This is an automated email from the ASF dual-hosted git repository. sijie pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/bookkeeper.git
The following commit(s) were added to refs/heads/master by this push: new 40b0bd1 ISSUE #1767: security vulnerabilities in 3rd party dependencies 40b0bd1 is described below
commit 40b0bd101dccd3cd9aefc8c3e915b34071ae1229
Author: Manjiri Tapaswi <mptap...@ncsu.edu>
AuthorDate: Sat Nov 3 10:41:19 2018 -0700
ISSUE #1767: security vulnerabilities in 3rd party dependencies Descriptions of the changes in this PR: Upgraded jline and jackson to remove security vulnerabilities mentioned in #1767 ### Motivation Remove security vulnerabilities mentioned in #1767 ### Changes Upgraded jline and jackson 3rd party dependencies Master Issue: #1767 Reviewers: Enrico Olivelli <eolive...@gmail.com> This closes #1777 from mptap/fix-1767-remove-vulnerabilities, closes #1767
---
 bookkeeper-dist/src/assemble/bin-all.xml | 2 +-
 bookkeeper-dist/src/assemble/bin-server.xml | 2 +-
 .../src/main/resources/LICENSE-all.bin.txt | 24 +++++++++++-----------
 .../src/main/resources/LICENSE-server.bin.txt | 12 +++++------
 .../deps/{jline-0.9.94 => jline-2.11}/LICENSE | 4 +++-
 pom.xml | 18 +++++++++++++++-
 6 files changed, 40 insertions(+), 22 deletions(-)
diff --git a/bookkeeper-dist/src/assemble/bin-all.xml b/bookkeeper-dist/src/assemble/bin-all.xml
index 7b047c4..c1d8b43 100644
--- a/bookkeeper-dist/src/assemble/bin-all.xml
+++ b/bookkeeper-dist/src/assemble/bin-all.xml
@@ -61,7 +61,7 @@
 <include>netty-4.1.22.Final/*</include>
 <include>paranamer-2.8/LICENSE.txt</include>
 <include>protobuf-3.0.0/LICENSE</include>
- <include>jline-0.9.94/LICENSE</include>
+ <include>jline-2.11/LICENSE</include>
 <include>protobuf-3.5.1/LICENSE</include>
 <include>scala-library-2.11.7/LICENSE.md</include>
 <include>scala-parser-combinators_2.11-1.0.4/LICENSE.md</include>
diff --git a/bookkeeper-dist/src/assemble/bin-server.xml b/bookkeeper-dist/src/assemble/bin-server.xml
index aa7d1b8..46054c7 100644
--- a/bookkeeper-dist/src/assemble/bin-server.xml
+++ b/bookkeeper-dist/src/assemble/bin-server.xml
@@ -53,7 +53,7 @@
 <include>javax.servlet-api-3.1.0/CDDL+GPL-1.1</include>
 <include>netty-4.1.22.Final/*</include>
 <include>protobuf-3.0.0/LICENSE</include>
- <include>jline-0.9.94/LICENSE</include>
+ <include>jline-2.11/LICENSE</include>
 <include>protobuf-3.5.1/LICENSE</include>
 <include>slf4j-1.7.25/LICENSE.txt</include>
 </includes>
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
index 0b181f1..748ca24 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
@@ -205,11 +205,11 @@ The following bundled 3rd party jars are distributed under the Apache Software License, Version 2.
-- lib/com.fasterxml.jackson.core-jackson-annotations-2.8.9.jar [1]
-- lib/com.fasterxml.jackson.core-jackson-core-2.8.9.jar [2]
-- lib/com.fasterxml.jackson.core-jackson-databind-2.8.9.jar [3]
-- lib/com.fasterxml.jackson.module-jackson-module-paranamer-2.8.4.jar [4]
-- lib/com.fasterxml.jackson.module-jackson-module-scala_2.11-2.8.4.jar [5]
+- lib/com.fasterxml.jackson.core-jackson-annotations-2.9.7.jar [1]
+- lib/com.fasterxml.jackson.core-jackson-core-2.9.7.jar [2]
+- lib/com.fasterxml.jackson.core-jackson-databind-2.9.7.jar [3]
+- lib/com.fasterxml.jackson.module-jackson-module-paranamer-2.9.7.jar [4]
+- lib/com.fasterxml.jackson.module-jackson-module-scala_2.11-2.9.7.jar [5]
 - lib/com.github.ben-manes.caffeine-caffeine-2.3.4.jar [9]
 - lib/com.google.guava-guava-21.0.jar [6]
 - lib/commons-cli-commons-cli-1.2.jar [7]
@@ -300,11 +300,11 @@ Apache Software License, Version 2.
 - lib/com.google.errorprone-error_prone_annotations-2.1.2.jar [48]
 - lib/org.apache.yetus-audience-annotations-0.5.0.jar [49]
 
-[1] Source available at https://github.com/FasterXML/jackson-annotations/tree/jackson-annotations-2.8.9
-[2] Source available at https://github.com/FasterXML/jackson-core/tree/jackson-core-2.8.9
-[3] Source available at https://github.com/FasterXML/jackson-databind/tree/jackson-databind-2.8.9
-[4] Source available at https://github.com/FasterXML/jackson-modules-base/tree/jackson-modules-base-2.8.4
-[5] Source available at https://github.com/FasterXML/jackson-module-scala/tree/f9e099
+[1] Source available at https://github.com/FasterXML/jackson-annotations/tree/jackson-annotations-2.9.7
+[2] Source available at https://github.com/FasterXML/jackson-core/tree/jackson-core-2.9.7
+[3] Source available at https://github.com/FasterXML/jackson-databind/tree/jackson-databind-2.9.7
+[4] Source available at https://github.com/FasterXML/jackson-modules-base/tree/jackson-modules-base-2.9.7
+[5] Source available at https://github.com/FasterXML/jackson-module-scala/tree/jackson-module-scala-2.9.7
 [6] Source available at https://github.com/google/guava/tree/v21.0
 [7] Source available at https://git-wip-us.apache.org/repos/asf?p=commons-cli.git;a=tag;h=bc8f0e
 [8] Source available at http://svn.apache.org/viewvc/commons/proper/codec/tags/1_6/
@@ -550,8 +550,8 @@ Bundled as
 Source available at https://github.com/google/google-auth-library-java/tree/0.9.0
 ------------------------------------------------------------------------------------
 This product bundles the JLine Library, which is available under a "2-clause BSD"
-license. For details, see deps/jline-0.9.94/LICENSE
+license. For details, see deps/jline-2.11/LICENSE
 Bundled as
- - lib/jline-jline-0.9.94.jar
+ - lib/jline-jline-2.11.jar
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
index 6b630b4..bd023c8 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
@@ -205,9 +205,9 @@ The following bundled 3rd party jars are distributed under the Apache Software License, Version 2.
-- lib/com.fasterxml.jackson.core-jackson-annotations-2.8.9.jar [1]
-- lib/com.fasterxml.jackson.core-jackson-core-2.8.9.jar [2]
-- lib/com.fasterxml.jackson.core-jackson-databind-2.8.9.jar [3]
+- lib/com.fasterxml.jackson.core-jackson-annotations-2.9.7.jar [1]
+- lib/com.fasterxml.jackson.core-jackson-core-2.9.7.jar [2]
+- lib/com.fasterxml.jackson.core-jackson-databind-2.9.7.jar [3]
 - lib/com.google.guava-guava-21.0.jar [4]
 - lib/commons-cli-commons-cli-1.2.jar [5]
 - lib/commons-codec-commons-codec-1.6.jar [6]
@@ -267,7 +267,7 @@ Apache Software License, Version 2.
 
 [1] Source available at https://github.com/FasterXML/jackson-annotations/tree/jackson-annotations-2.8.9
 [2] Source available at https://github.com/FasterXML/jackson-core/tree/jackson-core-2.8.9
-[3] Source available at https://github.com/FasterXML/jackson-databind/tree/jackson-databind-2.8.9
+[3] Source available at https://github.com/FasterXML/jackson-databind/tree/jackson-databind-2.9.7
 [4] Source available at https://github.com/google/guava/tree/v21.0
 [5] Source available at https://git-wip-us.apache.org/repos/asf?p=commons-cli.git;a=tag;h=bc8f0e
 [6] Source available at http://svn.apache.org/viewvc/commons/proper/codec/tags/1_6/
@@ -438,7 +438,7 @@ Bundled as
 Source available at https://github.com/google/google-auth-library-java/tree/0.9.0
 ------------------------------------------------------------------------------------
 This product bundles the JLine Library, which is available under a "2-clause BSD"
-license. For details, see deps/jline-0.9.94/LICENSE
+license. For details, see deps/jline-2.11/LICENSE
 Bundled as
- - lib/jline-jline-0.9.94.jar
+ - lib/jline-jline-2.11.jar
diff --git a/bookkeeper-dist/src/main/resources/deps/jline-0.9.94/LICENSE b/bookkeeper-dist/src/main/resources/deps/jline-2.11/LICENSE
similarity index 92%
rename from bookkeeper-dist/src/main/resources/deps/jline-0.9.94/LICENSE
rename to bookkeeper-dist/src/main/resources/deps/jline-2.11/LICENSE
index 246f54f..9ef434e 100644
--- a/bookkeeper-dist/src/main/resources/deps/jline-0.9.94/LICENSE
+++ b/bookkeeper-dist/src/main/resources/deps/jline-2.11/LICENSE
@@ -1,6 +1,8 @@
-Copyright (c) 2002-2006, Marc Prud'hommeaux <m...@cornell.edu>
+Copyright (c) 2002-2012, the original author or authors.
 All rights reserved.
+http://www.opensource.org/licenses/bsd-license.php
+
 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
diff --git a/pom.xml b/pom.xml
index 95aaf73..8d43ecd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -133,10 +133,11 @@
 <hadoop.version>2.7.3</hadoop.version>
 <hamcrest.version>1.3</hamcrest.version>
 <hdrhistogram.version>2.1.10</hdrhistogram.version>
- <jackson.version>2.8.9</jackson.version>
+ <jackson.version>2.9.7</jackson.version>
 <jackson-mapper-asl.version>1.9.11</jackson-mapper-asl.version>
 <jcommander.version>1.48</jcommander.version>
 <jetty.version>9.4.5.v20170502</jetty.version>
+ <jline.version>2.11</jline.version>
 <jmh.version>1.19</jmh.version>
 <jmock.version>2.8.2</jmock.version>
 <jna.version>3.2.7</jna.version>
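Review bot: The jackson.version bump to 2.9.7 leaves `<jackson-mapper-asl.version>1.9.11</jackson-mapper-asl.version>` on the very next context line untouched, and the org.codehaus.jackson 1.x line is no longer maintained upstream, so if that artifact is still shipped (a later hunk's comment says it is needed for the ZooKeeper Jetty admin server) the vulnerable-dependency sweep for #1767 is only partly done and that jar should be tracked as a separate remediation item. The bump is also not carried through consistently to the notices: LICENSE-server.bin.txt's @@ -267 hunk still points jackson-annotations and jackson-core source at the 2.8.9 trees while the jar list in the same file now says 2.9.7. A short note next to the property would keep the next contributor from regressing it, e.g. `<!-- ISSUE #1767: do not downgrade below 2.9.7 -->`. The enclosing properties block starts and ends outside the hunk.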
@@ -226,6 +227,11 @@
 <artifactId>freebuilder</artifactId>
 <version>${freebuilder.version}</version>
 </dependency>
+ <dependency>
+ <groupId>jline</groupId>
+ <artifactId>jline</artifactId>
+ <version>${jline.version}</version>
+ </dependency>
 
 <!-- logging dependencies -->
 <dependency>
@@ -321,6 +327,16 @@
 <artifactId>jackson-annotations</artifactId>
 <version>${jackson.version}</version>
 </dependency>
+ <dependency>
+ <groupId>com.fasterxml.jackson.module</groupId>
+ <artifactId>jackson-module-paranamer</artifactId>
+ <version>${jackson.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>com.fasterxml.jackson.module</groupId>
+ <artifactId>jackson-module-scala_2.11</artifactId>
+ <version>${jackson.version}</version>
+ </dependency>
 <!-- dependency needed for zookeeper jetty admin server -->
 <dependency>
 <groupId>org.codehaus.jackson</groupId>
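Review bot: Pinning `jline:jline` to 2.11 in dependencyManagement overrides whatever version its transitive consumer declared — the old 0.9.94 evidently arrived transitively, presumably through zookeeper, since no module in this diff depends on jline directly — and 0.9.x to 2.x is a major-version change with a different public API, which Maven applies silently and a compile will not flag because nothing here is compiled against jline. Worth confirming at runtime that the consumer's console still starts with 2.11 on the classpath, and recording why this version was chosen, since the commit message names no jline advisory. Suggested comment above the new entry: `<!-- ISSUE #1767: overrides the transitive jline version (major API change from 0.9.x) -->`. The enclosing dependencyManagement block starts and ends outside the hunk.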
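Review bot: The two new entries tie jackson-module-paranamer and jackson-module-scala_2.11 to `${jackson.version}`, moving them from the 2.8.4 recorded in the LICENSE files to 2.9.7; dependencyManagement also governs transitive versions so this is the right lever, but nothing in the change shows that no module still resolves a 2.8.x jackson jar by another path, so a `mvn dependency:tree -Dincludes=com.fasterxml.jackson` result belongs in the PR. jackson-module-scala_2.11 is bound to the Scala 2.11 line and the assembly still bundles scala-library-2.11.7 (bin-all.xml context), so a check that 2.9.7 does not pull a newer scala-library into the distribution would be prudent. The databind fixes across the 2.9.x line are largely blocklist additions for polymorphic deserialization; the durable mitigation is keeping default typing disabled on any ObjectMapper that parses externally supplied JSON, which this bump does not by itself guarantee. The enclosing dependencyManagement block starts and ends outside the hunk.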