From Michael Blow <[email protected]>:

Michael Blow has uploaded this change for review. ( 
https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17842 )


Change subject: [NO ISSUE][MISC] override org.codehaus.jettison:jettison to 
avoid CVEs
......................................................................

[NO ISSUE][MISC] override org.codehaus.jettison:jettison to avoid CVEs

Change-Id: Ida41aaddb65405516c3baeea9de4bbf21a0f0e41
---
M asterixdb/asterix-external-data/pom.xml
M asterixdb/pom.xml
2 files changed, 23 insertions(+), 0 deletions(-)



  git pull ssh://asterix-gerrit.ics.uci.edu:29418/asterixdb 
refs/changes/42/17842/1

diff --git a/asterixdb/asterix-external-data/pom.xml 
b/asterixdb/asterix-external-data/pom.xml
index de14287..fbb1751 100644
--- a/asterixdb/asterix-external-data/pom.xml
+++ b/asterixdb/asterix-external-data/pom.xml
@@ -546,6 +546,11 @@
       <groupId>net.minidev</groupId>
       <artifactId>json-smart</artifactId>
     </dependency>
+    <!-- Manually overridden to avoid CVE-2023-1436, CVE-2022-45693, 
CVE-2022-45685, CVE-2022-40150, CVE-2022-40149 -->
+    <dependency>
+      <groupId>org.codehaus.jettison</groupId>
+      <artifactId>jettison</artifactId>
+    </dependency>
   </dependencies>
   <!-- apply patch for HADOOP-17225 to workaround CVE-2019-10172 -->
   <repositories>
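Review bot: The new `<dependency>` on org.codehaus.jettison:jettison in asterix-external-data has no `<scope>`, and its comment only lists CVE ids, so a reader cannot tell whether this module calls jettison itself or only needs the artifact back on the classpath after the exclusion added in asterixdb/pom.xml. If it is there only to restore the transitive artifact at the managed version, say so in the comment and consider `<scope>runtime</scope>` so the module cannot start compiling against it by accident; unused-dependency checks may otherwise flag the declaration.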
diff --git a/asterixdb/pom.xml b/asterixdb/pom.xml
index b2d8831..dee21dc 100644
--- a/asterixdb/pom.xml
+++ b/asterixdb/pom.xml
@@ -1017,6 +1017,10 @@
         <version>${hadoop.version}</version>
         <exclusions>
           <exclusion>
+            <groupId>org.codehaus.jettison</groupId>
+            <artifactId>jettison</artifactId>
+          </exclusion>
+          <exclusion>
             <groupId>net.minidev</groupId>
             <artifactId>json-smart</artifactId>
           </exclusion>
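Review bot: The jettison `<exclusion>` is added to a single managed Hadoop artifact and takes effect in every module that inherits this entry, while only asterix-external-data re-declares jettison. Because the `dependencyManagement` entry added further down in this file already forces the version used in transitive resolution, the exclusion looks redundant. Either drop it, or confirm with `mvn dependency:tree -Dincludes=org.codehaus.jettison` that no other module loses a runtime dependency and that every remaining path resolves to the managed version.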
@@ -1959,6 +1963,11 @@
         <version>${hadoop.version}</version>
       </dependency>
       <!-- Hadoop Azure end -->
+      <dependency>
+        <groupId>org.codehaus.jettison</groupId>
+        <artifactId>jettison</artifactId>
+        <version>1.5.4</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>

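Review bot: `<version>1.5.4</version>` is a bare literal placed directly under the `<!-- Hadoop Azure end -->` marker with no comment, while the CVE rationale sits in asterix-external-data/pom.xml, where no version appears. Move or repeat the CVE comment here, where the pin actually lives, and consider a property (for example `jettison.version`, next to `hadoop.version`) so a later bump is a one-line change and the entry does not read as part of the Hadoop Azure block.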

--
To view, visit https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17842

Gerrit-Project: asterixdb
Gerrit-Branch: neo
Gerrit-Change-Id: Ida41aaddb65405516c3baeea9de4bbf21a0f0e41
Gerrit-Change-Number: 17842
Gerrit-PatchSet: 1
Gerrit-Owner: Michael Blow <[email protected]>
Gerrit-MessageType: newchange
