[jira] [Commented] (FLUME-3115) Upgrade netty library dependency
[ https://issues.apache.org/jira/browse/FLUME-3115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16075293#comment-16075293 ]

Mike Percy commented on FLUME-3115:
---

The CVE says versions of Netty prior to 3.9.2 are vulnerable to a DoS attack when using SslHandler. Curator is pulling in the old netty version. The version that Flume depends on (looking at trunk) is 3.9.4 but it's possible that since both are on the classpath either one may actually be being used. Really, Curator and Flume should both probably be shading Netty.

Flume may be vulnerable to this DoS today because it uses SslHandler in a couple of places:

{code}
$ ag -l SslHandler
flume-ng-core/src/main/java/org/apache/flume/source/AvroSource.java
flume-ng-core/src/test/java/org/apache/flume/source/TestAvroSource.java
flume-ng-core/src/test/java/org/apache/flume/sink/TestAvroSink.java
flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java
{code}

> Upgrade netty library dependency
>
>                 Key: FLUME-3115
>                 URL: https://issues.apache.org/jira/browse/FLUME-3115
>             Project: Flume
>          Issue Type: Bug
>    Affects Versions: 1.7.0
>            Reporter: Attila Simon
>            Priority: Critical
>              Labels: dependency
>             Fix For: 1.8.0
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |io.netty|netty|3.2.2.Final, 3.9.4.Final|4.1.12.Final|
> Note: This artifact was moved to:
> - New Group io.netty
> - New Artifact netty-all
> Security vulnerability: http://www.cvedetails.com/cve/CVE-2014-3488/
> Please do:
> - double check the newest version.
> - consider to remove a dependency if better alternative is available.
> - check whether the lib change would introduce a backward incompatibility (in which case please add this label `breaking_change` and fix version should be the next major)

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
Re: Update 3rd party dependencies
Hi Attila,

Thanks for sending this. I have a few thoughts / questions on this:

1) You didn't include the analysis of A,G,S, etc. for the listed dependencies in your email.

2) If there are security vulnerabilities reported that could affect Flume then we should upgrade those dependencies where possible. However, in my experience newer does not always mean better (a newer library may introduce new bugs in exchange for new features we do not use) so I am not sure I agree with the basic premise that we should avoid being on older versions of libraries.

3) From a quick look at mvn dependency:tree the majority of those libs are pulled in transitively by other projects. How do you propose dealing with that?

I ran a quick script based on mvn dependency:tree and your list above and marked the libraries you mentioned with an arrow (<---) to illustrate where they come from (see below).

Hope this is useful.

