This is an automated email from the ASF dual-hosted git repository.

sijie pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/bookkeeper.git


The following commit(s) were added to refs/heads/master by this push:
     new 40b0bd1  ISSUE #1767: security vulnerabilities in 3rd party 
dependencies
40b0bd1 is described below

commit 40b0bd101dccd3cd9aefc8c3e915b34071ae1229
Author: Manjiri Tapaswi <mptap...@ncsu.edu>
AuthorDate: Sat Nov 3 10:41:19 2018 -0700

    ISSUE #1767: security vulnerabilities in 3rd party dependencies
    
    Descriptions of the changes in this PR:
    
    Upgraded jline and jackson to remove security vulnerabilities mentioned in 
#1767
    
    ### Motivation
    
    Remove security vulnerabilities mentioned in #1767
    
    ### Changes
    
    Upgraded jline and jackson 3rd party dependencies
    
    Master Issue: #1767
    
    
    
    
    Reviewers: Enrico Olivelli <eolive...@gmail.com>
    
    This closes #1777 from mptap/fix-1767-remove-vulnerabilities, closes #1767
---
 bookkeeper-dist/src/assemble/bin-all.xml           |  2 +-
 bookkeeper-dist/src/assemble/bin-server.xml        |  2 +-
 .../src/main/resources/LICENSE-all.bin.txt         | 24 +++++++++++-----------
 .../src/main/resources/LICENSE-server.bin.txt      | 12 +++++------
 .../deps/{jline-0.9.94 => jline-2.11}/LICENSE      |  4 +++-
 pom.xml                                            | 18 +++++++++++++++-
 6 files changed, 40 insertions(+), 22 deletions(-)

diff --git a/bookkeeper-dist/src/assemble/bin-all.xml 
b/bookkeeper-dist/src/assemble/bin-all.xml
index 7b047c4..c1d8b43 100644
--- a/bookkeeper-dist/src/assemble/bin-all.xml
+++ b/bookkeeper-dist/src/assemble/bin-all.xml
@@ -61,7 +61,7 @@
         <include>netty-4.1.22.Final/*</include>
         <include>paranamer-2.8/LICENSE.txt</include>
         <include>protobuf-3.0.0/LICENSE</include>
-        <include>jline-0.9.94/LICENSE</include>
+        <include>jline-2.11/LICENSE</include>
         <include>protobuf-3.5.1/LICENSE</include>
         <include>scala-library-2.11.7/LICENSE.md</include>
         <include>scala-parser-combinators_2.11-1.0.4/LICENSE.md</include>
diff --git a/bookkeeper-dist/src/assemble/bin-server.xml 
b/bookkeeper-dist/src/assemble/bin-server.xml
index aa7d1b8..46054c7 100644
--- a/bookkeeper-dist/src/assemble/bin-server.xml
+++ b/bookkeeper-dist/src/assemble/bin-server.xml
@@ -53,7 +53,7 @@
         <include>javax.servlet-api-3.1.0/CDDL+GPL-1.1</include>
         <include>netty-4.1.22.Final/*</include>
         <include>protobuf-3.0.0/LICENSE</include>
-        <include>jline-0.9.94/LICENSE</include>
+        <include>jline-2.11/LICENSE</include>
         <include>protobuf-3.5.1/LICENSE</include>
         <include>slf4j-1.7.25/LICENSE.txt</include>
       </includes>
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt 
b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
index 0b181f1..748ca24 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
@@ -205,11 +205,11 @@
 The following bundled 3rd party jars are distributed under the
 Apache Software License, Version 2.
 
-- lib/com.fasterxml.jackson.core-jackson-annotations-2.8.9.jar [1]
-- lib/com.fasterxml.jackson.core-jackson-core-2.8.9.jar [2]
-- lib/com.fasterxml.jackson.core-jackson-databind-2.8.9.jar [3]
-- lib/com.fasterxml.jackson.module-jackson-module-paranamer-2.8.4.jar [4]
-- lib/com.fasterxml.jackson.module-jackson-module-scala_2.11-2.8.4.jar [5]
+- lib/com.fasterxml.jackson.core-jackson-annotations-2.9.7.jar [1]
+- lib/com.fasterxml.jackson.core-jackson-core-2.9.7.jar [2]
+- lib/com.fasterxml.jackson.core-jackson-databind-2.9.7.jar [3]
+- lib/com.fasterxml.jackson.module-jackson-module-paranamer-2.9.7.jar [4]
+- lib/com.fasterxml.jackson.module-jackson-module-scala_2.11-2.9.7.jar [5]
 - lib/com.github.ben-manes.caffeine-caffeine-2.3.4.jar [9]
 - lib/com.google.guava-guava-21.0.jar [6]
 - lib/commons-cli-commons-cli-1.2.jar [7]
@@ -300,11 +300,11 @@ Apache Software License, Version 2.
 - lib/com.google.errorprone-error_prone_annotations-2.1.2.jar [48]
 - lib/org.apache.yetus-audience-annotations-0.5.0.jar [49]
 
-[1] Source available at 
https://github.com/FasterXML/jackson-annotations/tree/jackson-annotations-2.8.9
-[2] Source available at 
https://github.com/FasterXML/jackson-core/tree/jackson-core-2.8.9
-[3] Source available at 
https://github.com/FasterXML/jackson-databind/tree/jackson-databind-2.8.9
-[4] Source available at 
https://github.com/FasterXML/jackson-modules-base/tree/jackson-modules-base-2.8.4
-[5] Source available at 
https://github.com/FasterXML/jackson-module-scala/tree/f9e099
+[1] Source available at 
https://github.com/FasterXML/jackson-annotations/tree/jackson-annotations-2.9.7
+[2] Source available at 
https://github.com/FasterXML/jackson-core/tree/jackson-core-2.9.7
+[3] Source available at 
https://github.com/FasterXML/jackson-databind/tree/jackson-databind-2.9.7
+[4] Source available at 
https://github.com/FasterXML/jackson-modules-base/tree/jackson-modules-base-2.9.7
+[5] Source available at 
https://github.com/FasterXML/jackson-module-scala/tree/jackson-module-scala-2.9.7
 [6] Source available at https://github.com/google/guava/tree/v21.0
 [7] Source available at 
https://git-wip-us.apache.org/repos/asf?p=commons-cli.git;a=tag;h=bc8f0e
 [8] Source available at 
http://svn.apache.org/viewvc/commons/proper/codec/tags/1_6/
@@ -550,8 +550,8 @@ Bundled as
 Source available at 
https://github.com/google/google-auth-library-java/tree/0.9.0
 
------------------------------------------------------------------------------------
 This product bundles the JLine Library, which is available under a "2-clause 
BSD"
-license. For details, see deps/jline-0.9.94/LICENSE
+license. For details, see deps/jline-2.11/LICENSE
 
 Bundled as
-  - lib/jline-jline-0.9.94.jar
+  - lib/jline-jline-2.11.jar
 
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt 
b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
index 6b630b4..bd023c8 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
@@ -205,9 +205,9 @@
 The following bundled 3rd party jars are distributed under the
 Apache Software License, Version 2.
 
-- lib/com.fasterxml.jackson.core-jackson-annotations-2.8.9.jar [1]
-- lib/com.fasterxml.jackson.core-jackson-core-2.8.9.jar [2]
-- lib/com.fasterxml.jackson.core-jackson-databind-2.8.9.jar [3]
+- lib/com.fasterxml.jackson.core-jackson-annotations-2.9.7.jar [1]
+- lib/com.fasterxml.jackson.core-jackson-core-2.9.7.jar [2]
+- lib/com.fasterxml.jackson.core-jackson-databind-2.9.7.jar [3]
 - lib/com.google.guava-guava-21.0.jar [4]
 - lib/commons-cli-commons-cli-1.2.jar [5]
 - lib/commons-codec-commons-codec-1.6.jar [6]
@@ -267,7 +267,7 @@ Apache Software License, Version 2.
 
 [1] Source available at 
https://github.com/FasterXML/jackson-annotations/tree/jackson-annotations-2.8.9
 [2] Source available at 
https://github.com/FasterXML/jackson-core/tree/jackson-core-2.8.9
-[3] Source available at 
https://github.com/FasterXML/jackson-databind/tree/jackson-databind-2.8.9
+[3] Source available at 
https://github.com/FasterXML/jackson-databind/tree/jackson-databind-2.9.7
 [4] Source available at https://github.com/google/guava/tree/v21.0
 [5] Source available at 
https://git-wip-us.apache.org/repos/asf?p=commons-cli.git;a=tag;h=bc8f0e
 [6] Source available at 
http://svn.apache.org/viewvc/commons/proper/codec/tags/1_6/
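Review bot: Footnotes [1] and [2] in this hunk still point at the 2.8.9 tags for jackson-annotations and jackson-core, while the jar list updated earlier in the same file (the hunk at -205,9) now names the 2.9.7 jars, so the server LICENSE notice attributes two bundled jars to the wrong release. LICENSE-all.bin.txt updates all five Jackson footnotes in this commit and this file should match it. The two context lines should become `[1] Source available at https://github.com/FasterXML/jackson-annotations/tree/jackson-annotations-2.9.7` and `[2] Source available at https://github.com/FasterXML/jackson-core/tree/jackson-core-2.9.7`.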
@@ -438,7 +438,7 @@ Bundled as
 Source available at 
https://github.com/google/google-auth-library-java/tree/0.9.0
 
------------------------------------------------------------------------------------
 This product bundles the JLine Library, which is available under a "2-clause 
BSD"
-license. For details, see deps/jline-0.9.94/LICENSE
+license. For details, see deps/jline-2.11/LICENSE
 
 Bundled as
-  - lib/jline-jline-0.9.94.jar
+  - lib/jline-jline-2.11.jar
diff --git a/bookkeeper-dist/src/main/resources/deps/jline-0.9.94/LICENSE 
b/bookkeeper-dist/src/main/resources/deps/jline-2.11/LICENSE
similarity index 92%
rename from bookkeeper-dist/src/main/resources/deps/jline-0.9.94/LICENSE
rename to bookkeeper-dist/src/main/resources/deps/jline-2.11/LICENSE
index 246f54f..9ef434e 100644
--- a/bookkeeper-dist/src/main/resources/deps/jline-0.9.94/LICENSE
+++ b/bookkeeper-dist/src/main/resources/deps/jline-2.11/LICENSE
@@ -1,6 +1,8 @@
-Copyright (c) 2002-2006, Marc Prud'hommeaux <m...@cornell.edu>
+Copyright (c) 2002-2012, the original author or authors.
 All rights reserved.
 
+http://www.opensource.org/licenses/bsd-license.php
+
 Redistribution and use in source and binary forms, with or
 without modification, are permitted provided that the following
 conditions are met:
diff --git a/pom.xml b/pom.xml
index 95aaf73..8d43ecd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -133,10 +133,11 @@
     <hadoop.version>2.7.3</hadoop.version>
     <hamcrest.version>1.3</hamcrest.version>
     <hdrhistogram.version>2.1.10</hdrhistogram.version>
-    <jackson.version>2.8.9</jackson.version>
+    <jackson.version>2.9.7</jackson.version>
     <jackson-mapper-asl.version>1.9.11</jackson-mapper-asl.version>
     <jcommander.version>1.48</jcommander.version>
     <jetty.version>9.4.5.v20170502</jetty.version>
+    <jline.version>2.11</jline.version>
     <jmh.version>1.19</jmh.version>
     <jmock.version>2.8.2</jmock.version>
     <jna.version>3.2.7</jna.version>
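Review bot: The `jackson-mapper-asl.version` property on the line right after the bumped `jackson.version` stays at 1.9.11, so the legacy `org.codehaus.jackson` (Jackson 1.x) line is still managed by this pom even though the commit's stated goal is removing vulnerable third-party dependencies; Jackson 1.x has been end-of-life for years and receives no fixes. The third hunk's `<!-- dependency needed for zookeeper jetty admin server -->` block shows why it is retained, so it likely cannot be dropped here, but the property deserves a comment recording that, e.g. `<!-- Jackson 1.x (EOL) retained only for the ZooKeeper Jetty admin server; track removal separately -->`, so the next dependency audit does not read it as an oversight. It is also worth confirming that the ZooKeeper version in use still needs it rather than assuming so.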
@@ -226,6 +227,11 @@
         <artifactId>freebuilder</artifactId>
         <version>${freebuilder.version}</version>
       </dependency>
+      <dependency>
+        <groupId>jline</groupId>
+        <artifactId>jline</artifactId>
+        <version>${jline.version}</version>
+      </dependency>
 
       <!-- logging dependencies -->
       <dependency>
@@ -321,6 +327,16 @@
         <artifactId>jackson-annotations</artifactId>
         <version>${jackson.version}</version>
       </dependency>
+      <dependency>
+        <groupId>com.fasterxml.jackson.module</groupId>
+        <artifactId>jackson-module-paranamer</artifactId>
+        <version>${jackson.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.fasterxml.jackson.module</groupId>
+        <artifactId>jackson-module-scala_2.11</artifactId>
+        <version>${jackson.version}</version>
+      </dependency>
       <!-- dependency needed for zookeeper jetty admin server -->
       <dependency>
         <groupId>org.codehaus.jackson</groupId>
