[ https://issues.apache.org/jira/browse/HADOOP-18587?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17703580#comment-17703580 ]

Andras Katona edited comment on HADOOP-18587 at 3/23/23 7:46 PM:
-----------------------------------------------------------------

It's not enough just to upgrade the version in dependency management. If 
jettison is coming only as a transitive dependency, whoever is pulling in that hadoop 
library will still get the wrong jettison.
Example:
hadoop-common
{noformat}
org.example:untitled:jar:1.0-SNAPSHOT
\- org.apache.hadoop:hadoop-common:jar:3.4.0-SNAPSHOT:compile
...
   +- com.github.pjfanning:jersey-json:jar:1.20:compile
   |  +- org.codehaus.jettison:jettison:jar:1.1:compile
...
{noformat}
When the module is a library (so it will be used outside of the actual 
project), the correct dependency must be declared as a direct dependency (and 
optionally excluded from the dependency it originally came from).


update: created a ticket for this, HADOOP-18676


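The following pom fragment is an added illustration of the point made in the comment above; it is not taken from the Hadoop poms. The coordinates (org.codehaus.jettison:jettison 1.5.3, com.github.pjfanning:jersey-json 1.20) come from the comment and the issue title; the groupId/artifactId org.example:my-library is a placeholder standing in for a library module such as hadoop-common. It shows both the pin that is insufficient for a library (dependencyManagement only) and the direct declaration plus exclusion that actually reaches downstream consumers.

```xml
<!-- Added example, not from the Hadoop project. Demonstrates why a
     library module must declare the fixed jettison directly: Maven only
     consults dependencyManagement of the project being built, never the
     dependencyManagement of a dependency it pulls in. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>            <!-- placeholder -->
  <artifactId>my-library</artifactId>       <!-- placeholder -->
  <version>1.0-SNAPSHOT</version>

  <!-- INSUFFICIENT on its own for a library: this pin applies when
       my-library itself is built. A downstream project depending on
       my-library resolves jettison from jersey-json's own pom and gets
       1.1 again. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.codehaus.jettison</groupId>
        <artifactId>jettison</artifactId>
        <version>1.5.3</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>com.github.pjfanning</groupId>
      <artifactId>jersey-json</artifactId>
      <version>1.20</version>
      <!-- Optional: remove the vulnerable transitive path entirely so the
           only jettison that can appear in any consumer's tree is the one
           declared directly below. -->
      <exclusions>
        <exclusion>
          <groupId>org.codehaus.jettison</groupId>
          <artifactId>jettison</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- SUFFICIENT: a direct dependency is written into the published pom,
         so every consumer of my-library inherits the fixed version. -->
    <dependency>
      <groupId>org.codehaus.jettison</groupId>
      <artifactId>jettison</artifactId>
      <version>1.5.3</version>
    </dependency>
  </dependencies>
</project>
```

To check the result from a consuming project, run `mvn dependency:tree -Dincludes=org.codehaus.jettison` and confirm that the only entry shown is `org.codehaus.jettison:jettison:jar:1.5.3`. Without the exclusion, Maven's nearest-wins rule would usually still pick 1.5.3 (it sits one level closer than the jersey-json path), but the exclusion makes the outcome independent of tree depth and of any other artifact that later drags in jersey-json.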

> upgrade to jettison 1.5.3 to fix CVE-2022-40150
> -----------------------------------------------
>
>                 Key: HADOOP-18587
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18587
>             Project: Hadoop Common
>          Issue Type: Task
>          Components: common
>            Reporter: PJ Fanning
>            Assignee: PJ Fanning
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.0, 3.3.5
>
>
> [https://github.com/advisories/GHSA-x27m-9w8j-5vcw]
>  
> [https://github.com/jettison-json/jettison/releases]
> v1.5.2 is flagged as fixing a CVE but a v1.5.3 was quickly released and 
> appears to fix some regressions caused by v1.5.2.
> Many hadoop tests fail when jettison 1.5.2 is used.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
