[jira] [Commented] (FLUME-1520) Timestamp interceptor should support custom headers
[ https://issues.apache.org/jira/browse/FLUME-1520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16096017#comment-16096017 ] Denes Arvay commented on FLUME-1520: Thank you all for the contribution, I'll commit the latest patch if there are no concerns. > Timestamp interceptor should support custom headers > --- > > Key: FLUME-1520 > URL: https://issues.apache.org/jira/browse/FLUME-1520 > Project: Flume > Issue Type: Improvement >Reporter: Hari Shreedharan >Assignee: Hari Shreedharan > Fix For: 1.8.0 > > Attachments: FLUME-1520-2.patch, FLUME-1520-3.patch, FLUME-1520.patch > > -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (FLUME-3131) Upgrade spring framework library dependencies
[
https://issues.apache.org/jira/browse/FLUME-3131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16095935#comment-16095935
]
Attila Simon commented on FLUME-3131:
-
After looking at your patch now it is clear that you wanted to achieve what I
wrote above. Have you considered pulling in the
https://search.maven.org/#artifactdetails%7Cjavax.jms%7Cjms-api%7C1.1-rev-1%7Cjar
instead of the geronimo shaded version?
> Upgrade spring framework library dependencies
> -
>
> Key: FLUME-3131
> URL: https://issues.apache.org/jira/browse/FLUME-3131
> Project: Flume
> Issue Type: Bug
>Affects Versions: 1.7.0
>Reporter: Attila Simon
>Assignee: Ferenc Szabo
>Priority: Critical
> Labels: dependency
> Fix For: 1.8.0
>
> Attachments: FLUME-3131.patch
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |org.springframework|spring-aop|3.0.7.RELEASE|4.3.9.RELEASE,|
> |org.springframework|spring-context|3.0.7.RELEASE|4.3.9.RELEASE,|
> |org.springframework|spring-core|3.0.7.RELEASE|4.3.9.RELEASE,|
> Security vulnerability:
> https://www.cvedetails.com/vulnerability-list/vendor_id-9664/product_id-17274/Springsource-Spring-Framework.html
> Maven repositories:
> - https://mvnrepository.com/artifact/org.springframework/spring-aop
> - https://mvnrepository.com/artifact/org.springframework/spring-context
> - https://mvnrepository.com/artifact/org.springframework/spring-core
> Please do:
> - CVE might be a false alarm or mistake. Please double check.
> - double check the newest version.
> - consider to remove a dependency if better alternative is available.
> - check whether the lib change would introduce a backward incompatibility (in
> which case please add this label `breaking_change` and fix version should be
> the next major)
> Excerpt from mvn dependency:tree
> {noformat}
> org.apache.flume.flume-ng-sources:flume-jms-source:jar:1.8.0-SNAPSHOT
> \- org.apache.activemq:activemq-core:jar:5.7.0:provided
>+- org.springframework:spring-context:jar:3.0.7.RELEASE:provided
>| +- org.springframework:spring-aop:jar:3.0.7.RELEASE:provided
>| +- org.springframework:spring-beans:jar:3.0.7.RELEASE:provided
>| +- org.springframework:spring-core:jar:3.0.7.RELEASE:provided
>| +- org.springframework:spring-expression:jar:3.0.7.RELEASE:provided
>| \- org.springframework:spring-asm:jar:3.0.7.RELEASE:provided
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Comment Edited] (FLUME-3131) Upgrade spring framework library dependencies
[
https://issues.apache.org/jira/browse/FLUME-3131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16095870#comment-16095870
]
Attila Simon edited comment on FLUME-3131 at 7/21/17 6:56 AM:
--
Hi [~fszabo],
In general I'm fine with any approach which getting us closer to the state that
flume is not vulnerable based on our understanding.
