GitHub user yew1eb opened a pull request:

    https://github.com/apache/flink/pull/5113

    [FLINK-8156][build] Bump commons-beanutils version to 1.9.3

    ## What is the purpose of the change
    The commons-beanutils 1.8.0 dependency is not security compliant. See
[CVE-2014-0114](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114):
    
    > Apache Commons BeanUtils, as distributed in 
lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in 
other products requiring commons-beanutils through 1.9.2, does not suppress the 
class property, which allows remote attackers to "manipulate" the ClassLoader 
and execute arbitrary code via the class parameter, as demonstrated by the 
passing of this parameter to the getClass method of the ActionForm object in 
Struts 1.
    
    The commons-beanutils 1.9.2 release in turn has a CVE in its dependency
commons-collections
([CVE-2015-6420](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6420),
see [BEANUTILS-488](https://issues.apache.org/jira/browse/BEANUTILS-488)),
which is fixed in 1.9.3.
    
    We should upgrade commons-beanutils from 1.8.3 to 1.9.3.
    
    
    ## Does this pull request potentially affect one of the following parts:
    
      - Dependencies (does it add or upgrade a dependency): (**yes** / no)
      - The public API, i.e., is any changed class annotated with 
`@Public(Evolving)`: (yes / **no**)
      - The serializers: (yes / **no** / don't know)
      - The runtime per-record code paths (performance sensitive): (yes / 
**no** / don't know)
      - Anything that affects deployment or recovery: JobManager (and its 
components), Checkpointing, Yarn/Mesos, ZooKeeper: (yes / **no** / don't know)
      - The S3 file system connector: (yes / **no** / don't know)
    
    ## Documentation
    
      - Does this pull request introduce a new feature? (yes / **no**)
      - If yes, how is the feature documented? (not applicable / docs / 
JavaDocs / not documented)


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/yew1eb/flink FLINK-8156

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/flink/pull/5113.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #5113
    
----
commit 5c188bc440eed0d50654709a929633a73e35cb56
Author: yew1eb <yew...@gmail.com>
Date:   2017-12-03T10:49:22Z

    [FLINK-8156][build] Bump commons-beanutils version to 1.9.3

----
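The build-level fix this pull request proposes, expressed as an added Maven fragment that is not part of the pull request or of Flink's own pom: the fixed version is pinned in dependencyManagement, and the Enforcer plugin fails the build if any module still resolves a commons-beanutils older than 1.9.3 or a commons-collections older than 3.2.2 (the release BEANUTILS-488 moved to). The enforcer plugin version and the 3.2.2 floor are assumptions, not taken from the page.

```xml
<!-- Added example, not the Flink pom: pin the fixed release and make the
     build fail if any dependency path regresses below it. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- CVE-2014-0114 affects commons-beanutils through 1.9.2 -->
      <dependency>
        <groupId>commons-beanutils</groupId>
        <artifactId>commons-beanutils</artifactId>
        <version>1.9.3</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>1.4.1</version> <!-- assumed plugin version -->
        <executions>
          <execution>
            <id>ban-vulnerable-beanutils</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <!-- inspect transitive dependencies, not only direct ones -->
                  <searchTransitive>true</searchTransitive>
                  <excludes>
                    <!-- every commons-beanutils release below the fixed one -->
                    <exclude>commons-beanutils:commons-beanutils:[,1.9.3)</exclude>
                    <!-- CVE-2015-6420 floor; 3.2.2 is an assumption -->
                    <exclude>commons-collections:commons-collections:[,3.2.2)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

When the rule fires, `mvn dependency:tree -Dincludes=commons-beanutils` shows which module or transitive dependency still brings in the old artifact.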

