[ https://issues.apache.org/jira/browse/FLINK-8156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16275883#comment-16275883 ]

ASF GitHub Bot commented on FLINK-8156:
---------------------------------------

Github user yew1eb commented on a diff in the pull request:

    https://github.com/apache/flink/pull/5113#discussion_r154520820
  
    --- Diff: pom.xml ---
    @@ -367,11 +367,10 @@ under the License.
                                <version>3.2.2</version>
                        </dependency>
     
    -                   <!-- common-beanutils-bean-collections is used by 
flink-shaded-hadoop2 -->
                        <dependency>
                                <groupId>commons-beanutils</groupId>
    -                           
<artifactId>commons-beanutils-bean-collections</artifactId>
    -                           <version>1.8.3</version>
    +                           <artifactId>commons-beanutils</artifactId>
    +                           <version>1.9.3</version>
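    Review bot: the explanatory comment removed at the top of this hunk (`<!-- common-beanutils-bean-collections is used by flink-shaded-hadoop2 -->`) gets no replacement, so pom.xml no longer records why the artifact changed; suggest a comment on the new dependency along the lines of `<!-- commons-beanutils 1.9.x ships a single jar (BEANUTILS-379), replacing commons-beanutils-bean-collections used by flink-shaded-hadoop2 -->`. Since the old artifactId is no longer managed here, also confirm with `mvn dependency:tree` that flink-shaded-hadoop2 does not still pull commons-beanutils-bean-collections 1.8.3 transitively; otherwise the CVE-2014-0114 exposure this ticket targets would remain on the classpath.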
    --- End diff --
    
    The 1.8.x releases of BeanUtils have distributed three jars:
    - commons-beanutils.jar - contains everything
    - commons-beanutils-core.jar - excludes Bean Collections classes
    - commons-beanutils-bean-collections.jar - only Bean Collections classes
    
    Version 1.9.0 reverts this split for reasons outlined at
    [BEANUTILS-379](http://issues.apache.org/jira/browse/BEANUTILS-379). There is
    now only one jar for the BeanUtils library.



> Bump commons-beanutils version to 1.9.3
> ---------------------------------------
>
>                 Key: FLINK-8156
>                 URL: https://issues.apache.org/jira/browse/FLINK-8156
>             Project: Flink
>          Issue Type: Bug
>          Components: Build System
>    Affects Versions: 1.4.0
>            Reporter: Hai Zhou UTC+8
>            Assignee: Hai Zhou UTC+8
>             Fix For: 1.5.0
>
>
> Commons-beanutils v1.8.0 dependency is not security compliant. See 
> [CVE-2014-0114|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114]:
> {code:java}
> Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar 
> in Apache Struts 1.x through 1.3.10 and in other products requiring 
> commons-beanutils through 1.9.2, does not suppress the class property, which 
> allows remote attackers to "manipulate" the ClassLoader and execute arbitrary 
> code via the class parameter, as demonstrated by the passing of this 
> parameter to the getClass method of the ActionForm object in Struts 1.
> {code}
> Note that current version commons-beanutils 1.9.2 in turn has a CVE in its 
> dependency commons-collections (CVE-2015-6420, see BEANUTILS-488), which is 
> fixed in 1.9.3.
> We should upgrade {{commons-beanutils}} from 1.8.3 to 1.9.3.
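A check for the class-property behaviour quoted above, added here as an example and not code from the Flink PR or the BeanUtils project. It assumes commons-beanutils 1.9.3 on the classpath, where `SuppressPropertiesBeanIntrospector` is available but not registered by default (that default changed in 1.9.4); the `Form` bean and `classPropertyReachable` helper are constructed for this example.

```java
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyCheck {

    // Minimal bean standing in for a form object (constructed for this example).
    public static class Form {
        private String name = "example";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // True if the "class" pseudo-property is still reachable through the given
    // PropertyUtilsBean, i.e. request-driven property names could reach getClass().
    static boolean classPropertyReachable(PropertyUtilsBean pub, Object bean) {
        try {
            pub.getProperty(bean, "class");
            return true;
        } catch (NoSuchMethodException e) {
            // Unknown property: the introspector has hidden "class" as intended.
            return false;
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        Form form = new Form();

        // Plain 1.9.3 instance: "class" is still exposed as a readable property.
        PropertyUtilsBean unhardened = new PropertyUtilsBean();
        System.out.println("default: class reachable = "
                + classPropertyReachable(unhardened, form));

        // Hardened instance: register SUPPRESS_CLASS before any descriptors are cached.
        PropertyUtilsBean hardened = new PropertyUtilsBean();
        hardened.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        System.out.println("with SUPPRESS_CLASS: class reachable = "
                + classPropertyReachable(hardened, form));
    }
}
```

Running it on 1.9.3 prints `true` for the default instance and `false` for the hardened one, which is the check to add to any code path that maps untrusted parameter names onto bean properties.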



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
