This is an automated email from the ASF dual-hosted git repository. mblow pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/asterixdb.git
commit aedda3544b52a3b3baebbab24e63d6273c0bbc59
Author: Hussain Towaileb <[email protected]>
AuthorDate: Mon May 22 04:45:42 2023 +0300
[NO ISSUE][*DB]: Update smart-json to avoid encountered CVE
Details:
- This change updates smart-json to avoid CVE-2023-1370: json-smart 2.4.7 -> 2.4.11
Change-Id: I6cceff58ae80042c1421de4acb97dbfa3549168a
Reviewed-on: https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17548
Integration-Tests: Jenkins <[email protected]>
Tested-by: Jenkins <[email protected]>
Reviewed-by: Hussain Towaileb <[email protected]>
Reviewed-by: Michael Blow <[email protected]>
---
 asterixdb/asterix-external-data/pom.xml | 5 +++++
 asterixdb/asterix-server/pom.xml | 2 +-
 asterixdb/pom.xml | 12 ++++++++++++
 .../src/main/appended-resources/supplemental-models.xml | 14 +++++++-------
 hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml | 4 ++++
 hyracks-fullstack/pom.xml | 10 ++++++++++
 6 files changed, 39 insertions(+), 8 deletions(-)
diff --git a/asterixdb/asterix-external-data/pom.xml b/asterixdb/asterix-external-data/pom.xml
index 068e294fec..f8a4401186 100644
--- a/asterixdb/asterix-external-data/pom.xml
+++ b/asterixdb/asterix-external-data/pom.xml
@@ -546,6 +546,11 @@
 <groupId>org.eclipse.jetty</groupId>
 <artifactId>jetty-util-ajax</artifactId>
 </dependency>
+ <!-- Manually included to avoid CVE-2023-1370 -->
+ <dependency>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </dependency>
 </dependencies>
 <!-- apply patch for HADOOP-17225 to workaround CVE-2019-10172 -->
 <repositories>
diff --git a/asterixdb/asterix-server/pom.xml b/asterixdb/asterix-server/pom.xml
index fb1c2f16cc..2ab0e5f2a2 100644
--- a/asterixdb/asterix-server/pom.xml
+++ b/asterixdb/asterix-server/pom.xml
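Review bot: The added `<dependency>` for net.minidev:json-smart carries no `<version>`, so the CVE-2023-1370 fix for this module only holds if an ancestor POM manages json-smart at 2.4.11 — this change adds that managed entry only in hyracks-fullstack/pom.xml and does not touch asterixdb/pom.xml's own dependencyManagement, so it is worth confirming with `mvn dependency:tree -Dincludes=net.minidev` that 2.4.11 is what this module actually resolves. The comment `<!-- Manually included to avoid CVE-2023-1370 -->` also does not explain the mechanism (declaring a dependency does not by itself avoid anything); I would reword it to `<!-- json-smart is excluded from hadoop-common/azure-identity (CVE-2023-1370 affects < 2.4.11); declared here so the managed 2.4.11 replaces the vulnerable transitive version -->`. The enclosing `<dependencies>` element opens before the hunk.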
@@ -309,7 +309,7 @@
 <url>https://raw.githubusercontent.com/codehaus/stax/master/dev/ASF2.0.txt</url>
 </override>
 <override>
- <gav>org.ow2.asm:asm:9.1</gav>
+ <gav>org.ow2.asm:asm:9.3</gav>
 <url>https://raw.githubusercontent.com/llbit/ow2-asm/master/LICENSE.txt</url>
 </override>
 <override>
diff --git a/asterixdb/pom.xml b/asterixdb/pom.xml
index 45f1986569..3610b19ee9 100644
--- a/asterixdb/pom.xml
+++ b/asterixdb/pom.xml
@@ -1019,6 +1019,10 @@
 <artifactId>hadoop-common</artifactId>
 <version>${hadoop.version}</version>
 <exclusions>
+ <exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
 <exclusion>
 <groupId>com.nimbusds</groupId>
 <artifactId>nimbus-jose-jwt</artifactId>
@@ -1111,6 +1115,10 @@
 <version>${hadoop.version}</version>
 <classifier>tests</classifier>
 <exclusions>
+ <exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
 <exclusion>
 <groupId>com.nimbusds</groupId>
 <artifactId>nimbus-jose-jwt</artifactId>
@@ -1644,6 +1652,10 @@
 <artifactId>azure-identity</artifactId>
 <version>1.4.1</version>
 <exclusions>
+ <exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
 <exclusion>
 <groupId>io.netty</groupId>
 <artifactId>netty-handler</artifactId>
diff --git a/asterixdb/src/main/appended-resources/supplemental-models.xml b/asterixdb/src/main/appended-resources/supplemental-models.xml
index 18508ef66a..1a97cbfef9 100644
--- a/asterixdb/src/main/appended-resources/supplemental-models.xml
+++ b/asterixdb/src/main/appended-resources/supplemental-models.xml
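Review bot: The three new `<exclusion>` entries for net.minidev:json-smart (on hadoop-common, its tests classifier, and azure-identity) cut only those three transitive paths; any other artifact that still carries json-smart — nimbus-jose-jwt is the usual one, and it is visibly excluded only from the hadoop artifacts here — would be resolved by Maven's nearest-wins rule to whatever version it declares unless a managed version pins it. This POM's own dependencyManagement gains no json-smart entry in this change, so the durable control is a single managed `<dependency>` with `<version>2.4.11</version>` (which applies to every transitive path at once), or confirmation that the one added in hyracks-fullstack/pom.xml is inherited here — that inheritance is not visible in the diff. To keep a future dependency from silently reintroducing the vulnerable range, a maven-enforcer `bannedDependencies` exclude of `net.minidev:json-smart:[,2.4.11)` would fail the build rather than rely on the next CVE scan. The `<dependencyManagement>` block these hunks sit in opens and closes outside the hunks.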
@@ -1090,8 +1090,8 @@
 <groupId>net.minidev</groupId>
 <artifactId>json-smart</artifactId>
 <properties>
- <license.ignoreMissingEmbeddedLicense>2.4.7</license.ignoreMissingEmbeddedLicense>
- <license.ignoreMissingEmbeddedNotice>2.4.7</license.ignoreMissingEmbeddedNotice>
+ <license.ignoreMissingEmbeddedLicense>2.4.11</license.ignoreMissingEmbeddedLicense>
+ <license.ignoreMissingEmbeddedNotice>2.4.11</license.ignoreMissingEmbeddedNotice>
 </properties>
 </project>
 </supplement>
@@ -1102,8 +1102,8 @@
 <groupId>net.minidev</groupId>
 <artifactId>accessors-smart</artifactId>
 <properties>
- <license.ignoreMissingEmbeddedLicense>2.4.7</license.ignoreMissingEmbeddedLicense>
- <license.ignoreMissingEmbeddedNotice>2.4.7</license.ignoreMissingEmbeddedNotice>
+ <license.ignoreMissingEmbeddedLicense>2.4.11</license.ignoreMissingEmbeddedLicense>
+ <license.ignoreMissingEmbeddedNotice>2.4.11</license.ignoreMissingEmbeddedNotice>
 </properties>
 </project>
 </supplement>
@@ -1113,9 +1113,9 @@
 <groupId>org.ow2.asm</groupId>
 <artifactId>asm</artifactId>
 <properties>
- <license.ignoreMissingEmbeddedLicense>9.1</license.ignoreMissingEmbeddedLicense>
- <license.ignoreMissingEmbeddedNotice>9.1</license.ignoreMissingEmbeddedNotice>
- <license.ignoreLicenseOverride>9.1</license.ignoreLicenseOverride>
+ <license.ignoreMissingEmbeddedLicense>9.3</license.ignoreMissingEmbeddedLicense>
+ <license.ignoreMissingEmbeddedNotice>9.3</license.ignoreMissingEmbeddedNotice>
+ <license.ignoreLicenseOverride>9.3</license.ignoreLicenseOverride>
 </properties>
 </project>
 </supplement>
diff --git a/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml b/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
index b16904df1c..816746cfca 100644
--- a/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
+++ b/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
@@ -182,6 +182,10 @@
 <classifier>tests</classifier>
 <scope>test</scope>
 <exclusions>
+ <exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
 <exclusion>
 <groupId>log4j</groupId>
 <artifactId>log4j</artifactId>
diff --git a/hyracks-fullstack/pom.xml b/hyracks-fullstack/pom.xml
index 69a82799b5..9ef0212060 100644
--- a/hyracks-fullstack/pom.xml
+++ b/hyracks-fullstack/pom.xml
@@ -155,6 +155,10 @@
 <artifactId>hadoop-common</artifactId>
 <version>${hadoop.version}</version>
 <exclusions>
+ <exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
 <exclusion>
 <groupId>com.nimbusds</groupId>
 <artifactId>nimbus-jose-jwt</artifactId>
@@ -472,6 +476,12 @@
 <artifactId>jetty-util-ajax</artifactId>
 <version>9.4.48.v20220622</version>
 </dependency>
+ <!-- Manually included to avoid CVE-2023-1370 -->
+ <dependency>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ <version>2.4.11</version>
+ </dependency>
 </dependencies>
 </dependencyManagement>
 <build>
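Review bot: The new managed entry hard-codes `<version>2.4.11</version>` in the `@@ -472` hunk; since this is the one version the whole CVE-2023-1370 fix hinges on, hoisting it into a property such as `<json-smart.version>2.4.11</json-smart.version>` under `<properties>` and referencing `${json-smart.version}` here gives the next advisory-driven bump a single place to change. Note also that a dependencyManagement entry only pins a version — it puts nothing on a classpath — and the `@@ -155` hunk above excludes json-smart from hadoop-common for every module inheriting this POM, so any module that previously reached json-smart only through hadoop (hyracks-hdfs, which also drops it in the first hunk, declares no replacement in this change) would now fail at runtime rather than at build time if something still needs it; a quick `mvn dependency:tree -Dincludes=net.minidev` per module, or the existing integration tests, should confirm that is not the case. The `<dependencyManagement>` element closes inside the last hunk but opens before it.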
