[jira] [Commented] (FLUME-1520) Timestamp interceptor should support custom headers
[ https://issues.apache.org/jira/browse/FLUME-1520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16096017#comment-16096017 ]

Denes Arvay commented on FLUME-1520:

Thank you all for the contribution, I'll commit the latest patch if there are no concerns.

> Timestamp interceptor should support custom headers
> ---------------------------------------------------
>
> Key: FLUME-1520
> URL: https://issues.apache.org/jira/browse/FLUME-1520
> Project: Flume
> Issue Type: Improvement
> Reporter: Hari Shreedharan
> Assignee: Hari Shreedharan
> Fix For: 1.8.0
>
> Attachments: FLUME-1520-2.patch, FLUME-1520-3.patch, FLUME-1520.patch

--
This message was sent by Atlassian JIRA (v6.4.14#64029)

[jira] [Commented] (FLUME-3131) Upgrade spring framework library dependencies
[ https://issues.apache.org/jira/browse/FLUME-3131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16095935#comment-16095935 ]

Attila Simon commented on FLUME-3131:
-------------------------------------

After looking at your patch now it is clear that you wanted to achieve what I wrote above. Have you considered pulling in the https://search.maven.org/#artifactdetails%7Cjavax.jms%7Cjms-api%7C1.1-rev-1%7Cjar instead of the geronimo shaded version?

> Upgrade spring framework library dependencies
> ---------------------------------------------
>
> Key: FLUME-3131
> URL: https://issues.apache.org/jira/browse/FLUME-3131
> Project: Flume
> Issue Type: Bug
> Affects Versions: 1.7.0
> Reporter: Attila Simon
> Assignee: Ferenc Szabo
> Priority: Critical
> Labels: dependency
> Fix For: 1.8.0
>
> Attachments: FLUME-3131.patch
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |org.springframework|spring-aop|3.0.7.RELEASE|4.3.9.RELEASE,|
> |org.springframework|spring-context|3.0.7.RELEASE|4.3.9.RELEASE,|
> |org.springframework|spring-core|3.0.7.RELEASE|4.3.9.RELEASE,|
>
> Security vulnerability:
> https://www.cvedetails.com/vulnerability-list/vendor_id-9664/product_id-17274/Springsource-Spring-Framework.html
>
> Maven repositories:
> - https://mvnrepository.com/artifact/org.springframework/spring-aop
> - https://mvnrepository.com/artifact/org.springframework/spring-context
> - https://mvnrepository.com/artifact/org.springframework/spring-core
>
> Please do:
> - CVE might be a false alarm or mistake. Please double check.
> - double check the newest version.
> - consider removing a dependency if a better alternative is available.
> - check whether the lib change would introduce a backward incompatibility (in
> which case please add this label `breaking_change` and fix version should be
> the next major)
>
> Excerpt from mvn dependency:tree
> {noformat}
> org.apache.flume.flume-ng-sources:flume-jms-source:jar:1.8.0-SNAPSHOT
> \- org.apache.activemq:activemq-core:jar:5.7.0:provided
>    +- org.springframework:spring-context:jar:3.0.7.RELEASE:provided
>    |  +- org.springframework:spring-aop:jar:3.0.7.RELEASE:provided
>    |  +- org.springframework:spring-beans:jar:3.0.7.RELEASE:provided
>    |  +- org.springframework:spring-core:jar:3.0.7.RELEASE:provided
>    |  +- org.springframework:spring-expression:jar:3.0.7.RELEASE:provided
>    |  \- org.springframework:spring-asm:jar:3.0.7.RELEASE:provided
> {noformat}

[jira] [Comment Edited] (FLUME-3131) Upgrade spring framework library dependencies
[ https://issues.apache.org/jira/browse/FLUME-3131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16095870#comment-16095870 ]

Attila Simon edited comment on FLUME-3131 at 7/21/17 6:56 AM:
--------------------------------------------------------------

Hi [~fszabo],

In general I'm fine with any approach which gets us closer to the state that flume is not vulnerable based on our understanding. Indeed it looks like test only. But having a closer look it seems that activemq (parent dependency of spring and also brings in geronimo) also falls into the same category. I would also consider updating the version of the activemq in case it still passes testing and doesn't bring in undesired dependencies transitively. (This in turn might help resolve this ticket by either removing the spring dependency completely or pulling in a "better" one)

{noformat}
⏚ [~/ws/apache/flume] trunk ± ag activemq *
flume-ng-doc/sphinx/FlumeUserGuide.rst
932:application it should work with any JMS provider but has only been tested with ActiveMQ.
945:**initialContextFactory** -- Inital Context Factory, e.g: org.apache.activemq.jndi.ActiveMQInitialContextFactory
994: a1.sources.r1.initialContextFactory = org.apache.activemq.jndi.ActiveMQInitialContextFactory

flume-ng-sources/flume-jms-source/pom.xml
74: org.apache.activemq
75: activemq-core

flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestIntegrationActiveMQ.java
37:import org.apache.activemq.ActiveMQConnectionFactory;
38:import org.apache.activemq.broker.BrokerPlugin;
39:import org.apache.activemq.broker.BrokerService;
40:import org.apache.activemq.security.AuthenticationUser;
41:import org.apache.activemq.security.SimpleAuthenticationPlugin;
57:public class TestIntegrationActiveMQ {
60: "org.apache.activemq.jndi.ActiveMQInitialContextFactory";
65: // specific for dynamic queues on ActiveMq
133:ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,
154:ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,

pom.xml
1081:org.apache.activemq
1082:activemq-core
{noformat}

was (Author: sati):

Hi [~fszabo],

In general I'm fine with any approach which gets us closer to the state that flume is not vulnerable based on our understanding. Indeed it looks like test only. But having a closer look it seems that activemq (parent dependency of geronimo) also falls into the same category. I would also consider updating the version of the activemq in case it still passes testing and doesn't bring in undesired dependencies transitively. (This in turn might help resolve this ticket by either removing the spring dependency completely or pulling in a "better" one)

{noformat}
⏚ [~/ws/apache/flume] trunk ± ag activemq *
flume-ng-doc/sphinx/FlumeUserGuide.rst
932:application it should work with any JMS provider but has only been tested with ActiveMQ.
945:**initialContextFactory** -- Inital Context Factory, e.g: org.apache.activemq.jndi.ActiveMQInitialContextFactory
994: a1.sources.r1.initialContextFactory = org.apache.activemq.jndi.ActiveMQInitialContextFactory

flume-ng-sources/flume-jms-source/pom.xml
74: org.apache.activemq
75: activemq-core

flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestIntegrationActiveMQ.java
37:import org.apache.activemq.ActiveMQConnectionFactory;
38:import org.apache.activemq.broker.BrokerPlugin;
39:import org.apache.activemq.broker.BrokerService;
40:import org.apache.activemq.security.AuthenticationUser;
41:import org.apache.activemq.security.SimpleAuthenticationPlugin;
57:public class TestIntegrationActiveMQ {
60: "org.apache.activemq.jndi.ActiveMQInitialContextFactory";
65: // specific for dynamic queues on ActiveMq
133:ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,
154:ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,

pom.xml
1081:org.apache.activemq
1082:activemq-core
{noformat}

[jira] [Commented] (FLUME-3131) Upgrade spring framework library dependencies
[ https://issues.apache.org/jira/browse/FLUME-3131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16095870#comment-16095870 ]

Attila Simon commented on FLUME-3131:
-------------------------------------

Hi [~fszabo],

In general I'm fine with any approach which gets us closer to the state that flume is not vulnerable based on our understanding. Indeed it looks like test only. But having a closer look it seems that activemq (parent dependency of geronimo) also falls into the same category. I would also consider updating the version of the activemq in case it still passes testing and doesn't bring in undesired dependencies transitively. (This in turn might help resolve this ticket by either removing the spring dependency completely or pulling in a "better" one)

{noformat}
⏚ [~/ws/apache/flume] trunk ± ag activemq *
flume-ng-doc/sphinx/FlumeUserGuide.rst
932:application it should work with any JMS provider but has only been tested with ActiveMQ.
945:**initialContextFactory** -- Inital Context Factory, e.g: org.apache.activemq.jndi.ActiveMQInitialContextFactory
994: a1.sources.r1.initialContextFactory = org.apache.activemq.jndi.ActiveMQInitialContextFactory

flume-ng-sources/flume-jms-source/pom.xml
74: org.apache.activemq
75: activemq-core

flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestIntegrationActiveMQ.java
37:import org.apache.activemq.ActiveMQConnectionFactory;
38:import org.apache.activemq.broker.BrokerPlugin;
39:import org.apache.activemq.broker.BrokerService;
40:import org.apache.activemq.security.AuthenticationUser;
41:import org.apache.activemq.security.SimpleAuthenticationPlugin;
57:public class TestIntegrationActiveMQ {
60: "org.apache.activemq.jndi.ActiveMQInitialContextFactory";
65: // specific for dynamic queues on ActiveMq
133:ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,
154:ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,

pom.xml
1081:org.apache.activemq
1082:activemq-core
{noformat}
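
Added example (not part of the JIRA thread or of Flume's code): a Python parser for the `mvn dependency:tree` excerpt quoted in FLUME-3131 that reports each org.springframework artifact below the 4.3.9.RELEASE upgrade target, together with the direct dependency that pulls it in. The function names are illustrative assumptions; the tree text and the target version are taken from the ticket.

```python
import re

# Tree excerpt as quoted in the FLUME-3131 description.
TREE = r"""org.apache.flume.flume-ng-sources:flume-jms-source:jar:1.8.0-SNAPSHOT
\- org.apache.activemq:activemq-core:jar:5.7.0:provided
   +- org.springframework:spring-context:jar:3.0.7.RELEASE:provided
   |  +- org.springframework:spring-aop:jar:3.0.7.RELEASE:provided
   |  +- org.springframework:spring-beans:jar:3.0.7.RELEASE:provided
   |  +- org.springframework:spring-core:jar:3.0.7.RELEASE:provided
   |  +- org.springframework:spring-expression:jar:3.0.7.RELEASE:provided
   |  \- org.springframework:spring-asm:jar:3.0.7.RELEASE:provided
"""

# Indent is a run of 3-char units ("   " or "|  "), then an optional "+- " / "\- ".
LINE = re.compile(r"^((?:[| ] {2})*)([+\\]- )?(\S+)$")


def version_key(version):
    """Leading numeric components only: '3.0.7.RELEASE' -> (3, 0, 7)."""
    return tuple(int(n) for n in re.match(r"\d+(?:\.\d+)*", version).group().split("."))


def parse_tree(text):
    """Yield (depth, group, 'group:artifact:version', version, scope) per node."""
    for raw in text.splitlines():
        m = LINE.match(re.sub(r"^\[INFO\] ", "", raw.rstrip()))
        parts = m.group(3).split(":") if m else []
        if len(parts) < 4:
            continue
        depth = len(m.group(1)) // 3 + (1 if m.group(2) else 0)
        # Root is g:a:type:version; children add :scope (and maybe a classifier).
        version, scope = (parts[3], None) if len(parts) == 4 else (parts[-2], parts[-1])
        yield depth, parts[0], f"{parts[0]}:{parts[1]}:{version}", version, scope


def outdated(text, group, target):
    """Return (coord, scope, ancestor path) for `group` nodes older than `target`."""
    stack, hits = [], []
    for depth, grp, coord, version, scope in parse_tree(text):
        del stack[depth:]  # keep only the ancestors of the current node
        if grp == group and version_key(version) < version_key(target):
            hits.append((coord, scope, list(stack)))
        stack.append(coord)
    return hits


def direct_parents(hits):
    """First-level dependencies of the module that bring the hits in."""
    return sorted({path[1] if len(path) > 1 else coord for coord, _, path in hits})
```

On the ticket's excerpt every finding resolves to activemq-core 5.7.0 in `provided` scope, which is the point made in the comments above: the Spring jars are not declared by Flume directly, so the fix has to go through that parent dependency.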