Hello again!

I have prepared a patch that bumps some dependencies to their latest
versions: https://issues.apache.org/jira/browse/IGNITE-12540

Please consider its inclusion in 2.8, and provide review if you are
positive.

Regards,
-- 
Ilya Kasnacheev


Tue, 31 Dec 2019 at 15:54, Ilya Kasnacheev <ilya.kasnach...@gmail.com>:

> Hello!
>
> I have run the dependency checker plugin and quote the following:
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-urideploy:
> One or more dependencies were identified with known vulnerabilities in
> ignite-spring:
> One or more dependencies were identified with known vulnerabilities in
> ignite-spring-data:
> One or more dependencies were identified with known vulnerabilities in
> ignite-aop:
> One or more dependencies were identified with known vulnerabilities in
> ignite-visor-console:
>
> spring-core-4.3.18.RELEASE.jar
> (pkg:maven/org.springframework/spring-core@4.3.18.RELEASE,
> cpe:2.3:a:pivotal_software:spring_framework:4.3.18.release:*:*:*:*:*:*:*,
> cpe:2.3:a:springsource:spring_framework:4.3.18.release:*:*:*:*:*:*:*,
> cpe:2.3:a:vmware:springsource_spring_framework:4.3.18:*:*:*:*:*:*:*) :
> CVE-2018-15756
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-spring-data_2.0:
>
> spring-core-5.0.8.RELEASE.jar
> (pkg:maven/org.springframework/spring-core@5.0.8.RELEASE,
> cpe:2.3:a:pivotal_software:spring_framework:5.0.8.release:*:*:*:*:*:*:*,
> cpe:2.3:a:springsource:spring_framework:5.0.8.release:*:*:*:*:*:*:*,
> cpe:2.3:a:vmware:springsource_spring_framework:5.0.8:*:*:*:*:*:*:*) :
> CVE-2018-15756
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-rest-http:
>
> jetty-server-9.4.11.v20180605.jar
> (pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605,
> cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*,
> cpe:2.3:a:jetty:jetty:9.4.11.v20180605:*:*:*:*:*:*:*,
> cpe:2.3:a:mortbay_jetty:jetty:9.4.11:20180605:*:*:*:*:*:*) :
> CVE-2018-12545, CVE-2019-10241, CVE-2019-10247
> jackson-databind-2.9.6.jar
> (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6,
> cpe:2.3:a:fasterxml:jackson:2.9.6:*:*:*:*:*:*:*,
> cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) :
> CVE-2018-1000873, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720,
> CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362,
> CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379,
> CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942,
> CVE-2019-16943, CVE-2019-17267, CVE-2019-17531
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-kubernetes:
> One or more dependencies were identified with known vulnerabilities in
> ignite-aws:
>
> jackson-databind-2.9.6.jar
> (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6,
> cpe:2.3:a:fasterxml:jackson:2.9.6:*:*:*:*:*:*:*,
> cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) :
> CVE-2018-1000873, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720,
> CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362,
> CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379,
> CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942,
> CVE-2019-16943, CVE-2019-17267, CVE-2019-17531
> bcprov-ext-jdk15on-1.54.jar
> (pkg:maven/org.bouncycastle/bcprov-ext-jdk15on@1.54) : CVE-2015-6644,
> CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, CVE-2016-1000341,
> CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345,
> CVE-2016-1000346, CVE-2016-1000352, CVE-2016-2427, CVE-2017-13098,
> CVE-2018-1000180, CVE-2018-1000613
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-gce:
>
> httpclient-4.0.1.jar (pkg:maven/org.apache.httpcomponents/httpclient@4.0.1,
> cpe:2.3:a:apache:httpclient:4.0.1:*:*:*:*:*:*:*) : CVE-2011-1498,
> CVE-2014-3577, CVE-2015-5262
> guava-jdk5-17.0.jar (pkg:maven/com.google.guava/guava-jdk5@17.0,
> cpe:2.3:a:google:guava:17.0:*:*:*:*:*:*:*) : CVE-2018-10237
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-cloud:
>
> openstack-keystone-2.0.0.jar
> (pkg:maven/org.apache.jclouds.api/openstack-keystone@2.0.0,
> cpe:2.3:a:openstack:keystone:2.0.0:*:*:*:*:*:*:*,
> cpe:2.3:a:openstack:openstack:2.0.0:*:*:*:*:*:*:*) : CVE-2013-2014,
> CVE-2013-4222, CVE-2013-6391, CVE-2014-0204, CVE-2014-3476, CVE-2014-3520,
> CVE-2014-3621, CVE-2015-3646, CVE-2015-7546, CVE-2018-14432, CVE-2018-20170
> cloudstack-2.0.0.jar (pkg:maven/org.apache.jclouds.api/cloudstack@2.0.0,
> cpe:2.3:a:apache:cloudstack:2.0.0:*:*:*:*:*:*:*) : CVE-2013-2136,
> CVE-2013-6398, CVE-2014-0031, CVE-2014-9593, CVE-2015-3252
> docker-2.0.0.jar (pkg:maven/org.apache.jclouds.api/docker@2.0.0,
> cpe:2.3:a:docker:docker:2.0.0:*:*:*:*:*:*:*) : CVE-2018-10892,
> CVE-2019-13139, CVE-2019-13509, CVE-2019-15752, CVE-2019-16884,
> CVE-2019-5736
> guava-16.0.1.jar (pkg:maven/com.google.guava/guava@16.0.1,
> cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
> docker-1.9.3.jar (pkg:maven/org.apache.jclouds.labs/docker@1.9.3,
> cpe:2.3:a:docker:docker:1.9.3:*:*:*:*:*:*:*) : CVE-2016-3697,
> CVE-2017-14992, CVE-2019-13139, CVE-2019-13509, CVE-2019-15752,
> CVE-2019-16884, CVE-2019-5736
> jsch.agentproxy.core-0.0.8.jar
> (pkg:maven/com.jcraft/jsch.agentproxy.core@0.0.8,
> cpe:2.3:a:jcraft:jsch:0.0.8:*:*:*:*:*:*:*) : CVE-2016-5725
> bcprov-ext-jdk15on-1.49.jar
> (pkg:maven/org.bouncycastle/bcprov-ext-jdk15on@1.49) : CVE-2015-6644,
> CVE-2015-7940, CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000341,
> CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345,
> CVE-2016-1000346, CVE-2016-1000352, CVE-2017-13098, CVE-2018-1000613
> okhttp-2.2.0.jar (pkg:maven/com.squareup.okhttp/okhttp@2.2.0,
> cpe:2.3:a:squareup:okhttp:2.2.0:*:*:*:*:*:*:*) : CVE-2016-2402
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-mesos:
>
> mesos-1.5.0.jar (pkg:maven/org.apache.mesos/mesos@1.5.0,
> cpe:2.3:a:apache:mesos:1.5.0:*:*:*:*:*:*:*) : CVE-2018-11793,
> CVE-2018-1330, CVE-2018-8023, CVE-2019-0204, CVE-2019-5736
> jetty-server-9.4.11.v20180605.jar
> (pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605,
> cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*,
> cpe:2.3:a:jetty:jetty:9.4.11.v20180605:*:*:*:*:*:*:*,
> cpe:2.3:a:mortbay_jetty:jetty:9.4.11:20180605:*:*:*:*:*:*) :
> CVE-2018-12545, CVE-2019-10241, CVE-2019-10247
> jackson-databind-2.9.6.jar
> (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6,
> cpe:2.3:a:fasterxml:jackson:2.9.6:*:*:*:*:*:*:*,
> cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) :
> CVE-2018-1000873, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720,
> CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362,
> CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379,
> CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942,
> CVE-2019-16943, CVE-2019-17267, CVE-2019-17531
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-kafka:
>
> kafka-clients-2.0.1.jar (pkg:maven/org.apache.kafka/kafka-clients@2.0.1,
> cpe:2.3:a:apache:kafka:2.0.1:*:*:*:*:*:*:*) : CVE-2018-17196
> connect-api-2.0.1.jar (pkg:maven/org.apache.kafka/connect-api@2.0.1,
> cpe:2.3:a:apache:kafka:2.0.1:*:*:*:*:*:*:*) : CVE-2018-17196
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-flume:
>
> guava-11.0.2.jar (pkg:maven/com.google.guava/guava@11.0.2,
> cpe:2.3:a:google:guava:11.0.2:*:*:*:*:*:*:*) : CVE-2018-10237
> jackson-core-asl-1.8.8.jar
> (pkg:maven/org.codehaus.jackson/jackson-core-asl@1.8.8,
> cpe:2.3:a:fasterxml:jackson:1.8.8:*:*:*:*:*:*:*) : CVE-2017-15095,
> CVE-2017-17485, CVE-2017-7525
> jackson-mapper-asl-1.8.8.jar
> (pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.8.8,
> cpe:2.3:a:fasterxml:jackson:1.8.8:*:*:*:*:*:*:*,
> cpe:2.3:a:fasterxml:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*) :
> CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-1000873,
> CVE-2018-14718, CVE-2018-5968, CVE-2018-7489, CVE-2019-14540,
> CVE-2019-16335, CVE-2019-17267
> commons-collections-3.2.1.jar
> (pkg:maven/commons-collections/commons-collections@3.2.1,
> cpe:2.3:a:apache:commons_collections:3.2.1:*:*:*:*:*:*:*) : CVE-2015-6420,
> CVE-2017-15708, Remote code execution
> netty-3.9.4.Final.jar (pkg:maven/io.netty/netty@3.9.4.Final,
> cpe:2.3:a:netty:netty:3.9.4:*:*:*:*:*:*:*) : CVE-2015-2156, CVE-2019-16869,
> POODLE vulnerability in SSLv3.0 support
> servlet-api-2.5-20110124.jar
> (pkg:maven/org.mortbay.jetty/servlet-api@2.5-20110124,
> cpe:2.3:a:jetty:jetty:2.5.20110124:*:*:*:*:*:*:*,
> cpe:2.3:a:mortbay:jetty:2.5.20110124:*:*:*:*:*:*:*,
> cpe:2.3:a:mortbay_jetty:jetty:2.5.20110124:*:*:*:*:*:*:*) : CVE-2005-3747,
> CVE-2007-5615, CVE-2009-1523, CVE-2009-1524, CVE-2009-5048, CVE-2009-5049,
> CVE-2011-4461
> jetty-util-6.1.26.jar (pkg:maven/org.mortbay.jetty/jetty-util@6.1.26,
> cpe:2.3:a:jetty:jetty:6.1.26:*:*:*:*:*:*:*,
> cpe:2.3:a:mortbay:jetty:6.1.26:*:*:*:*:*:*:*,
> cpe:2.3:a:mortbay_jetty:jetty:6.1.26:*:*:*:*:*:*:*) : CVE-2009-1523,
> CVE-2011-4461
> jetty-6.1.26.jar (pkg:maven/org.mortbay.jetty/jetty@6.1.26,
> cpe:2.3:a:jetty:jetty:6.1.26:*:*:*:*:*:*:*,
> cpe:2.3:a:mortbay:jetty:6.1.26:*:*:*:*:*:*:*,
> cpe:2.3:a:mortbay_jetty:jetty:6.1.26:*:*:*:*:*:*:*) : CVE-2009-1523,
> CVE-2011-4461, CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735,
> CVE-2019-10241, CVE-2019-10247
> libthrift-0.9.0.jar (pkg:maven/org.apache.thrift/libthrift@0.9.0) :
> CVE-2015-3254, CVE-2016-5397, CVE-2018-1320, CVE-2019-0205
> httpclient-4.1.3.jar (pkg:maven/org.apache.httpcomponents/httpclient@4.1.3,
> cpe:2.3:a:apache:httpclient:4.1.3:*:*:*:*:*:*:*) : CVE-2014-3577,
> CVE-2015-5262
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-twitter:
>
> httpclient-4.2.5.jar (pkg:maven/org.apache.httpcomponents/httpclient@4.2.5,
> cpe:2.3:a:apache:httpclient:4.2.5:*:*:*:*:*:*:*) : CVE-2014-3577,
> CVE-2015-5262
> guava-14.0.1.jar (pkg:maven/com.google.guava/guava@14.0.1,
> cpe:2.3:a:google:guava:14.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-zookeeper:
>
> jackson-databind-2.9.8.jar
> (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8,
> cpe:2.3:a:fasterxml:jackson:2.9.8:*:*:*:*:*:*:*,
> cpe:2.3:a:fasterxml:jackson-databind:2.9.8:*:*:*:*:*:*:*) : CVE-2019-12086,
> CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439,
> CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943,
> CVE-2019-17267, CVE-2019-17531
> guava-16.0.1.jar (pkg:maven/com.google.guava/guava@16.0.1,
> cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
> jackson-mapper-asl-1.9.13.jar
> (pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.9.13,
> cpe:2.3:a:fasterxml:jackson:1.9.13:*:*:*:*:*:*:*,
> cpe:2.3:a:fasterxml:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*) :
> CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-1000873,
> CVE-2018-14718, CVE-2018-5968, CVE-2018-7489, CVE-2019-10172,
> CVE-2019-14540, CVE-2019-16335, CVE-2019-17267
> netty-all-4.1.29.Final.jar (pkg:maven/io.netty/netty-all@4.1.29.Final,
> cpe:2.3:a:netty:netty:4.1.29:*:*:*:*:*:*:*) : CVE-2019-16869
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-camel:
>
> camel-core-2.22.0.jar (pkg:maven/org.apache.camel/camel-core@2.22.0,
> cpe:2.3:a:apache:camel:2.22.0:*:*:*:*:*:*:*) : CVE-2018-8041,
> CVE-2019-0188, CVE-2019-0194
> camel-core-2.22.0.jar/META-INF/maven/org.apache.camel/spi-annotations/pom.xml
> (pkg:maven/org.apache.camel/spi-annotations@2.22.0,
> cpe:2.3:a:apache:camel:2.22.0:*:*:*:*:*:*:*) : CVE-2018-8041,
> CVE-2019-0188, CVE-2019-0194
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-storm:
>
> storm-core-1.1.1.jar (pkg:maven/org.apache.storm/storm-core@1.1.1,
> cpe:2.3:a:apache:storm:1.1.1:*:*:*:*:*:*:*) : CVE-2018-11779,
> CVE-2018-1331, CVE-2018-1332, CVE-2018-8008, CVE-2019-0202
> storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.xml
> (pkg:maven/org.eclipse.jetty/jetty-servlet@7.6.13.v20130916,
> cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*,
> cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) : CVE-2019-10247
> storm-core-1.1.1.jar/META-INF/maven/org.apache.httpcomponents/httpclient/pom.xml
> (pkg:maven/org.apache.httpcomponents/httpclient@4.3.3,
> cpe:2.3:a:apache:httpclient:4.3.3:*:*:*:*:*:*:*) : CVE-2014-3577,
> CVE-2015-5262
> storm-core-1.1.1.jar/META-INF/maven/com.google.guava/guava/pom.xml
> (pkg:maven/com.google.guava/guava@16.0.1,
> cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
> storm-core-1.1.1.jar/META-INF/maven/io.netty/netty/pom.xml
> (pkg:maven/io.netty/netty@3.9.0.Final,
> cpe:2.3:a:netty:netty:3.9.0:*:*:*:*:*:*:*) : CVE-2014-0193, CVE-2014-3488,
> CVE-2015-2156, CVE-2019-16869, POODLE vulnerability in SSLv3.0 support
> storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-server/pom.xml
> (pkg:maven/org.eclipse.jetty/jetty-server@7.6.13.v20130916,
> cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*,
> cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) : CVE-2011-4461,
> CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2019-10241,
> CVE-2019-10247
> storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-util/pom.xml
> (pkg:maven/org.eclipse.jetty/jetty-util@7.6.13.v20130916,
> cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*,
> cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) : CVE-2011-4461,
> CVE-2019-10247
> storm-core-1.1.1.jar/META-INF/maven/commons-fileupload/commons-fileupload/pom.xml
> (pkg:maven/commons-fileupload/commons-fileupload@1.3.2,
> cpe:2.3:a:apache:commons_fileupload:1.3.2:*:*:*:*:*:*:*) : CVE-2016-1000031
> storm-core-1.1.1.jar/META-INF/maven/org.apache.hadoop/hadoop-auth/pom.xml
> (pkg:maven/org.apache.hadoop/hadoop-auth@2.6.1,
> cpe:2.3:a:apache:hadoop:2.6.1:*:*:*:*:*:*:*) : CVE-2015-1776,
> CVE-2016-3086, CVE-2016-5001, CVE-2016-5393, CVE-2016-6811, CVE-2017-15713,
> CVE-2017-3161, CVE-2017-3162, CVE-2017-3166, CVE-2018-11768, CVE-2018-1296,
> CVE-2018-8009, CVE-2018-8029
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-cassandra-store:
> One or more dependencies were identified with known vulnerabilities in
> ignite-cassandra-serializers:
>
> commons-beanutils-1.9.2.jar
> (pkg:maven/commons-beanutils/commons-beanutils@1.9.2,
> cpe:2.3:a:apache:commons_beanutils:1.9.2:*:*:*:*:*:*:*) : CVE-2019-10086
> commons-collections-3.2.1.jar
> (pkg:maven/commons-collections/commons-collections@3.2.1,
> cpe:2.3:a:apache:commons_collections:3.2.1:*:*:*:*:*:*:*) : CVE-2015-6420,
> CVE-2017-15708, Remote code execution
> spring-core-4.3.18.RELEASE.jar
> (pkg:maven/org.springframework/spring-core@4.3.18.RELEASE,
> cpe:2.3:a:pivotal_software:spring_framework:4.3.18.release:*:*:*:*:*:*:*,
> cpe:2.3:a:springsource:spring_framework:4.3.18.release:*:*:*:*:*:*:*,
> cpe:2.3:a:vmware:springsource_spring_framework:4.3.18:*:*:*:*:*:*:*) :
> CVE-2018-15756
> netty-transport-4.1.27.Final.jar
> (pkg:maven/io.netty/netty-transport@4.1.27.Final,
> cpe:2.3:a:netty:netty:4.1.27:*:*:*:*:*:*:*) : CVE-2019-16869
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-flink:
>
> flink-hadoop-fs-1.5.0.jar (pkg:maven/org.apache.flink/flink-hadoop-fs@1.5.0,
> cpe:2.3:a:apache:hadoop:1.5.0:*:*:*:*:*:*:*) : CVE-2016-5001,
> CVE-2017-3161, CVE-2017-3162
> flink-shaded-netty-4.0.27.Final-2.0.jar/META-INF/maven/io.netty/netty-all/pom.xml
> (pkg:maven/io.netty/netty-all@4.0.27.Final,
> cpe:2.3:a:netty:netty:4.0.27:*:*:*:*:*:*:*) : CVE-2015-2156, CVE-2016-4970,
> CVE-2019-16869
> flink-shaded-jackson-2.7.9-3.0.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
> (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9,
> cpe:2.3:a:fasterxml:jackson:2.7.9:*:*:*:*:*:*:*,
> cpe:2.3:a:fasterxml:jackson-databind:2.7.9:*:*:*:*:*:*:*) : CVE-2017-15095,
> CVE-2017-17485, CVE-2017-7525, CVE-2018-1000873, CVE-2018-11307,
> CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719,
> CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361,
> CVE-2018-19362, CVE-2018-5968, CVE-2018-7489, CVE-2019-12086,
> CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439,
> CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943,
> CVE-2019-17267, CVE-2019-17531
> flink-shaded-guava-18.0-2.0.jar/META-INF/maven/com.google.guava/guava/pom.xml
> (pkg:maven/com.google.guava/guava@18.0,
> cpe:2.3:a:google:guava:18.0:*:*:*:*:*:*:*) : CVE-2018-10237
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-rocketmq:
>
> netty-all-4.0.42.Final.jar (pkg:maven/io.netty/netty-all@4.0.42.Final,
> cpe:2.3:a:netty:netty:4.0.42:*:*:*:*:*:*:*) : CVE-2019-16869
> netty-tcnative-boringssl-static-1.1.33.Fork26.jar
> (pkg:maven/io.netty/netty-tcnative-boringssl-static@1.1.33.Fork26,
> cpe:2.3:a:apache:tomcat:1.1.33:*:*:*:*:*:*:*,
> cpe:2.3:a:apache:tomcat_native:1.1.33:*:*:*:*:*:*:*,
> cpe:2.3:a:apache_software_foundation:tomcat:1.1.33:*:*:*:*:*:*:*,
> cpe:2.3:a:apache_tomcat:apache_tomcat:1.1.33:*:*:*:*:*:*:*) :
> CVE-2000-1210, CVE-2001-0590, CVE-2002-0493, CVE-2005-4838, CVE-2006-7196,
> CVE-2007-1358, CVE-2007-2449, CVE-2008-0128, CVE-2009-2696, CVE-2012-5568,
> CVE-2013-2185, CVE-2013-4286, CVE-2013-4322, CVE-2013-4444, CVE-2013-4590,
> CVE-2013-6357, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119,
> CVE-2016-5425, CVE-2017-15698, CVE-2018-8019, CVE-2018-8020
>
> Main offenders seem to be "jackson-databind" and old maintenance releases
> of Spring. I think we can bump most of that.
>
> Some integrations also clearly suffer, though it's a problem of their
> users, since they need to declare their own libraries' versions by
> convention.
>
> Regards,
> --
> Ilya Kasnacheev
>
>
> Fri, 27 Dec 2019 at 23:59, Denis Magda <dma...@apache.org>:
>
>> Ilya, now I see, thanks for the explanation. Agree with you, let's update
>> the versions of the dependencies to the latest.
>>
>> -
>> Denis
>>
>>
>> On Thu, Dec 26, 2019 at 10:50 PM Ilya Kasnacheev <
>> ilya.kasnach...@gmail.com>
>> wrote:
>>
>> > Hello!
>> >
>> > I have committed ignite-spring-data_2.2 to ignite-2.8.
>> >
>> > By bumping versions I mean the following:
>> >         <slf4j.version>1.7.*7*</slf4j.version>
>> >         <slf4j16.version>1.6.*4*</slf4j16.version>
>> >         <snappy.version>1.1.7.*2*</snappy.version>
>> >         <spark.hadoop.version>2.6.*5*</spark.hadoop.version>
>> >         <spark.version>2.3.*0*</spark.version>
>> >         <spring.data.version>1.13.*14*.RELEASE</spring.data.version><!-- don't forget to update spring version -->
>> >         <spring.version>4.3.*18*.RELEASE</spring.version><!-- don't forget to update spring-data version -->
>> >         <spring.data-2.0.version>2.0.*9*.RELEASE</spring.data-2.0.version><!-- don't forget to update spring-5.0 version -->
>> >         <spring-5.0.version>5.0.*8*.RELEASE</spring-5.0.version><!-- don't forget to update spring-data-2.0 version -->
>> >
>> > All these libraries have maintenance releases (such as our 2.7.*6*) and I
>> > think it would be beneficial to upgrade these dependencies to the latest
>> > maintenance version found in Maven Central.
>> > For example, there is spring.data-2.0 2.0.*14*.RELEASE.
>> >
>> > Regards,
>> > --
>> > Ilya Kasnacheev
>> >
>> >
>> > Thu, 26 Dec 2019 at 19:32, Denis Magda <dma...@apache.org>:
>> >
>> > > A huge +1 for adding Spring Data related fixes/improvements. Ilya is
>> > right
>> > > that Spring Data related questions sparked last time due to missing
>> > support
>> > > of 2.2 version.
>> > >
>> > > Ilya, could you elaborate on what you mean under "bumping the
>> versions"?
>> > Do
>> > > you suggest performing a straightforward upgrade of
>> "ignite-spring-data"
>> > to
>> > > version 2.2 and introducing "ignite-spring-data-{old-version}" for the
>> > > previous versions? If it's so, I fully agree with the proposal.
>> > >
>> > > -
>> > > Denis
>> > >
>> > >
>> > > On Thu, Dec 26, 2019 at 4:52 AM Ilya Kasnacheev <
>> > ilya.kasnach...@gmail.com
>> > > >
>> > > wrote:
>> > >
>> > > > Hello!
>> > > >
>> > > > I propose to add the following ticket to the scope:
>> > > > https://issues.apache.org/jira/browse/IGNITE-12259 (3 commits, be
>> > > careful
>> > > > with release version)
>> > > >
>> > > > Adding tickets to scope surely seems crazy now, but I will provide
>> the
>> > > > following considerations:
>> > > > * This is Spring Data 2.2 integration, which we currently do not
>> have,
>> > > > leading to lots of confused questions on stack overflow and mailing
>> > list.
>> > > > Spring Data is important to our public image since many people may
>> > learn
>> > > > about our project by starting with Spring Data.
>> > > >
>> > > > * It has zero code impact outside of its own module (just 2 POM files
>> > > > touched and that's all).
>> > > >
>> > > > * The core was ready since early November but, due to gmail quirk,
>> we
>> > did
>> > > > not react to it in time.
>> > > >
>> > > > WDYT?
>> > > >
>> > > > Another semi-related question. *Should we bump our dependencies'
>> > versions
>> > > > before releasing 2.8?* I talk mainly about spring and hibernate
>> > > > dependencies. We could switch them to their latest maintenance
>> versions
>> > > to
>> > > > avoid shipping default links to outdated packages.
>> > > >
>> > > > I think this is one of the things that are very hard to do between
>> > releases,
>> > > so
>> > > > I think this dependencies bumping should be a part of a formal
>> > > > release/testing cycle, and then be backported to master.
>> > > >
>> > > > I could volunteer to do that myself, if we agree to merge these
>> version
>> > > > upgrades to ignite-2.8 and then re-test.
>> > > >
>> > > > Regards,
>> > > > --
>> > > > Ilya Kasnacheev
>> > > >
>> > > >
>> > > > Tue, 24 Dec 2019 at 13:22, Zhenya Stanilovsky
>> > > <arzamas...@mail.ru.invalid
>> > > > >:
>> > > >
>> > > > >
>> > > > > Igniters, I'll try to compare the 2.8 release candidate vs 2.7.6,
>> > > > > last sha 2.8 was built from:  9d114f3137f92aebc2562a
>> > > > > I use yardstick benchmarks, 4 bare machines with:  2x Xeon X5570
>> 96Gb
>> > > > 512GB
>> > > > > SSD 2048GB HDD 10GB/s
>> > > > > 1 for client (driver) and 3 for servers.
>> > > > > These mappings for graphs and real yardstick tests:
>> > > > >
>> > > > > atomic-put: IgnitePutBenchmark
>> > > > > sql-merge-query: IgniteSqlMergeQueryBenchmark
>> > > > > atomic-get: IgniteGetBenchmark
>> > > > > tx-get: IgniteGetTxBenchmark
>> > > > > tx-put: IgnitePutTxBenchmark
>> > > > > atomic-put-all-bs-10: IgnitePutAllBenchmark
>> > > > > tx-put-all-bs-10: IgnitePutAllTxBenchmark
>> > > > >
>> > > > > cacheMode — partitioned
>> > > > > CacheWriteSynchronizationMode.FULL_SYNC
>> > > > > 1 backup
>> > > > >
>> > > > > 1. wal = log_only 2. wal = none 3. persistence disabled.
>> > > > > Thanks Maxim for wiki page [1]
>> > > > >
>> > > > >
>> > > > > [1]
>> > > > >
>> > > >
>> > >
>> >
>> https://cwiki.apache.org/confluence/display/IGNITE/Apache+Ignite+2.8#ApacheIgnite2.8-Benchmarks
>> > > > >
>> > > > > do we need some bisect or other work here?
>> > > > >
>> > > > > >
>> > > > > >
>> > > > > >------- Forwarded message -------
>> > > > > >From: "Maxim Muzafarov" < mmu...@apache.org >
>> > > > > >To:  dev@ignite.apache.org
>> > > > > >Cc:
>> > > > > >Subject: Apache Ignite 2.8 RELEASE [Time, Scope, Manager]
>> > > > > >Date: Fri, 20 Sep 2019 14:44:31 +0300
>> > > > > >
>> > > > > >Igniters,
>> > > > > >
>> > > > > >
>> > > > > >Almost a year has passed since the last major Apache Ignite
>> 2.7
>> > > > > >was released. We've accumulated a lot of performance
>> > improvements
>> > > > > >and a lot of new features which are waiting for their release
>> date.
>> > > > > >Here is my list of the most interesting things from my point of view
>> since
>> > the
>> > > > > >last major release:
>> > > > > >
>> > > > > >Service Grid,
>> > > > > >Monitoring,
>> > > > > >Recovery Read
>> > > > > >BLT auto-adjust,
>> > > > > >PDS compression,
>> > > > > >WAL page compression,
>> > > > > >Thin client: best effort affinity,
>> > > > > >Thin client: transactions support (not yet)
>> > > > > >SQL query history
>> > > > > >SQL statistics
>> > > > > >
>> > > > > >I think we should not wait any longer but freeze the master branch
>> > > > > >and prepare the next major release by the end of the year.
>> > > > > >
>> > > > > >
>> > > > > >I propose to discuss Time, Scope of Apache Ignite 2.8 release and
>> > also
>> > > > > >I want to propose myself to be the release manager of the
>> planning
>> > > > > >release.
>> > > > > >
>> > > > > >Scope Freeze: November 4, 2019
>> > > > > >Code Freeze: November 18, 2019
>> > > > > >Voting Date: December 10, 2019
>> > > > > >Release Date: December 17, 2019
>> > > > > >
>> > > > > >
>> > > > > >WDYT?
>> > > > >
>> > > > >
>> > > > >
>> > > > >
>> > > >
>> > >
>> >
>>
>
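The scanner output quoted in the thread has a regular shape: a module header line, then one block per jar with its Maven purl, optional CPEs and a comma-separated list of findings, and consecutive headers share the block that follows them. As an added example (not code from the thread or from the Ignite project), the Python below parses that shape from a constructed, shortened sample and ranks artifacts by distinct CVE count across modules, which is the aggregation behind the "main offenders" remark; the regexes and the sample text are my own assumptions about the format.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the quoted dependency-check output (not the real scan).
SAMPLE_REPORT = """\
One or more dependencies were identified with known vulnerabilities in
ignite-rest-http:

jetty-server-9.4.11.v20180605.jar
(pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605,
cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*) :
CVE-2018-12545, CVE-2019-10241, CVE-2019-10247
jackson-databind-2.9.6.jar
(pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6) :
CVE-2019-12086, CVE-2019-12384, CVE-2019-14540

One or more dependencies were identified with known vulnerabilities in
ignite-kubernetes:
One or more dependencies were identified with known vulnerabilities in
ignite-aws:

jackson-databind-2.9.6.jar
(pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6) :
CVE-2019-12086, CVE-2019-12384, CVE-2019-14540
guava-16.0.1.jar (pkg:maven/com.google.guava/guava@16.0.1,
cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
"""

# Module header; mail wrapping may push the module name onto the next line.
HEADER_RE = re.compile(r"One or more dependencies were identified with known "
                       r"vulnerabilities in\s+([\w.\-]+):")
# One finding block: "<jar> (pkg:maven/..., cpe:...) : CVE-..., ...". The findings
# run until the next jar block or the end of the section (re.S spans wrapped lines).
JAR = r"[\w.\-]+\.jar(?:/[\w./\-]+)?"
ENTRY_RE = re.compile(
    rf"(?P<jar>{JAR})\s*\((?P<purl>pkg:maven/[^,)\s]+)[^)]*\)\s*:\s*"
    rf"(?P<findings>.*?)(?=\s*{JAR}\s*\(pkg:|\Z)", re.S)


def parse_report(text):
    """Return {module: [(jar, purl, [finding, ...]), ...]}; consecutive headers
    with nothing between them (ignite-kubernetes, ignite-aws) share one list."""
    headers = list(HEADER_RE.finditer(text))
    modules, pending = {}, []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        entries = [(m["jar"], m["purl"],
                    [f.strip() for f in m["findings"].split(",") if f.strip()])
                   for m in ENTRY_RE.finditer(text[h.end():end])]
        pending.append(h.group(1))
        if entries:                 # assign to every header still waiting for a body
            for mod in pending:
                modules[mod] = entries
            pending = []
    for mod in pending:             # trailing headers that never got findings
        modules[mod] = []
    return modules


def artifact_key(purl):
    """'pkg:maven/group/artifact@version' -> ('group:artifact', 'version')."""
    coords, _, version = purl[len("pkg:maven/"):].partition("@")
    return coords.replace("/", ":"), version


def rank_offenders(modules):
    """Per Maven artifact across all modules: (group:artifact, versions, modules,
    cves), sorted by distinct CVE count, then by how many modules pull it in."""
    agg = defaultdict(lambda: {"versions": set(), "modules": set(), "cves": set()})
    for mod, entries in modules.items():
        for _jar, purl, findings in entries:
            ga, ver = artifact_key(purl)
            agg[ga]["versions"].add(ver)
            agg[ga]["modules"].add(mod)
            # Free-text notes such as "Remote code execution" are not counted as CVEs.
            agg[ga]["cves"].update(f for f in findings if f.startswith("CVE-"))
    ranked = sorted(agg.items(), reverse=True,
                    key=lambda kv: (len(kv[1]["cves"]), len(kv[1]["modules"])))
    return [(ga, sorted(v["versions"]), sorted(v["modules"]), sorted(v["cves"]))
            for ga, v in ranked]
```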