Thanks,
Mike

[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ flume-checkstyle ---
[INFO] org.apache.flume:flume-checkstyle:jar:1.8.0-SNAPSHOT
[INFO]
[INFO]
[INFO] Building Apache Flume 1.8.0-SNAPSHOT
[INFO]
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ flume-parent ---
[INFO] org.apache.flume:flume-parent:pom:1.8.0-SNAPSHOT
[INFO]
[INFO]
[INFO] Building Flume NG SDK 1.8.0-SNAPSHOT
[INFO]
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ flume-ng-sdk ---
[INFO] org.apache.flume:flume-ng-sdk:jar:1.8.0-SNAPSHOT
[INFO] +- junit:junit:jar:4.10:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.1:test
[INFO] +- org.slf4j:slf4j-api:jar:1.6.1:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.6.1:compile
[INFO] |  \- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.avro:avro:jar:1.7.4:compile
[INFO] |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.3:compile <---
[INFO] |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.3:compile
[INFO] |  +- com.thoughtworks.paranamer:paranamer:jar:2.3:compile
[INFO] |  +- org.xerial.snappy:snappy-java:jar:1.1.0:compile
[INFO] |  \- org.apache.commons:commons-compress:jar:1.4.1:compile
[INFO] |     \- org.tukaani:xz:jar:1.0:compile
[INFO] +- org.apache.avro:avro-ipc:jar:1.7.4:compile
[INFO] |  +- org.mortbay.jetty:jetty:jar:6.1.26:compile <---
[INFO] |  +- org.mortbay.jetty:jetty-util:jar:6.1.26:compile <---
[INFO] |  \- org.apache.velocity:velocity:jar:1.7:compile
[INFO] |     \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] +- io.netty:netty:jar:3.9.4.Final:compile <---
[INFO] \- org.apache.thrift:libthrift:jar:0.9.0:compile
[INFO]    +- commons-lang:commons-lang:jar:2.5:compile
[INFO]    +- org.apache.httpcomponents:httpclient:jar:4.2.1:compile <---
[INFO]    |  +- commons-logging:commons-logging:jar:1.1.1:compile
[INFO]    |  \- commons-codec:commons-codec:jar:1.8:compile
[INFO]    \- org.apache.httpcomponents:httpcore:jar:4.1.3:compile
[INFO]
[INFO]
[INFO] Building Flume NG Configuration 1.8.0-SNAPSHOT
[INFO]
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ flume-ng-configuration ---
[INFO] org.apache.flume:flume-ng-configuration:jar:1.8.0-SNAPSHOT
[INFO] +- org.slf4j:slf4j-api:jar:1.6.1:compile
[INFO] +- junit:junit:jar:4.10:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.1:test
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.6.1:compile
[INFO] |  \- log4j:log4j:jar:1.2.17:compile
[INFO] +- com.google.guava:guava:jar:11.0.2:compile
[INFO] |  \- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] \- org.apache.flume:flume-ng-sdk:jar:1.8.0-SNAPSHOT:compile
[INFO]    +- org.apache.avro:avro:jar:1.7.4:compile
[INFO]    |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.3:compile <---
[INFO]    |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.3:compile
[INFO]    |  +- com.thoughtworks.paranamer:paranamer:jar:2.3:compile
[INFO]    |  +- org.xerial.snappy:snappy-java:jar:1.1.0:compile
[INFO]    |  \- org.apache.commons:commons-compress:jar:1.4.1:compile
[INFO]    |     \- org.tukaani:xz:jar:1.0:compile
[INFO]    +- org.apache.avro:avro-ipc:jar:1.7.4:compile
[INFO]    |  +- org.mortbay.jetty:jetty:jar:6.1.26:compile <---
[INFO]    |  +- org.mortbay.jetty:jetty-util:jar:6.1.26:compile <---
[INFO]    |  \- org.apache.velocity:velocity:jar:1.7:compile
[INFO]    |     \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO]    +- io.netty:netty:jar:3.9.4.Final:compile <---
[INFO]    \- org.apache.thrift:libthrift:jar:0.9.0:compile
[INFO]       +- commons-lang:commons-lang:jar:2.5:compile
[INFO]       +- org.apache.httpcomponents:ht
[jira] [Commented] (FLUME-2957) Remove Guava from our public API
[ https://issues.apache.org/jira/browse/FLUME-2957?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16075107#comment-16075107 ]

Mike Percy commented on FLUME-2957:
---

I agree that we should simply expose a Map instead of the Guava ImmutableMap implementation as part of this public API.

> Remove Guava from our public API
>
>                 Key: FLUME-2957
>                 URL: https://issues.apache.org/jira/browse/FLUME-2957
>             Project: Flume
>          Issue Type: Task
>    Affects Versions: 1.8.0
>            Reporter: Lior Zeno
>             Fix For: 2.0.0
>
>
> Context.getParameters (flume-ng-configuration module) returns com.google.common.collect.ImmutableMap (Guava). We should clean our API and return either a native java interface or Flume's.
> In addition to the current state being a bad practice, this also means that we are unable to shade Guava in Flume.
> Note: Since this breaks our public API, I'll reschedule this issue to 2.0 once we have this version managed in jira.
[jira] [Created] (FLUME-3115) Upgrade netty library dependency
Attila Simon created FLUME-3115:
---

             Summary: Upgrade netty library dependency
                 Key: FLUME-3115
                 URL: https://issues.apache.org/jira/browse/FLUME-3115
             Project: Flume
          Issue Type: Bug
    Affects Versions: 1.7.0
            Reporter: Attila Simon
            Priority: Critical
             Fix For: 1.8.0


||Group||Artifact||Version used||Upgrade target||
|io.netty|netty|3.2.2.Final, 3.9.4.Final|4.1.12.Final|