Indeed it looks like test only. But having a closer look it seems like that
activemq (parent dependency of spring and also brings in geronimo) also falls
into the same category. I would also consider update the version of the
activemq in case it still passes testing and doesn't bring in undesired
dependencies transitively. (This in turn might help resolving this ticket by
either removing the spring dependency completely or pulling in a "better" one)
{noformat}
⏚ [~/ws/apache/flume] trunk ± ag activemq *
flume-ng-doc/sphinx/FlumeUserGuide.rst
932:application it should work with any JMS provider but has only been tested
with ActiveMQ.
945:**initialContextFactory** -- Inital Context Factory, e.g:
org.apache.activemq.jndi.ActiveMQInitialContextFactory
994: a1.sources.r1.initialContextFactory =
org.apache.activemq.jndi.ActiveMQInitialContextFactory
flume-ng-sources/flume-jms-source/pom.xml
74: org.apache.activemq
75: activemq-core
flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestIntegrationActiveMQ.java
37:import org.apache.activemq.ActiveMQConnectionFactory;
38:import org.apache.activemq.broker.BrokerPlugin;
39:import org.apache.activemq.broker.BrokerService;
40:import org.apache.activemq.security.AuthenticationUser;
41:import org.apache.activemq.security.SimpleAuthenticationPlugin;
57:public class TestIntegrationActiveMQ {
60: "org.apache.activemq.jndi.ActiveMQInitialContextFactory";
65: // specific for dynamic queues on ActiveMq
133:ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,
154:ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,
pom.xml
1081:org.apache.activemq
1082:activemq-core
{noformat}
was (Author: sati):
Hi [~fszabo],
In general I'm fine with any approach which getting us closer to the state that
flume is not vulnerable based on our understanding.
Indeed it looks like test only. But having a closer look it seems like that
activemq (parent dependency of geronimo) also falls into the same category. I
would also consider update the version of the activemq in case it still passes
testing and doesn't bring in undesired dependencies transitively. (This in turn
might help resolving this ticket by either removing the spring dependency
completely or pulling in a "better" one)
{noformat}
⏚ [~/ws/apache/flume] trunk ± ag activemq *
flume-ng-doc/sphinx/FlumeUserGuide.rst
932:application it should work with any JMS provider but has only been tested
with ActiveMQ.
945:**initialContextFactory** -- Inital Context Factory, e.g:
org.apache.activemq.jndi.ActiveMQInitialContextFactory
994: a1.sources.r1.initialContextFactory =
org.apache.activemq.jndi.ActiveMQInitialContextFactory
flume-ng-sources/flume-jms-source/pom.xml
74: org.apache.activemq
75: activemq-core
flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestIntegrationActiveMQ.java
37:import org.apache.activemq.ActiveMQConnectionFactory;
38:import org.apache.activemq.broker.BrokerPlugin;
39:import org.apache.activemq.broker.BrokerService;
40:import org.apache.activemq.security.AuthenticationUser;
41:import org.apache.activemq.security.SimpleAuthenticationPlugin;
57:public class TestIntegrationActiveMQ {
60: "org.apache.activemq.jndi.ActiveMQInitialContextFactory";
65: // specific for dynamic queues on ActiveMq
133:ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,
154:ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,
pom.xml
1081:org.apache.activemq
1082:activemq-core
{noformat}
> Upgrade spring framework library dependencies
> -
>
> Key: FLUME-3131
> URL: https://issues.apache.org/jira/browse/FLUME-3131
> Project: Flume
> Issue Type: Bug
>Affects Versions: 1.7.0
>Reporter: Attila Simon
>Assignee: Ferenc Szabo
>Priority: Critical
> Labels: dependency
> Fix For: 1.8.0
>
> Attachments: FLUME-3131.patch
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |org.springframework|spring-aop|3.0.7.RELEASE|4.3.9.RELEASE,|
> |org.springframework|spring-context|3.0.7.RELEASE|4.3.9.RELEASE,|
> |org.springframework|spring-core|3.0.7.RELEASE|4.3.9.RELEASE,|
> Security vulnerability:
> https://www.cvedetails.com/vulnerability-list/vendor_id-9664/product_id-17274/Springsource-Spring-Framework.html
> Maven
[jira] [Commented] (FLUME-3131) Upgrade spring framework library dependencies
[
https://issues.apache.org/jira/browse/FLUME-3131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16095870#comment-16095870
]
Attila Simon commented on FLUME-3131:
-
Hi [~fszabo],
In general I'm fine with any approach which getting us closer to the state that
flume is not vulnerable based on our understanding.
