[jira] [Commented] (FLUME-3131) Upgrade spring framework library dependencies

Thu, 24 Aug 2017 09:43:29 -0700 

    [ 
https://issues.apache.org/jira/browse/FLUME-3131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16140283#comment-16140283
 ] 

ASF subversion and git services commented on FLUME-3131:
--------------------------------------------------------

Commit aa1aea07b7e2bd25e28efdc262239ec501fbf086 in flume's branch 
refs/heads/trunk from [~fszabo]
[ https://git-wip-us.apache.org/repos/asf?p=flume.git;h=aa1aea0 ]

FLUME-3131. Upgrade Spring Framework library dependencies

The Spring Framework libraries are transitive depencencies through ActiveMQ
thus it's not possible to upgrade.
They are only used is tests so moved ActiveMQ to test scope.

This closes #153

Reviewers: Attila Simon, Denes Arvay

(Ferenc Szabo via Denes Arvay)


> Upgrade spring framework library dependencies
> ---------------------------------------------
>
>                 Key: FLUME-3131
>                 URL: https://issues.apache.org/jira/browse/FLUME-3131
>             Project: Flume
>          Issue Type: Bug
>    Affects Versions: 1.7.0
>            Reporter: Attila Simon
>            Assignee: Ferenc Szabo
>            Priority: Critical
>              Labels: dependency
>             Fix For: 1.8.0
>
>         Attachments: FLUME-3131-1.patch, FLUME-3131.patch
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |org.springframework|spring-aop|3.0.7.RELEASE|4.3.9.RELEASE,|
> |org.springframework|spring-context|3.0.7.RELEASE|4.3.9.RELEASE,|
> |org.springframework|spring-core|3.0.7.RELEASE|4.3.9.RELEASE,|
> Security vulnerability: 
> https://www.cvedetails.com/vulnerability-list/vendor_id-9664/product_id-17274/Springsource-Spring-Framework.html
> Maven repositories: 
> - https://mvnrepository.com/artifact/org.springframework/spring-aop
> - https://mvnrepository.com/artifact/org.springframework/spring-context
> - https://mvnrepository.com/artifact/org.springframework/spring-core
> Please do:
> - CVE might be a false alarm or mistake. Please double check.
> - double check the newest version. 
> - consider to remove a dependency if better alternative is available.
> - check whether the lib change would introduce a backward incompatibility (in 
> which case please add this label `breaking_change` and fix version should be 
> the next major)
> Excerpt from mvn dependency:tree
> {noformat}
> org.apache.flume.flume-ng-sources:flume-jms-source:jar:1.8.0-SNAPSHOT
> \- org.apache.activemq:activemq-core:jar:5.7.0:provided
>    +- org.springframework:spring-context:jar:3.0.7.RELEASE:provided
>    |  +- org.springframework:spring-aop:jar:3.0.7.RELEASE:provided
>    |  +- org.springframework:spring-beans:jar:3.0.7.RELEASE:provided
>    |  +- org.springframework:spring-core:jar:3.0.7.RELEASE:provided
>    |  +- org.springframework:spring-expression:jar:3.0.7.RELEASE:provided
>    |  \- org.springframework:spring-asm:jar:3.0.7.RELEASE:provided
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to