Note: This artifact was moved to:
- New Group io.netty
- New Artifact netty-all

Security vulnerability: http://www.cvedetails.com/cve/CVE-2014-3488/

Please do:
- double check the newest version.
- consider to remove a dependency if better alternative is available.
- check whether the lib change would introduce a backward incompatibility (in which case please add this label `breaking_change` and fix version should be the next major)
[jira] [Resolved] (FLUME-1732) Build is failing due to netty problems
[ https://issues.apache.org/jira/browse/FLUME-1732?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Attila Simon resolved FLUME-1732.
-
    Resolution: Fixed

> Build is failing due to netty problems
> --
>
>                 Key: FLUME-1732
>                 URL: https://issues.apache.org/jira/browse/FLUME-1732
>             Project: Flume
>          Issue Type: Bug
>    Affects Versions: 1.4.0
>            Reporter: Brock Noland
>            Assignee: Mike Percy
>         Attachments: FLUME-1732-3.patch, FLUME-1732.patch
>
>
> FLUME-1723 changed how we bring in netty and that seems to have broken the build https://builds.apache.org/job/flume-trunk/330/#showFailuresLink
[jira] [Commented] (FLUME-1732) Build is failing due to netty problems
[ https://issues.apache.org/jira/browse/FLUME-1732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16075044#comment-16075044 ]

Attila Simon commented on FLUME-1732:
-

Interestingly it seems like it has been committed:

{noformat}
trunk(964bcf56)$ git log --oneline --grep FLUME-1732
750809c7 FLUME-1732: SpoolableDirectorySource should have configurable support for deleting files it has already completed instead of renaming
{noformat}

Unfortunately this is just a mistake in the commit message. That change belongs to FLUME-1731 instead.

I followed [~mpercy]'s steps from above but no failure for me. I conclude everything went back to normal since this ticket was opened. So marking this ticket as resolved.

{noformat}
trunk(964bcf56)$ mvn -version
Apache Maven 3.3.9 (bb52d8502b132ec0a5a3f4c09453c07478323dc5; 2015-11-10T17:41:47+01:00)
Maven home: /usr/local/Cellar/maven/3.3.9/libexec
Java version: 1.8.0_101, vendor: Oracle Corporation
Java home: /Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "10.12.5", arch: "x86_64", family: "mac"
{noformat}

> Build is failing due to netty problems
> --
>
>                 Key: FLUME-1732
>                 URL: https://issues.apache.org/jira/browse/FLUME-1732
>             Project: Flume
>          Issue Type: Bug
>    Affects Versions: 1.4.0
>            Reporter: Brock Noland
>            Assignee: Mike Percy
>         Attachments: FLUME-1732-3.patch, FLUME-1732.patch
>
>
> FLUME-1723 changed how we bring in netty and that seems to have broken the build https://builds.apache.org/job/flume-trunk/330/#showFailuresLink
Re: [jira] [Updated] (FLUME-3113) Upgrade commons-beanutils library dependency
unsubscribe

From: Attila Simon (JIRA)
Sent: Wednesday, July 5, 2017 8:39:00 AM
To: dev@flume.apache.org
Subject: [jira] [Updated] (FLUME-3113) Upgrade commons-beanutils library dependency
[jira] [Updated] (FLUME-2501) Updating HttpClient lib version to ensure compat with Solr
[ https://issues.apache.org/jira/browse/FLUME-2501?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Attila Simon updated FLUME-2501:
    Labels: dependency  (was: )

