[jira] [Updated] (HADOOP-16542) Update commons-beanutils version to 1.9.4
     [ https://issues.apache.org/jira/browse/HADOOP-16542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jonathan Hung updated HADOOP-16542:
-----------------------------------
    Fix Version/s: 3.2.2
                   3.1.4

> Update commons-beanutils version to 1.9.4
> -----------------------------------------
>
>                 Key: HADOOP-16542
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16542
>             Project: Hadoop Common
>          Issue Type: Task
>    Affects Versions: 3.3.0
>            Reporter: Wei-Chiu Chuang
>            Assignee: kevin su
>            Priority: Major
>              Labels: release-blocker
>             Fix For: 3.3.0, 3.1.4, 3.2.2
>
>         Attachments: HADOOP-16542.001.patch, HADOOP-16542.002.patch, HADOOP-16542.003.patch
>
>
> [http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cc628798f-315d-4428-8cb1-4ed1ecc95...@apache.org%3e]
> {quote}
> CVE-2019-10086. Apache Commons Beanutils does not suppress the class property in PropertyUtilsBean by default.
>
> Severity: Medium
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: commons-beanutils-1.9.3 and earlier
>
> Description: A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the class property of Java objects to get access to the classloader. However, this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class level property access by default, thus protecting against CVE-2014-0114.
>
> Mitigation: 1.X users should migrate to 1.9.4.
> {quote}

--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
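Added example, not code from this Hadoop issue or from the Commons BeanUtils project, showing what the quoted advisory describes in working form: on commons-beanutils 1.9.2 and 1.9.3 a default PropertyUtilsBean resolves the property expression "class.classLoader" to the bean's ClassLoader, and registering SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS (the BeanIntrospector the advisory refers to) removes "class" from introspection, which is exactly what 1.9.4 does by default. It assumes a 1.9.x commons-beanutils jar on the classpath (the 1.7.0 and 1.8.0 jars in the branch-2 dependency tree quoted further down predate that class and would not compile against this), a hypothetical JobConfig bean, and a constructed input map standing in for untrusted request parameters.

```java
import java.lang.reflect.InvocationTargetException;
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Added example, not Hadoop or Commons BeanUtils project code.
 *
 * On commons-beanutils 1.9.2 and 1.9.3 a freshly constructed PropertyUtilsBean
 * treats "class" as an ordinary readable property, so a property expression such
 * as "class.classLoader" taken from untrusted input resolves to the bean's
 * ClassLoader (CVE-2014-0114 / CVE-2019-10086). Registering
 * SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS removes that property from
 * introspection. 1.9.4 registers it by default, so the explicit call below is
 * harmless there and is what a codebase still pinned to 1.9.2 or 1.9.3 needs.
 */
public class BeanUtilsClassPropertyCheck {

    /** Hypothetical bean standing in for whatever a handler populates from a request. */
    public static class JobConfig {
        private String queue = "default";
        public String getQueue() { return queue; }
        public void setQueue(String queue) { this.queue = queue; }
    }

    /** PropertyUtilsBean with class-level property access disabled on any 1.9.x release. */
    public static PropertyUtilsBean hardenedPropertyUtils() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        // Already registered on 1.9.4; required on 1.9.2 and 1.9.3. Registering it twice is harmless.
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return pub;
    }

    /** True when "class.classLoader" can be read through the given PropertyUtilsBean. */
    public static boolean exposesClassLoader(PropertyUtilsBean pub, Object bean)
            throws IllegalAccessException, InvocationTargetException {
        try {
            return pub.getNestedProperty(bean, "class.classLoader") instanceof ClassLoader;
        } catch (NoSuchMethodException e) {
            // With SUPPRESS_CLASS registered, "class" is not a known property at all.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        JobConfig cfg = new JobConfig();

        // Whatever the commons-beanutils on the classpath does by default:
        // exposed on 1.9.3 and earlier (unless SUPPRESS_CLASS was added), not exposed on 1.9.4.
        PropertyUtilsBean defaults = BeanUtilsBean.getInstance().getPropertyUtils();
        System.out.println("default introspection exposes ClassLoader: "
                + exposesClassLoader(defaults, cfg));

        // Explicitly hardened instance: not exposed on any 1.9.x release.
        PropertyUtilsBean hardened = hardenedPropertyUtils();
        System.out.println("hardened introspection exposes ClassLoader: "
                + exposesClassLoader(hardened, cfg));

        // Constructed untrusted input: one legitimate key and one CVE-2014-0114 style key.
        Map<String, Object> untrusted = new LinkedHashMap<>();
        untrusted.put("queue", "etl");
        untrusted.put("class.classLoader.defaultAssertionStatus", "true");

        // populate() walks nested names through PropertyUtilsBean.getProperty(); once "class"
        // is unknown that lookup throws NoSuchMethodException internally and the key is skipped,
        // while the legitimate "queue" key is still applied.
        BeanUtilsBean safeBeanUtils = new BeanUtilsBean(new ConvertUtilsBean(), hardened);
        safeBeanUtils.populate(cfg, untrusted);
        System.out.println("queue after populate: " + cfg.getQueue());
    }
}
```

The upgrade to 1.9.4 is the fix this issue ships; the explicit addBeanIntrospector call is the stop-gap for any module that cannot move yet, and exposesClassLoader() is a cheap runtime check to put in a unit test so a later dependency downgrade (for example through a transitive dependency like the commons-configuration chain below) fails the build instead of silently reopening the hole.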
[jira] [Updated] (HADOOP-16542) Update commons-beanutils version to 1.9.4
     [ https://issues.apache.org/jira/browse/HADOOP-16542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wei-Chiu Chuang updated HADOOP-16542:
-------------------------------------
    Resolution: Fixed
        Status: Resolved  (was: Patch Available)

Pushed to trunk.

I studied the dependency tree; Hadoop branch-2 does not depend on commons-beanutils directly (there is an indirect dependency, though), and the version pulled in is quite different.

{noformat}
[INFO] +- commons-configuration:commons-configuration:jar:1.6:compile
[INFO] |  +- commons-digester:commons-digester:jar:1.8:compile
[INFO] |  |  \- commons-beanutils:commons-beanutils:jar:1.7.0:compile
[INFO] |  \- commons-beanutils:commons-beanutils-core:jar:1.8.0:compile
{noformat}

Therefore it may not be a trivial change for branch-2, and I'd suggest limiting this commit to Hadoop 3.x.

> Update commons-beanutils version to 1.9.4
> -----------------------------------------
>
>                 Key: HADOOP-16542
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16542
>             Project: Hadoop Common
>          Issue Type: Task
>    Affects Versions: 3.3.0
>            Reporter: Wei-Chiu Chuang
>            Assignee: kevin su
>            Priority: Major
>              Labels: release-blocker
>             Fix For: 3.3.0
>
>         Attachments: HADOOP-16542.001.patch, HADOOP-16542.002.patch, HADOOP-16542.003.patch
[jira] [Updated] (HADOOP-16542) Update commons-beanutils version to 1.9.4
     [ https://issues.apache.org/jira/browse/HADOOP-16542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wei-Chiu Chuang updated HADOOP-16542:
-------------------------------------
    Affects Version/s:     (was: 2.10.0)

> Update commons-beanutils version to 1.9.4
> -----------------------------------------
>
>                 Key: HADOOP-16542
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16542
>             Project: Hadoop Common
>          Issue Type: Task
>    Affects Versions: 3.3.0
>            Reporter: Wei-Chiu Chuang
>            Assignee: kevin su
>            Priority: Major
>              Labels: release-blocker
>             Fix For: 3.3.0
>
>         Attachments: HADOOP-16542.001.patch, HADOOP-16542.002.patch, HADOOP-16542.003.patch
[jira] [Updated] (HADOOP-16542) Update commons-beanutils version to 1.9.4
     [ https://issues.apache.org/jira/browse/HADOOP-16542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wei-Chiu Chuang updated HADOOP-16542:
-------------------------------------
    Fix Version/s: 3.3.0

> Update commons-beanutils version to 1.9.4
> -----------------------------------------
>
>                 Key: HADOOP-16542
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16542
>             Project: Hadoop Common
>          Issue Type: Task
>    Affects Versions: 2.10.0, 3.3.0
>            Reporter: Wei-Chiu Chuang
>            Assignee: kevin su
>            Priority: Major
>              Labels: release-blocker
>             Fix For: 3.3.0
>
>         Attachments: HADOOP-16542.001.patch, HADOOP-16542.002.patch, HADOOP-16542.003.patch
[jira] [Updated] (HADOOP-16542) Update commons-beanutils version to 1.9.4
     [ https://issues.apache.org/jira/browse/HADOOP-16542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wei-Chiu Chuang updated HADOOP-16542:
-------------------------------------
    Summary: Update commons-beanutils version to 1.9.4  (was: Update commons-beanutils version)

> Update commons-beanutils version to 1.9.4
> -----------------------------------------
>
>                 Key: HADOOP-16542
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16542
>             Project: Hadoop Common
>          Issue Type: Task
>    Affects Versions: 2.10.0, 3.3.0
>            Reporter: Wei-Chiu Chuang
>            Assignee: kevin su
>            Priority: Major
>              Labels: release-blocker
>         Attachments: HADOOP-16542.001.patch, HADOOP-16542.002.patch, HADOOP-16542.003.patch