This is an automated email from the ASF dual-hosted git repository. yong pushed a commit to branch branch-4.15 in repository https://gitbox.apache.org/repos/asf/bookkeeper.git
commit fda9ba9a7f1d89641cefcc8a9125d344c03a514d
Author: Hang Chen <[email protected]>
AuthorDate: Mon Apr 17 11:28:47 2023 +0800

Remove avro, hadoop-auth and jersey-json dependencies from hadoop-common to resolve CVE-2019-10202, CVE-2023-1370 and CVE-2022-45685 (#3911)

### Motivation

#### [CVE-2019-10202](https://www.cve.org/CVERecord?id=CVE-2019-10202)

After upgrading the Hadoop version to 3.3.5, CVE-2019-10202 still exists.

Detailed paths
Introduced through: org.apache.distributedlog:[email protected] › org.apache.hadoop:[email protected] › org.apache.avro:[email protected] › org.codehaus.jackson:[email protected]

#### [CVE-2023-1370](https://www.cve.org/CVERecord?id=CVE-2023-1370)

Detailed paths
Introduced through: org.apache.distributedlog:[email protected] › org.apache.hadoop:[email protected] › org.apache.hadoop:[email protected] › net.minidev:[email protected]
Fix: No remediation path available.

#### [CVE-2022-45685](https://www.cve.org/CVERecord?id=CVE-2022-45685)

Detailed paths
Introduced through: org.apache.distributedlog:[email protected] › org.apache.hadoop:[email protected] › com.github.pjfanning:[email protected] › org.codehaus.jettison:[email protected]
Fix: No remediation path available.

After checking the code of package `org.apache.distributedlog.fs`, those classes only use the `org.apache.hadoop.conf`, `org.apache.hadoop.fs` and `org.apache.hadoop.util` packages. They don't use any Avro-related, json-smart or jersey-json dependencies. It is safe to remove those dependencies to resolve the CVE issues.

https://github.com/apache/bookkeeper/tree/master/stream/distributedlog/io/dlfs/src/main/java/org/apache/distributedlog/fs

### Changes

Exclude the Avro dependency from `hadoop-common`

(cherry picked from commit 94e15b3dc0286de1dda1bd3989fd8b9de12e8d05)
---
stream/distributedlog/io/dlfs/pom.xml | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/stream/distributedlog/io/dlfs/pom.xml b/stream/distributedlog/io/dlfs/pom.xml index 761d390ecf..fb548e9575 100644 --- a/stream/distributedlog/io/dlfs/pom.xml +++ b/stream/distributedlog/io/dlfs/pom.xml @@ -58,6 +58,18 @@ <groupId>log4j</groupId> <artifactId>log4j</artifactId> </exclusion> + <exclusion> + <groupId>org.apache.avro</groupId> + <artifactId>avro</artifactId> + </exclusion> + <exclusion> + <groupId>net.minidev</groupId> + <artifactId>json-smart</artifactId> + </exclusion> + <exclusion> + <groupId>com.github.pjfanning</groupId> + <artifactId>jersey-json</artifactId> + </exclusion> </exclusions> </dependency> <dependency>
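Review bot: the subject line says hadoop-auth is removed, but the hunk excludes `net.minidev:json-smart`, not `org.apache.hadoop:hadoop-auth`, and the `### Changes` section mentions only Avro while the hunk adds three exclusions (avro, json-smart, jersey-json); either exclude hadoop-auth as the subject states or make the subject and the Changes section match what the pom actually does. The exclusions rest on a code-reading claim that `org.apache.distributedlog.fs` touches only `org.apache.hadoop.conf`, `fs` and `util`; a Maven exclusion drops the artifact from the classpath for every consumer of this module, so a runtime path inside hadoop-common that loads one of the excluded classes would surface as a class-loading error only at runtime. It would be worth stating in the message that `mvn dependency:tree -pl stream/distributedlog/io/dlfs` no longer lists the three artifacts and that the dlfs tests were run against the trimmed classpath, since the CVE tooling output quoted in the motivation only shows the dependency paths, not that the code paths are unused.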