> Updating HttpClient lib version to ensure compat with Solr
> --
>
>                 Key: FLUME-2501
>                 URL: https://issues.apache.org/jira/browse/FLUME-2501
>             Project: Flume
>          Issue Type: Bug
>          Components: Sinks+Sources
>    Affects Versions: 1.5.0.1
>            Reporter: Roshan Naik
>            Assignee: Roshan Naik
>              Labels: dependency
>         Attachments: FLUME-2501.patch, FLUME-2501.v2.patch
>
>
> Mismatch in httpclient and http core libs pulled by flume v/s the ones that come with Solr causes errors at runtime
> {code}
> 2014-10-13 19:52:32,042 (lifecycleSupervisor-1-1) [DEBUG - org.apache.solr.client.solrj.impl.HttpClientUtil.createClient(HttpClientUtil.java:106)] Creating new http client, config:maxConnections=128&maxConnectionsPerHost=32&followRedirects=false
> 2014-10-13 19:52:32,225 (lifecycleSupervisor-1-1) [ERROR - org.apache.flume.lifecycle.LifecycleSupervisor$MonitorRunnable.run(LifecycleSupervisor.java:253)] Unable to start SinkRunner: { policy:org.apache.flume.sink.DefaultSinkProcessor@4752b854 counterGroup:{ name:null counters:{} } } - Exception follows.
> java.lang.NoSuchFieldError: DEF_CONTENT_CHARSET
>         at org.apache.http.impl.client.DefaultHttpClient.setDefaultHttpParams(DefaultHttpClient.java:175)
>         at org.apache.http.impl.client.DefaultHttpClient.createHttpParams(DefaultHttpClient.java:158)
>         at org.apache.http.impl.client.AbstractHttpClient.getParams(AbstractHttpClient.java:448)
>         at org.apache.solr.client.solrj.impl.HttpClientUtil.setFollowRedirects(HttpClientUtil.java:251)
>         at org.apache.solr.client.solrj.impl.HttpClientConfigurer.configure(HttpClientConfigurer.java:58)
>         at org.apache.solr.client.solrj.impl.HttpClientUtil.configureClient(HttpClientUtil.java:133)
>         at org.apache.solr.client.solrj.impl.HttpClientUtil.createClient(HttpClientUtil.java:109)
>         at org.apache.solr.client.solrj.impl.HttpSolrServer.<init>(HttpSolrServer.java:161)
>         at org.apache.solr.client.solrj.impl.HttpSolrServer.<init>(HttpSolrServer.java:138)
>         at org.apache.solr.client.solrj.impl.ConcurrentUpdateSolrServer.<init>(ConcurrentUpdateSolrServer.java:122)
>         at org.apache.solr.client.solrj.impl.ConcurrentUpdateSolrServer.<init>(ConcurrentUpdateSolrServer.java:114)
>         at org.apache.solr.client.solrj.impl.ConcurrentUpdateSolrServer.<init>(ConcurrentUpdateSolrServer.java:104)
>         at org.kitesdk.morphline.solr.SafeConcurrentUpdateSolrServer.<init>(SafeConcurrentUpdateSolrServer.java:39)
>         at org.kitesdk.morphline.solr.SafeConcurrentUpdateSolrServer.<init>(SafeConcurrentUpdateSolrServer.java:35)
>         at org.kitesdk.morphline.solr.SolrLocator.getLoader(SolrLocator.java:116)
>         at org.kitesdk.morphline.solr.LoadSolrBuilder$LoadSolr.<init>(LoadSolrBuilder.java:70)
>         at org.kitesdk.morphline.solr.LoadSolrBuilder.build(LoadSolrBuilder.java:52)
>         at org.kitesdk.morphline.base.AbstractCommand.buildCommand(AbstractCommand.java:303)
>         at org.kitesdk.morphline.base.AbstractCommand.buildCommandChain(AbstractCommand.java:250)
>         at org.kitesdk.morphline.stdlib.Pipe.<init>(Pipe.java:46)
>         at org.kitesdk.morphline.stdlib.PipeBuilder.build(PipeBuilder.java:40)
>         at org.kitesdk.morphline.base.Compiler.compile(Compiler.java:126)
>         at org.kitesdk.morphline.base.Compiler.compile(Compiler.java:55)
>         at org.apache.flume.sink.solr.morphline.MorphlineHandlerImpl.configure(MorphlineHandlerImpl.java:101)
>         at org.apache.flume.sink.solr.morphline.MorphlineSink.start(MorphlineSink.java:97)
>         at org.apache.flume.sink.DefaultSinkProcessor.start(DefaultSinkProcessor.java:46)
>         at org.apache.flume.SinkRunner.start(SinkRunner.java:79)
>         at org.apache.flume.lifecycle.LifecycleSupervisor$MonitorRunnable.run(LifecycleSupervisor.java:251)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>         at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:304)
>         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:178)
>         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>         at java.lang.Thread.run(Thread.java:745)
> {code}
[jira] [Commented] (FLUME-3114) Upgrade commons-httpclient library dependency
[ https://issues.apache.org/jira/browse/FLUME-3114?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16074995#comment-16074995 ]

Attila Simon commented on FLUME-3114:
-

We have a very similar jira where a patch is ready to upgrade to an older version than the one currently proposed here. The proposed version there doesn't seem to have any CVE yet.