Indeed it looks like test only. But having a closer look it seems like that
activemq (parent dependency of geronimo) also falls into the same category. I
would also consider update the version of the activemq in case it still passes
testing and doesn't bring in undesired dependencies transitively. (This in turn
might help resolving this ticket by either removing the spring dependency
completely or pulling in a "better" one)
{noformat}
⏚ [~/ws/apache/flume] trunk ± ag activemq *
flume-ng-doc/sphinx/FlumeUserGuide.rst
932:application it should work with any JMS provider but has only been tested
with ActiveMQ.
945:**initialContextFactory** -- Inital Context Factory, e.g:
org.apache.activemq.jndi.ActiveMQInitialContextFactory
994: a1.sources.r1.initialContextFactory =
org.apache.activemq.jndi.ActiveMQInitialContextFactory
flume-ng-sources/flume-jms-source/pom.xml
74: org.apache.activemq
75: activemq-core
flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestIntegrationActiveMQ.java
37:import org.apache.activemq.ActiveMQConnectionFactory;
38:import org.apache.activemq.broker.BrokerPlugin;
39:import org.apache.activemq.broker.BrokerService;
40:import org.apache.activemq.security.AuthenticationUser;
41:import org.apache.activemq.security.SimpleAuthenticationPlugin;
57:public class TestIntegrationActiveMQ {
60: "org.apache.activemq.jndi.ActiveMQInitialContextFactory";
65: // specific for dynamic queues on ActiveMq
133:ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,
154:ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,
pom.xml
1081:org.apache.activemq
1082:activemq-core
{noformat}
> Upgrade spring framework library dependencies
> -
>
> Key: FLUME-3131
> URL: https://issues.apache.org/jira/browse/FLUME-3131
> Project: Flume
> Issue Type: Bug
>Affects Versions: 1.7.0
>Reporter: Attila Simon
>Assignee: Ferenc Szabo
>Priority: Critical
> Labels: dependency
> Fix For: 1.8.0
>
> Attachments: FLUME-3131.patch
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |org.springframework|spring-aop|3.0.7.RELEASE|4.3.9.RELEASE,|
> |org.springframework|spring-context|3.0.7.RELEASE|4.3.9.RELEASE,|
> |org.springframework|spring-core|3.0.7.RELEASE|4.3.9.RELEASE,|
> Security vulnerability:
> https://www.cvedetails.com/vulnerability-list/vendor_id-9664/product_id-17274/Springsource-Spring-Framework.html
> Maven repositories:
> - https://mvnrepository.com/artifact/org.springframework/spring-aop
> - https://mvnrepository.com/artifact/org.springframework/spring-context
> - https://mvnrepository.com/artifact/org.springframework/spring-core
> Please do:
> - CVE might be a false alarm or mistake. Please double check.
> - double check the newest version.
> - consider to remove a dependency if better alternative is available.
> - check whether the lib change would introduce a backward incompatibility (in
> which case please add this label `breaking_change` and fix version should be
> the next major)
> Excerpt from mvn dependency:tree
> {noformat}
> org.apache.flume.flume-ng-sources:flume-jms-source:jar:1.8.0-SNAPSHOT
> \- org.apache.activemq:activemq-core:jar:5.7.0:provided
>+- org.springframework:spring-context:jar:3.0.7.RELEASE:provided
>| +- org.springframework:spring-aop:jar:3.0.7.RELEASE:provided
>| +- org.springframework:spring-beans:jar:3.0.7.RELEASE:provided
>| +- org.springframework:spring-core:jar:3.0.7.RELEASE:provided
>| +- org.springframework:spring-expression:jar:3.0.7.RELEASE:provided
>| \- org.springframework:spring-asm:jar:3.0.7.RELEASE:provided
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
