This is an automated email from the ASF dual-hosted git repository. nicholasjiang pushed a commit to branch branch-0.6 in repository https://gitbox.apache.org/repos/asf/celeborn.git
commit 4db362613fc88eba0d1a2df9ef6fd74ebca13d96 Author: Wang, Fei <[email protected]> AuthorDate: Tue Dec 16 20:08:27 2025 +0800 [CELEBORN-2231] Upgrade jersey version to 2.47 to fix CVE-2025-12383 ### What changes were proposed in this pull request? Upgrade jersey version to 2.47 to fix CVE-2025-12383 ### Why are the changes needed? to fix CVE-2025-12383 ### Does this PR resolve a correctness bug? No. ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? GA Closes #3557 from turboFei/jersery. Authored-by: Wang, Fei <[email protected]> Signed-off-by: SteNicholas <[email protected]> --- dev/deps/dependencies-server | 18 +++++++++--------- pom.xml | 16 +++++++++++++++- project/CelebornBuild.scala | 7 +++++-- 3 files changed, 29 insertions(+), 12 deletions(-)
diff --git a/dev/deps/dependencies-server b/dev/deps/dependencies-server
index 3f9062e5c..3095350c1 100644
--- a/dev/deps/dependencies-server
+++ b/dev/deps/dependencies-server
@@ -52,17 +52,17 @@ jakarta.servlet-api/5.0.0//jakarta.servlet-api-5.0.0.jar
 jakarta.validation-api/2.0.2//jakarta.validation-api-2.0.2.jar
 jakarta.ws.rs-api/2.1.6//jakarta.ws.rs-api-2.1.6.jar
 jakarta.xml.bind-api/2.3.3//jakarta.xml.bind-api-2.3.3.jar
-javassist/3.29.0-GA//javassist-3.29.0-GA.jar
+javassist/3.30.2-GA//javassist-3.30.2-GA.jar
 javax.servlet-api/4.0.1//javax.servlet-api-4.0.1.jar
 jcl-over-slf4j/1.7.36//jcl-over-slf4j-1.7.36.jar
-jersey-client/2.39.1//jersey-client-2.39.1.jar
-jersey-common/2.39.1//jersey-common-2.39.1.jar
-jersey-container-servlet-core/2.39.1//jersey-container-servlet-core-2.39.1.jar
-jersey-entity-filtering/2.39.1//jersey-entity-filtering-2.39.1.jar
-jersey-hk2/2.39.1//jersey-hk2-2.39.1.jar
-jersey-media-json-jackson/2.39.1//jersey-media-json-jackson-2.39.1.jar
-jersey-media-multipart/2.39.1//jersey-media-multipart-2.39.1.jar
-jersey-server/2.39.1//jersey-server-2.39.1.jar
+jersey-client/2.47//jersey-client-2.47.jar
+jersey-common/2.47//jersey-common-2.47.jar
+jersey-container-servlet-core/2.47//jersey-container-servlet-core-2.47.jar
+jersey-entity-filtering/2.47//jersey-entity-filtering-2.47.jar
+jersey-hk2/2.47//jersey-hk2-2.47.jar
+jersey-media-json-jackson/2.47//jersey-media-json-jackson-2.47.jar
+jersey-media-multipart/2.47//jersey-media-multipart-2.47.jar
+jersey-server/2.47//jersey-server-2.47.jar
 jetty-client/9.4.58.v20250814//jetty-client-9.4.58.v20250814.jar
 jetty-http/9.4.58.v20250814//jetty-http-9.4.58.v20250814.jar
 jetty-io/9.4.58.v20250814//jetty-io-9.4.58.v20250814.jar
diff --git a/pom.xml b/pom.xml
index ab8df7d64..78aa6821d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -119,7 +119,7 @@
 <!-- RESTful service dependencies -->
 <swagger.version>2.2.1</swagger.version>
 <swagger-ui.version>4.9.1</swagger-ui.version>
- <jersey.version>2.39.1</jersey.version>
+ <jersey.version>2.47</jersey.version>
 <jetty.version>9.4.58.v20250814</jetty.version>
 <javax.servlet-api.version>4.0.1</javax.servlet-api.version>
 <!-- 6.0.0 requires JDK 11 -->
@@ -583,6 +583,20 @@
 <groupId>org.glassfish.jersey.media</groupId>
 <artifactId>jersey-media-json-jackson</artifactId>
 <version>${jersey.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>com.fasterxml.jackson.core</groupId>
+ <artifactId>jackson-annotations</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>com.fasterxml.jackson.core</groupId>
+ <artifactId>jackson-databind</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>com.fasterxml.jackson.module</groupId>
+ <artifactId>jackson-module-jaxb-annotations</artifactId>
+ </exclusion>
+ </exclusions>
 </dependency>
 <dependency>
diff --git a/project/CelebornBuild.scala b/project/CelebornBuild.scala
index bf50e3253..a798c4ab5 100644
--- a/project/CelebornBuild.scala
+++ b/project/CelebornBuild.scala
@@ -78,7 +78,7 @@ object Dependencies {
 val h2Version = "2.2.224"
 val swaggerVersion = "2.2.1"
 val swaggerUiVersion = "4.9.1"
- val jerseyVersion = "2.39.1"
+ val jerseyVersion = "2.47"
 val jettyVersion = "9.4.58.v20250814"
 val javaxServletApiVersion = "4.0.1"
 val jakartaServeletApiVersion = "5.0.0"
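Review bot: The three new exclusions under jersey-media-json-jackson hand the choice of Jackson version entirely to this pom's own dependency management, but nothing in the hunk records why they exist or which managed Jackson line Jersey 2.47 is expected to run against. Jersey's JSON provider is presumably built against a particular Jackson release, so the managed jackson-databind, jackson-annotations and jackson-module-jaxb-annotations should be confirmed as binary-compatible with 2.47 and free of their own open advisories; otherwise this upgrade can quietly trade one CVE for another, and the dependencies-server hunk showing no jackson jar changing only suggests (does not prove) that the same jars are still resolved from another path. I would add `<!-- Jackson is managed by this pom; exclude Jersey's transitive copies so a Jersey bump cannot pull in an unvetted Jackson. -->` directly above the new `<exclusions>` element. The enclosing `<dependency>` element closes inside the hunk but opens outside it.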
@@ -195,7 +195,10 @@ object Dependencies {
 ExclusionRule("jakarta.xml.bind", "jakarta.xml.bind-api"))
 val jerseyContainerServletCore = "org.glassfish.jersey.containers" % "jersey-container-servlet-core" % jerseyVersion
 val jerseyHk2 = "org.glassfish.jersey.inject" % "jersey-hk2" % jerseyVersion
- val jerseyMediaJsonJackson = "org.glassfish.jersey.media" % "jersey-media-json-jackson" % jerseyVersion
+ val jerseyMediaJsonJackson = "org.glassfish.jersey.media" % "jersey-media-json-jackson" % jerseyVersion excludeAll(
+ ExclusionRule("com.fasterxml.jackson.core", "jackson-annotations"),
+ ExclusionRule("com.fasterxml.jackson.core", "jackson-databind"),
+ ExclusionRule("com.fasterxml.jackson.module", "jackson-module-jaxb-annotations"))
 val jerseyMediaMultipart = "org.glassfish.jersey.media" % "jersey-media-multipart" % jerseyVersion
 val swaggerJaxrs2 = "io.swagger.core.v3" % "swagger-jaxrs2" %swaggerVersion excludeAll(
 ExclusionRule("com.sun.activation", "jakarta.activation"),
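Review bot: In sbt an `excludeAll` only removes the artifacts from this module's graph, it does not substitute a managed version the way Maven's dependencyManagement does, so after this change `jerseyMediaJsonJackson` only works if jackson-databind, jackson-annotations and jackson-module-jaxb-annotations are declared directly on every module that uses it; those declarations are outside the hunk, so please confirm they exist, in particular jackson-module-jaxb-annotations, which as far as I recall the Jersey JSON provider references directly and whose absence would surface as a runtime NoClassDefFoundError rather than a build failure. The exclusion list is now duplicated verbatim between pom.xml and this file with nothing tying the two together, which is how the next Jersey or Jackson bump ends up fixed in one build and not the other. A one-line comment above the new `val`, `// Keep in sync with the jersey-media-json-jackson exclusions in pom.xml: Jackson is pinned by the project, not by Jersey.`, would make the coupling visible. The `object Dependencies` body starts and ends outside the hunk.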