> Upgrade commons-httpclient library dependency
> -
>
>                 Key: FLUME-3114
>                 URL: https://issues.apache.org/jira/browse/FLUME-3114
>             Project: Flume
>          Issue Type: Bug
>    Affects Versions: 1.7.0
>            Reporter: Attila Simon
>            Priority: Critical
>              Labels: dependency
>             Fix For: 1.8.0
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |commons-httpclient|commons-httpclient|3.1,3.0.1|4.5.2|
> Note: This artifact was moved to:
> * New Group org.apache.httpcomponents
> * New Artifact httpclient
> Security vulnerability: https://www.cvedetails.com/cve/CVE-2012-5783/
> Please do:
> - double check the newest version.
> - consider to remove a dependency if better alternative is available.
> - check whether the lib change would introduce a backward incompatibility (in which case please add this label `breaking_change` and fix version should be the next major)
[jira] [Created] (FLUME-3114) Upgrade commons-httpclient library dependency
Attila Simon created FLUME-3114:
---

             Summary: Upgrade commons-httpclient library dependency
                 Key: FLUME-3114
                 URL: https://issues.apache.org/jira/browse/FLUME-3114
             Project: Flume
          Issue Type: Bug
    Affects Versions: 1.7.0
            Reporter: Attila Simon
            Priority: Critical
             Fix For: 1.8.0


||Group||Artifact||Version used||Upgrade target||
|commons-httpclient|commons-httpclient|3.1,3.0.1|4.5.2|

Note: This artifact was moved to:
* New Group org.apache.httpcomponents
* New Artifact httpclient

Security vulnerability: https://www.cvedetails.com/cve/CVE-2012-5783/

Please do:
- double check the newest version.
- consider to remove a dependency if better alternative is available.
- check whether the lib change would introduce a backward incompatibility (in which case please add this label `breaking_change` and fix version should be the next major)
[jira] [Updated] (FLUME-3113) Upgrade commons-beanutils library dependency
[ https://issues.apache.org/jira/browse/FLUME-3113?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Attila Simon updated FLUME-3113:
    Description:
||Group||Artifact||Version used||Upgrade target||
|commons-beanutils|commons-beanutils|1.7.0|1.9.3|
|commons-beanutils|commons-beanutils-core|1.8.0|1.8.3|

Security vulnerability: https://www.cvedetails.com/cve/CVE-2014-0114/

Please do:
- double check the newest version.
- consider to remove a dependency if better alternative is available.
- check whether the lib change would introduce a backward incompatibility (in which case please add this label `breaking_change` and fix version should be the next major)

  was:
||Group||Artifact||Version used||Upgrade target||
|commons-beanutils|commons-beanutils|1.7.0|1.9.3|

Security vulnerability: https://www.cvedetails.com/cve/CVE-2014-0114/

Please do:
- double check the newest version.
- consider to remove a dependency if better alternative is available.
- check whether the lib change would introduce a backward incompatibility (in which case please add this label `breaking_change` and fix version should be the next major)

> Upgrade commons-beanutils library dependency
>
>                 Key: FLUME-3113
>                 URL: https://issues.apache.org/jira/browse/FLUME-3113
>             Project: Flume
>          Issue Type: Bug
>    Affects Versions: 1.7.0
>            Reporter: Attila Simon
>            Priority: Critical
>              Labels: dependency
>             Fix For: 1.8.0
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |commons-beanutils|commons-beanutils|1.7.0|1.9.3|
> |commons-beanutils|commons-beanutils-core|1.8.0|1.8.3|
> Security vulnerability: https://www.cvedetails.com/cve/CVE-2014-0114/
> Please do:
> - double check the newest version.
> - consider to remove a dependency if better alternative is available.
> - check whether the lib change would introduce a backward incompatibility (in which case please add this label `breaking_change` and fix version should be the next major)
[jira] [Commented] (FLUME-3112) Upgrade jackson-core library dependency
[ https://issues.apache.org/jira/browse/FLUME-3112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16074953#comment-16074953 ]

