
>             Project: Beam
>          Issue Type: Bug
>          Components: build-system
>    Affects Versions: 2.8.0
>            Reporter: Alan Myrvold
>            Assignee: Alan Myrvold
>            Priority: Major
>
> From [~swegner]
> There was some discussion recently about ensuring anyone can easily run and
> reproduce precommit test results locally. The precommits run Dataflow jobs,
> which will fail if you don't have access to a Google Cloud project. One idea
> would be to add a flag to disable Google Cloud tests, i.e. ./gradlew
> :javaPreCommit -PdisableGcpTests
> @sweg