This is an automated email from the ASF dual-hosted git repository.
elukey pushed a commit to branch branch-1.5
in repository https://gitbox.apache.org/repos/asf/bigtop.git
The following commit(s) were added to refs/heads/branch-1.5 by this push:
new a4131bb BIGTOP-3626: Upgrade ycsb and its log4j dependencies (#849)
a4131bb is described below
commit a4131bb6700cb9b66741feb56df8b1a1bbbcc6b6
Author: Luca Toscano <[email protected]>
AuthorDate: Sat Jan 8 11:45:54 2022 +0100
BIGTOP-3626: Upgrade ycsb and its log4j dependencies (#849)
At the time of writing upstream had not released any official fix
for the log4j CVEs, but brianfrankcooper/YCSB#1583 seems to take care of it.
Credits for the upstream fix: Filipe Oliveira <[email protected]>
This change also bumps ycsb to its latest upstream, to allow the log4j
patch to be applied cleanly.
---
bigtop-packages/src/common/ycsb/patch1-log4j.diff | 65 +++++++++++++++++++++++
bigtop.bom | 2 +-
2 files changed, 66 insertions(+), 1 deletion(-)
diff --git a/bigtop-packages/src/common/ycsb/patch1-log4j.diff
b/bigtop-packages/src/common/ycsb/patch1-log4j.diff
new file mode 100644
index 0000000..a3e0ce9
--- /dev/null
+++ b/bigtop-packages/src/common/ycsb/patch1-log4j.diff
@@ -0,0 +1,65 @@
+diff --git a/elasticsearch5/pom.xml b/elasticsearch5/pom.xml
+index 5d3ff06710..f10476cf05 100644
+--- a/elasticsearch5/pom.xml
++++ b/elasticsearch5/pom.xml
+@@ -165,12 +165,12 @@ LICENSE file.
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-api</artifactId>
+- <version>2.8.2</version>
++ <version>2.17.0</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-core</artifactId>
+- <version>2.8.2</version>
++ <version>2.17.0</version>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+diff --git a/ignite/pom.xml b/ignite/pom.xml
+index eabf8d67d9..7b3ed0d496 100644
+--- a/ignite/pom.xml
++++ b/ignite/pom.xml
+@@ -87,13 +87,13 @@ LICENSE file.
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-api</artifactId>
+- <version>2.11.0</version>
++ <version>2.17.0</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-core</artifactId>
+- <version>2.11.0</version>
++ <version>2.17.0</version>
+ </dependency>
+ </dependencies>
+ </project>
+diff --git a/voltdb/pom.xml b/voltdb/pom.xml
+index ab870853ad..6c8cbd2b74 100644
+--- a/voltdb/pom.xml
++++ b/voltdb/pom.xml
+@@ -44,17 +44,17 @@
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-api</artifactId>
+- <version>2.7</version>
++ <version>2.17.0</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-core</artifactId>
+- <version>2.7</version>
++ <version>2.17.0</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-slf4j-impl</artifactId>
+- <version>2.7</version>
++ <version>2.17.0</version>
+ </dependency>
+ <!-- https://mvnrepository.com/artifact/org.voltdb/voltdbclient
-->
+ <dependency>
+
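Review bot: The literal `<version>2.17.0</version>` pinned in the elasticsearch5, ignite and voltdb sections should be checked against the Apache Log4j security advisories before this ships, because the 2.x line received a further security fix release after 2.17.0 and the pin may already be behind the newest patched 2.17.x. The patch also only rewrites versions that these three pom.xml files declare explicitly, so any other YCSB binding that resolves log4j-core transitively is presumably left as it was. Running `mvn dependency:tree -Dincludes=org.apache.logging.log4j` on the patched tree, and listing the log4j jars in the built package, would confirm that no older copy is bundled.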
diff --git a/bigtop.bom b/bigtop.bom
index 8730db9..240bc9c 100644
--- a/bigtop.bom
+++ b/bigtop.bom
@@ -371,7 +371,7 @@ bigtop {
'ycsb' {
name = 'ycsb'
relNotes = 'Yahoo! Cloud Serving Benchmark'
- version { base = '0.12.0'; pkg = base; release = 1 }
+ version { base = '0.17.0'; pkg = base; release = 2 }
tarball { destination = "$name-${version.base}.tar.gz"
source = "${version.base}.tar.gz" }
url { site = "https://github.com/brianfrankcooper/YCSB/archive"