Attila Simon commented on FLUME-3112:
-

Excerpted transitive dependency tree from `mvn dependency:tree`

{noformat}
org.apache.flume.flume-ng-sinks:flume-dataset-sink:jar:1.8.0-SNAPSHOT
  org.kitesdk:kite-data-core:jar:1.0.0:compile
    com.fasterxml.jackson.core:jackson-databind:jar:2.3.1:compile
      com.fasterxml.jackson.core:jackson-annotations:jar:2.3.0:compile
      com.fasterxml.jackson.core:jackson-core:jar:2.3.1:compile
{noformat}

{noformat}
org.apache.flume.flume-ng-sinks:flume-ng-morphline-solr-sink:jar:1.8.0-SNAPSHOT
  org.kitesdk:kite-morphlines-all:pom:1.0.0:compile
    org.kitesdk:kite-morphlines-json:jar:1.0.0:compile
      com.fasterxml.jackson.core:jackson-databind:jar:2.3.1:compile
        com.fasterxml.jackson.core:jackson-annotations:jar:2.3.0:compile
        com.fasterxml.jackson.core:jackson-core:jar:2.3.1:compile
{noformat}

> Upgrade jackson-core library dependency
> ---
>
>                 Key: FLUME-3112
>                 URL: https://issues.apache.org/jira/browse/FLUME-3112
>             Project: Flume
>          Issue Type: Bug
>    Affects Versions: 1.7.0
>            Reporter: Attila Simon
>            Priority: Critical
>              Labels: dependency
>             Fix For: 1.8.0
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |com.fasterxml.jackson.core|jackson-core|2.3.1|2.8.9|
> Security vulnerability: http://www.cvedetails.com/cve/CVE-2016-7051/
> Please do:
> - double check the newest version.
> - consider to remove a dependency if better alternative is available.
> - check whether the lib change would introduce a backward incompatibility (in which case please add this label `breaking_change` and fix version should be the next major)
[jira] [Created] (FLUME-3113) Upgrade commons-beanutils library dependency
Attila Simon created FLUME-3113:
---

             Summary: Upgrade commons-beanutils library dependency
                 Key: FLUME-3113
                 URL: https://issues.apache.org/jira/browse/FLUME-3113
             Project: Flume
          Issue Type: Bug
    Affects Versions: 1.7.0
            Reporter: Attila Simon
            Priority: Critical
             Fix For: 1.8.0


||Group||Artifact||Version used||Upgrade target||
|commons-beanutils|commons-beanutils|1.7.0|1.9.3|

Security vulnerability: https://www.cvedetails.com/cve/CVE-2014-0114/

Please do:
- double check the newest version.
- consider to remove a dependency if better alternative is available.
- check whether the lib change would introduce a backward incompatibility (in which case please add this label `breaking_change` and fix version should be the next major)
[jira] [Created] (FLUME-3112) Upgrade jackson-core library dependency
Attila Simon created FLUME-3112:
---

             Summary: Upgrade jackson-core library dependency
                 Key: FLUME-3112
                 URL: https://issues.apache.org/jira/browse/FLUME-3112
             Project: Flume
          Issue Type: Bug
    Affects Versions: 1.7.0
            Reporter: Attila Simon
            Priority: Critical
             Fix For: 1.8.0


||Group||Artifact||Version used||Upgrade target||
|com.fasterxml.jackson.core|jackson-core|2.3.1|2.8.9|

Security vulnerability: http://www.cvedetails.com/cve/CVE-2016-7051/

Please do:
- double check the newest version.
- consider to remove a dependency if better alternative is available.
- check whether the lib change would introduce a backward incompatibility (in which case please add this label `breaking_change` and fix version should be the next major)