This is an automated email from the ASF dual-hosted git repository. imaxon pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/asterixdb.git
commit 359e5c259fdbc286ce3fecaebce68889588f09df
Author: Hussain Towaileb <[email protected]>
AuthorDate: Mon Aug 1 06:46:31 2022 +0300
[ASTERIXDB-3057][OTH]: Upgrade to jetty-util 9.4.48 to address CVEs
Details:
- CVEs:
- https://nvd.nist.gov/vuln/detail/CVE-2022-2047
- https://nvd.nist.gov/vuln/detail/CVE-2022-2048
Change-Id: I98a042024a31208e074a074657457efba781306b
Reviewed-on: https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17043
Reviewed-by: Hussain Towaileb <[email protected]>
Reviewed-by: Michael Blow <[email protected]>
Tested-by: Hussain Towaileb <[email protected]>
---
asterixdb/asterix-external-data/pom.xml | 10 ++++
asterixdb/pom.xml | 74 ++++++++++++++++++++++++++
hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml | 14 +++++
hyracks-fullstack/pom.xml | 51 ++++++++++++++++++
4 files changed, 149 insertions(+)
diff --git a/asterixdb/asterix-external-data/pom.xml b/asterixdb/asterix-external-data/pom.xml
index dbb23828c8..95ff315237 100644
--- a/asterixdb/asterix-external-data/pom.xml
+++ b/asterixdb/asterix-external-data/pom.xml
@@ -542,6 +542,16 @@
 <groupId>io.netty</groupId>
 <artifactId>netty-transport-native-unix-common</artifactId>
 </dependency>
+ <!-- TODO(htowaileb): removed from hadoop transitively and added separately to avoid CVEs, can
+ be removed once upgraded to hadoop 3.3.4 as it addresses the CVEs -->
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ </dependency>
 </dependencies>
 <!-- apply patch for HADOOP-17225 to workaround CVE-2019-10172 -->
 <repositories>
diff --git a/asterixdb/pom.xml b/asterixdb/pom.xml
index 4d9d182155..cd90712d5a 100644
--- a/asterixdb/pom.xml
+++ b/asterixdb/pom.xml
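Review bot: The two new direct dependencies on jetty-util and jetty-util-ajax carry no version, so this module is only correct while the parent's dependencyManagement pins them, and that coupling is worth stating in the TODO so the pin and the exclusions are not changed independently, e.g. `<!-- versions managed in asterixdb/pom.xml; keep in step with the jetty exclusions on the hadoop-* entries there -->`. Only jetty-util and jetty-util-ajax are excluded and re-added anywhere on this page; any other org.eclipse.jetty modules hadoop pulls transitively are presumably still resolved at whatever version hadoop declares, so a check of `mvn dependency:tree -Dincludes=org.eclipse.jetty` after this change would confirm that nothing older than the pin remains on the classpath and that the Jetty modules are not left at mixed versions, which can fail at runtime rather than at build time.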
@@ -1003,6 +1003,15 @@
 <groupId>org.slf4j</groupId>
 <artifactId>slf4j-log4j12</artifactId>
 </exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -1066,6 +1075,15 @@
 <groupId>javax.ws.rs</groupId>
 <artifactId>jsr311-api</artifactId>
 </exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -1109,6 +1127,15 @@
 <groupId>org.slf4j</groupId>
 <artifactId>slf4j-log4j12</artifactId>
 </exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -1136,6 +1163,11 @@
 <groupId>org.jline</groupId>
 <artifactId>jline</artifactId>
 </exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -1174,6 +1206,15 @@ <groupId>org.slf4j</groupId> <artifactId>slf4j-log4j12</artifactId> </exclusion> + <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 --> + <exclusion> + <groupId>org.eclipse.jetty</groupId> + <artifactId>jetty-util</artifactId> + </exclusion> + <exclusion> + <groupId>org.eclipse.jetty</groupId> + <artifactId>jetty-util-ajax</artifactId> + </exclusion> </exclusions> </dependency> <dependency> @@ -1198,6 +1239,15 @@ <groupId>org.slf4j</groupId> <artifactId>slf4j-log4j12</artifactId> </exclusion> + <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 --> + <exclusion> + <groupId>org.eclipse.jetty</groupId> + <artifactId>jetty-util</artifactId> + </exclusion> + <exclusion> + <groupId>org.eclipse.jetty</groupId> + <artifactId>jetty-util-ajax</artifactId> + </exclusion> </exclusions> </dependency> <dependency> @@ -1939,8 +1989,32 @@ <groupId>org.apache.hadoop</groupId> <artifactId>hadoop-azure</artifactId> <version>${hadoop.version}</version> + <exclusions> + <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 --> + <exclusion> + <groupId>org.eclipse.jetty</groupId> + <artifactId>jetty-util</artifactId> + </exclusion> + <exclusion> + <groupId>org.eclipse.jetty</groupId> + <artifactId>jetty-util-ajax</artifactId> + </exclusion> + </exclusions> </dependency> <!-- Hadoop Azure end --> + + <!-- TODO(htowaileb): removed from hadoop transitively and added separately to avoid CVEs, can + be removed once upgraded to hadoop 3.3.4 as it addresses the CVEs --> + <dependency> + <groupId>org.eclipse.jetty</groupId> + <artifactId>jetty-util</artifactId> + <version>9.4.48.v20220622</version> + </dependency> + <dependency> + <groupId>org.eclipse.jetty</groupId> + <artifactId>jetty-util-ajax</artifactId> + <version>9.4.48.v20220622</version> + </dependency> </dependencies> </dependencyManagement> diff --git a/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml b/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml index 985515ced8..b16904df1c 100644 
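Review bot: The literal `9.4.48.v20220622` is written twice in the @@ -1939 hunk of this file and twice more in the @@ -414 hunk of hyracks-fullstack/pom.xml, while the neighbouring entries resolve their versions through `${hadoop.version}`; a single Jetty version property per parent pom (the two reactors appear to be built separately, so one each) would keep the two pins from drifting apart on the next Jetty advisory. The exclusion-plus-re-add pattern is only as strong as that pin: Maven's dependencyManagement already overrides the version of a managed artifact that arrives transitively, so the exclusions are belt-and-braces, and a maven-enforcer-plugin bannedDependencies rule that bans org.eclipse.jetty:jetty-util and jetty-util-ajax below the pinned version would turn a future regression (a new hadoop-* entry added without the exclusion, or a pin dropped while the TODO is still open) into a build failure instead of a silent downgrade. The same TODO text is repeated on seven exclusion sets across this file; pointing each at the managed entry, e.g. `<!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4; version pinned under dependencyManagement below -->`, makes the cleanup a single grep when the hadoop upgrade lands.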
--- a/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
+++ b/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
@@ -163,6 +163,15 @@
 <groupId>org.slf4j</groupId>
 <artifactId>slf4j-log4j12</artifactId>
 </exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -185,6 +194,11 @@
 <groupId>org.slf4j</groupId>
 <artifactId>slf4j-log4j12</artifactId>
 </exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
diff --git a/hyracks-fullstack/pom.xml b/hyracks-fullstack/pom.xml
index ccd1de5cbf..4345a1dcdf 100644
--- a/hyracks-fullstack/pom.xml
+++ b/hyracks-fullstack/pom.xml
@@ -181,6 +181,15 @@
 <groupId>org.slf4j</groupId>
 <artifactId>slf4j-log4j12</artifactId>
 </exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -196,6 +205,15 @@
 <groupId>log4j</groupId>
 <artifactId>log4j</artifactId>
 </exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -207,12 +225,28 @@
 <groupId>log4j</groupId>
 <artifactId>log4j</artifactId>
 </exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
 <groupId>org.apache.hadoop</groupId>
 <artifactId>hadoop-mapreduce-client-core</artifactId>
 <version>${hadoop.version}</version>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusions>
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
+ </exclusions>
 </dependency>
 <dependency>
 <groupId>org.apache.hadoop</groupId>
@@ -225,6 +259,11 @@
 <groupId>log4j</groupId>
 <artifactId>log4j</artifactId>
 </exclusion>
+ <!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 -->
+ <exclusion>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -414,6 +453,18 @@
 <artifactId>snappy-java</artifactId>
 <version>${snappy.version}</version>
 </dependency>
+ <!-- TODO(htowaileb): removed from hadoop transitively and added separately to avoid CVEs, can
+ be removed once upgraded to hadoop 3.3.4 as it addresses the CVEs -->
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util</artifactId>
+ <version>9.4.48.v20220622</version>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-util-ajax</artifactId>
+ <version>9.4.48.v20220622</version>
+ </dependency>
 </dependencies>
 </dependencyManagement>
 <build>
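Review bot: The hadoop-mapreduce-client-core entry in the @@ -207 hunk excludes only jetty-util, and the same asymmetry appears in the @@ -225 hunk below it, in the @@ -185 hunk of hyracks-hdfs/pom.xml and in the @@ -1136 hunk of asterixdb/pom.xml (in each of those the enclosing dependency starts outside the hunk), whereas every other hadoop entry excludes both jetty-util and jetty-util-ajax. If those artifacts genuinely do not pull jetty-util-ajax, saying so in the TODO would stop the next reader from "completing" the set, e.g. `<!-- TODO(htowaileb): Remove after updating to hadoop 3.3.4 (jetty-util-ajax is not brought in by this artifact) -->`; if they do, the exclusion set is inconsistent and only the dependencyManagement pin is holding the version. The TODO on the mapreduce-client-core entry is also placed before `<exclusions>` rather than inside it as in the other hunks, which is harmless but makes the cleanup harder to grep for when the hadoop upgrade lands.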
