This is an automated email from the ASF dual-hosted git repository.
nicholasjiang pushed a commit to branch branch-0.6
in repository https://gitbox.apache.org/repos/asf/celeborn.git
The following commit(s) were added to refs/heads/branch-0.6 by this push:
new 8295bf36b [CELEBORN-2231] Upgrade jersey version to 2.47 to fix
CVE-2025-12383
8295bf36b is described below
commit 8295bf36b496e6b66bb0d0fa46a3922eaa14eb16
Author: Wang, Fei <[email protected]>
AuthorDate: Tue Dec 16 20:08:27 2025 +0800
[CELEBORN-2231] Upgrade jersey version to 2.47 to fix CVE-2025-12383
<!--
Thanks for sending a pull request! Here are some tips for you:
- Make sure the PR title starts with a JIRA ticket, e.g. '[CELEBORN-XXXX]
Your PR title ...'.
- Be sure to keep the PR description updated to reflect all changes.
- Please write your PR title to summarize what this PR proposes.
- If possible, provide a concise example to reproduce the issue for a
faster review.
-->
### What changes were proposed in this pull request?
Upgrade jersey version to 2.47 to fix CVE-2025-12383
### Why are the changes needed?
to fix CVE-2025-12383
### Does this PR resolve a correctness bug?
<!-- Yes/No. (Note: If yes, committer will add `correctness` label to
current pull request). -->
No.
### Does this PR introduce _any_ user-facing change?
No.
### How was this patch tested?
GA
Closes #3557 from turboFei/jersery.
Authored-by: Wang, Fei <[email protected]>
Signed-off-by: SteNicholas <[email protected]>
(cherry picked from commit 345cb3b6776412ea29a2c7a54ad1658bfc805afe)
Signed-off-by: SteNicholas <[email protected]>
---
dev/deps/dependencies-server | 18 +++++++++---------
pom.xml | 16 +++++++++++++++-
project/CelebornBuild.scala | 7 +++++--
3 files changed, 29 insertions(+), 12 deletions(-)
diff --git a/dev/deps/dependencies-server b/dev/deps/dependencies-server
index 3f9062e5c..3095350c1 100644
--- a/dev/deps/dependencies-server
+++ b/dev/deps/dependencies-server
@@ -52,17 +52,17 @@ jakarta.servlet-api/5.0.0//jakarta.servlet-api-5.0.0.jar
jakarta.validation-api/2.0.2//jakarta.validation-api-2.0.2.jar
jakarta.ws.rs-api/2.1.6//jakarta.ws.rs-api-2.1.6.jar
jakarta.xml.bind-api/2.3.3//jakarta.xml.bind-api-2.3.3.jar
-javassist/3.29.0-GA//javassist-3.29.0-GA.jar
+javassist/3.30.2-GA//javassist-3.30.2-GA.jar
javax.servlet-api/4.0.1//javax.servlet-api-4.0.1.jar
jcl-over-slf4j/1.7.36//jcl-over-slf4j-1.7.36.jar
-jersey-client/2.39.1//jersey-client-2.39.1.jar
-jersey-common/2.39.1//jersey-common-2.39.1.jar
-jersey-container-servlet-core/2.39.1//jersey-container-servlet-core-2.39.1.jar
-jersey-entity-filtering/2.39.1//jersey-entity-filtering-2.39.1.jar
-jersey-hk2/2.39.1//jersey-hk2-2.39.1.jar
-jersey-media-json-jackson/2.39.1//jersey-media-json-jackson-2.39.1.jar
-jersey-media-multipart/2.39.1//jersey-media-multipart-2.39.1.jar
-jersey-server/2.39.1//jersey-server-2.39.1.jar
+jersey-client/2.47//jersey-client-2.47.jar
+jersey-common/2.47//jersey-common-2.47.jar
+jersey-container-servlet-core/2.47//jersey-container-servlet-core-2.47.jar
+jersey-entity-filtering/2.47//jersey-entity-filtering-2.47.jar
+jersey-hk2/2.47//jersey-hk2-2.47.jar
+jersey-media-json-jackson/2.47//jersey-media-json-jackson-2.47.jar
+jersey-media-multipart/2.47//jersey-media-multipart-2.47.jar
+jersey-server/2.47//jersey-server-2.47.jar
jetty-client/9.4.58.v20250814//jetty-client-9.4.58.v20250814.jar
jetty-http/9.4.58.v20250814//jetty-http-9.4.58.v20250814.jar
jetty-io/9.4.58.v20250814//jetty-io-9.4.58.v20250814.jar
diff --git a/pom.xml b/pom.xml
index ab8df7d64..78aa6821d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -119,7 +119,7 @@
<!-- RESTful service dependencies -->
<swagger.version>2.2.1</swagger.version>
<swagger-ui.version>4.9.1</swagger-ui.version>
- <jersey.version>2.39.1</jersey.version>
+ <jersey.version>2.47</jersey.version>
<jetty.version>9.4.58.v20250814</jetty.version>
<javax.servlet-api.version>4.0.1</javax.servlet-api.version>
<!-- 6.0.0 requires JDK 11 -->
@@ -583,6 +583,20 @@
<groupId>org.glassfish.jersey.media</groupId>
<artifactId>jersey-media-json-jackson</artifactId>
<version>${jersey.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>com.fasterxml.jackson.core</groupId>
+ <artifactId>jackson-annotations</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>com.fasterxml.jackson.core</groupId>
+ <artifactId>jackson-databind</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>com.fasterxml.jackson.module</groupId>
+ <artifactId>jackson-module-jaxb-annotations</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
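Review bot: The new `<exclusions>` on jersey-media-json-jackson drop the Jackson artifacts that Jersey 2.47 declares, so the Jackson backing JacksonFeature at runtime is whatever the project pins elsewhere, and nothing in the hunk records why that choice was made or what minimum Jackson Jersey 2.47 expects. The dependencies-server diff in this commit changes only javassist and jersey jars (all 18 lines of its diffstat), which confirms the pre-existing Jackson stays on the classpath; presumably that pin is at least the version Jersey 2.47 was built against — worth confirming, since a mismatch surfaces only at runtime and an older databind may carry its own advisories. Add a comment above the block such as `<!-- Jersey 2.47 pulls a newer Jackson; excluded so the project-managed Jackson version stays authoritative -->`. The same undocumented exclusions are added to jerseyMediaJsonJackson in the project/CelebornBuild.scala hunk and should carry a matching comment.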
diff --git a/project/CelebornBuild.scala b/project/CelebornBuild.scala
index bf50e3253..a798c4ab5 100644
--- a/project/CelebornBuild.scala
+++ b/project/CelebornBuild.scala
@@ -78,7 +78,7 @@ object Dependencies {
val h2Version = "2.2.224"
val swaggerVersion = "2.2.1"
val swaggerUiVersion = "4.9.1"
- val jerseyVersion = "2.39.1"
+ val jerseyVersion = "2.47"
val jettyVersion = "9.4.58.v20250814"
val javaxServletApiVersion = "4.0.1"
val jakartaServeletApiVersion = "5.0.0"
@@ -195,7 +195,10 @@ object Dependencies {
ExclusionRule("jakarta.xml.bind", "jakarta.xml.bind-api"))
val jerseyContainerServletCore = "org.glassfish.jersey.containers" %
"jersey-container-servlet-core" % jerseyVersion
val jerseyHk2 = "org.glassfish.jersey.inject" % "jersey-hk2" % jerseyVersion
- val jerseyMediaJsonJackson = "org.glassfish.jersey.media" %
"jersey-media-json-jackson" % jerseyVersion
+ val jerseyMediaJsonJackson = "org.glassfish.jersey.media" %
"jersey-media-json-jackson" % jerseyVersion excludeAll(
+ ExclusionRule("com.fasterxml.jackson.core", "jackson-annotations"),
+ ExclusionRule("com.fasterxml.jackson.core", "jackson-databind"),
+ ExclusionRule("com.fasterxml.jackson.module",
"jackson-module-jaxb-annotations"))
val jerseyMediaMultipart = "org.glassfish.jersey.media" %
"jersey-media-multipart" % jerseyVersion
val swaggerJaxrs2 = "io.swagger.core.v3" % "swagger-jaxrs2" %swaggerVersion
excludeAll(
ExclusionRule("com.sun.activation", "jakarta.activation"),