[jira] [Work logged] (HDDS-2150) Update dependency versions to avoid security vulnerabilities
[ https://issues.apache.org/jira/browse/HDDS-2150?focusedWorklogId=316069=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-316069 ]

ASF GitHub Bot logged work on HDDS-2150:

Author: ASF GitHub Bot
Created on: 21/Sep/19 06:21
Start Date: 21/Sep/19 06:21
Worklog Time Spent: 10m
Work Description: bharatviswa504 commented on pull request #1472: HDDS-2150. Update dependency versions to avoid security vulnerabilities.
URL: https://github.com/apache/hadoop/pull/1472

This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org

Issue Time Tracking
---
Worklog Id: (was: 316069)
Time Spent: 50m (was: 40m)

> Update dependency versions to avoid security vulnerabilities
>
> Key: HDDS-2150
> URL: https://issues.apache.org/jira/browse/HDDS-2150
> Project: Hadoop Distributed Data Store
> Issue Type: Bug
> Reporter: Hanisha Koneru
> Assignee: Hanisha Koneru
> Priority: Major
> Labels: pull-request-available
> Time Spent: 50m
> Remaining Estimate: 0h
>
> The following dependency versions have known security vulnerabilities. We should update them to recent/ later versions.
> * Apache Thrift 0.11.0
> * Apache Zookeeper 3.4.13
> * Jetty Servlet 9.3.24

--
This message was sent by Atlassian Jira (v8.3.4#803005)

To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Work logged] (HDDS-2150) Update dependency versions to avoid security vulnerabilities
[ https://issues.apache.org/jira/browse/HDDS-2150?focusedWorklogId=315484=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-315484 ] ASF GitHub Bot logged work on HDDS-2150: Author: ASF GitHub Bot Created on: 20/Sep/19 06:07 Start Date: 20/Sep/19 06:07 Worklog Time Spent: 10m Work Description: adoroszlai commented on pull request #1472: HDDS-2150. Update dependency versions to avoid security vulnerabilities. URL: https://github.com/apache/hadoop/pull/1472#discussion_r326482196 ## File path: dependencyTree- ## 
@@ -0,0 +1,4202 @@ +[INFO] Scanning for projects... +[INFO] +[INFO] Detecting the operating system and CPU architecture +[INFO] +[INFO] os.detected.name: osx +[INFO] os.detected.arch: x86_64 +[INFO] os.detected.version: 10.14 +[INFO] os.detected.version.major: 10 +[INFO] os.detected.version.minor: 14 +[INFO] os.detected.classifier: osx-x86_64 +[INFO] +[INFO] Reactor Build Order: +[INFO] +[INFO] Apache Hadoop Ozone Main [pom] +[INFO] Apache Hadoop HDDS [pom] +[INFO] Apache Hadoop HDDS Config [jar] +[INFO] Apache Hadoop HDDS Common [jar] +[INFO] Apache Hadoop HDDS Client [jar] +[INFO] Apache Hadoop HDDS Server Framework[jar] +[INFO] Apache Hadoop HDDS Container Service [jar] +[INFO] Apache Hadoop HDDS/Ozone Documentation [jar] +[INFO] Apache Hadoop HDDS SCM Server [jar] +[INFO] Apache Hadoop HDDS Tools [jar] +[INFO] Apache Hadoop Ozone[pom] +[INFO] Apache Hadoop Ozone Common [jar] +[INFO] Apache Hadoop Ozone Client [jar] +[INFO] Apache Hadoop Ozone Manager Server [jar] +[INFO] Apache Hadoop Ozone S3 Gateway [jar] +[INFO] Apache Hadoop Ozone CSI service[jar] +[INFO] Apache Hadoop Ozone Recon CodeGen [jar] +[INFO] Apache Hadoop Ozone Recon [jar] +[INFO] Apache Hadoop Ozone Integration Tests [jar] +[INFO] Apache Hadoop Ozone FileSystem [jar] +[INFO] Apache Hadoop Ozone FileSystem Single Jar Library [jar] +[INFO] Apache Hadoop Ozone FileSystem Legacy Jar Library [jar] +[INFO] Apache Hadoop Ozone Tools [jar] +[INFO] Apache Hadoop Ozone Datanode [jar] +[INFO] Apache Hadoop Ozone In-Place Upgrade [jar] +[INFO] Apache Hadoop Ozone Insight Tool [jar] +[INFO] Apache Hadoop Ozone Distribution [pom] +[INFO] Apache Hadoop Ozone Fault Injection Tests [pom] +[INFO] Apache Hadoop Ozone Network Tests [jar] +[INFO] +[INFO] < org.apache.hadoop:hadoop-main-ozone >- +[INFO] Building Apache Hadoop Ozone Main 0.5.0-SNAPSHOT [1/29] +[INFO] [ pom ]- +[INFO] +[INFO] --- maven-dependency-plugin:3.0.2:tree (default-cli) @ hadoop-main-ozone --- +[INFO] 
org.apache.hadoop:hadoop-main-ozone:pom:0.5.0-SNAPSHOT +[INFO] +[INFO] ---< org.apache.hadoop:hadoop-hdds > +[INFO] Building Apache Hadoop HDDS 0.5.0-SNAPSHOT[2/29] +[INFO] [ pom ]- +[INFO] +[INFO] --- maven-dependency-plugin:3.0.2:tree (default-cli) @ hadoop-hdds --- +[INFO] org.apache.hadoop:hadoop-hdds:pom:0.5.0-SNAPSHOT +[INFO] +- org.apache.hadoop:hadoop-common:jar:3.2.0:compile +[INFO] | +- org.apache.hadoop:hadoop-annotations:jar:3.2.0:compile +[INFO] | | \- jdk.tools:jdk.tools:jar:1.8:system +[INFO] | +- commons-cli:commons-cli:jar:1.2:compile +[INFO] | +- org.apache.commons:commons-math3:jar:3.1.1:compile +[INFO] | +- org.apache.httpcomponents:httpclient:jar:4.5.2:compile +[INFO] | | \- org.apache.httpcomponents:httpcore:jar:4.4.4:compile +[INFO] | +- commons-codec:commons-codec:jar:1.11:compile +[INFO] | +- commons-io:commons-io:jar:2.5:compile +[INFO] | +-
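Review bot: `dependencyTree-` is a brand-new 4202-line file (`@@ -0,0 +1,4202 @@`) containing raw `mvn dependency:tree` console output, starting with `[INFO] Scanning for projects...` and the submitter's local `os.detected.name: osx` / `os.detected.version: 10.14` values, so it looks like a build log that was added by accident rather than part of the version bump; drop it from the pull request, and if the resolved tree is wanted as evidence that Thrift 0.11.0, Zookeeper 3.4.13 and Jetty 9.3.24 no longer appear, attach it to the Jira or have CI regenerate it instead of tracking it in the repository.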
[jira] [Work logged] (HDDS-2150) Update dependency versions to avoid security vulnerabilities
[ https://issues.apache.org/jira/browse/HDDS-2150?focusedWorklogId=315374=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-315374 ]

ASF GitHub Bot logged work on HDDS-2150:

Author: ASF GitHub Bot
Created on: 19/Sep/19 23:48
Start Date: 19/Sep/19 23:48
Worklog Time Spent: 10m
Work Description: hanishakoneru commented on issue #1472: HDDS-2150. Update dependency versions to avoid security vulnerabilities.
URL: https://github.com/apache/hadoop/pull/1472#issuecomment-533349484

Thank you @adoroszlai. I have updated the jaeger tracing version to 0.34.0. Also removed the zookeeper dependency from ozone. Ozone does not need a direct dependency on zookeeper.

Issue Time Tracking
---
Worklog Id: (was: 315374)
Time Spent: 0.5h (was: 20m)
[jira] [Work logged] (HDDS-2150) Update dependency versions to avoid security vulnerabilities
[ https://issues.apache.org/jira/browse/HDDS-2150?focusedWorklogId=314919=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-314919 ] ASF GitHub Bot logged work on HDDS-2150: Author: ASF GitHub Bot Created on: 19/Sep/19 09:28 Start Date: 19/Sep/19 09:28 Worklog Time Spent: 10m Work Description: adoroszlai commented on pull request #1472: HDDS-2150. Update dependency versions to avoid security vulnerabilities. URL: https://github.com/apache/hadoop/pull/1472#discussion_r326073658 ## File path: pom.ozone.xml ## 
@@ -127,6 +127,9 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xs 1.9.13 2.9.9 + +1.0.0

Review comment: Jaeger 1.0 depends on newer OpenTracing (0.33), which is not backwards compatible.

https://github.com/opentracing/opentracing-java/pull/339
https://github.com/opentracing/opentracing-java#deprecated-members-since-031

`hadoop-hdds-common` compiles only due to explicit dependency on `opentracing-util` 0.31.0. However, it fails at runtime with [`NoSuchMethodError`](https://github.com/elek/ozone-ci/blob/259712a9df53dd8531786e23676ebed13f527918/pr/pr-hdds-2150-pzdq9/integration/hadoop-ozone/ozonefs/org.apache.hadoop.fs.ozone.contract.ITestOzoneContractDistCp.txt#L6).

For the security fix I think it is enough to upgrade to Jaeger 0.34, which [updated Apache Thrift to 0.12](https://github.com/jaegertracing/jaeger-client-java/blob/136a849202e8d0a95e007e6faae38f1519cdba55/build.gradle#L22). [Latest Jaeger Client release](https://github.com/jaegertracing/jaeger-client-java/releases/latest) 0.35.2 should be OK, too, as it depends on OpenTracing 0.32, which still has the deprecated methods. In this case OpenTracing version should be changed to 0.32.0.

Issue Time Tracking
---
Worklog Id: (was: 314919)
Time Spent: 20m (was: 10m)
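Review bot: the hunk sets a new version property to 1.0.0 (extraction has dropped the XML tag names, so which property it is cannot be read from the diff itself) without touching the neighbouring version properties (1.9.13, 2.9.9) or adding a matching OpenTracing version; a Jaeger 1.0 client pulls in OpenTracing 0.33, whose API is not backward compatible with the 0.31.0 `opentracing-util` that `hadoop-hdds-common` still compiles against, so a clean compile here is not evidence the upgrade is safe. Either pin the Jaeger line that still resolves to a compatible OpenTracing (0.34, which already moves Thrift to 0.12, or 0.35.2 together with OpenTracing 0.32.0) or bump both properties in the same hunk, and gate the change on the integration tests rather than on compilation.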
[jira] [Work logged] (HDDS-2150) Update dependency versions to avoid security vulnerabilities
[ https://issues.apache.org/jira/browse/HDDS-2150?focusedWorklogId=314678=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-314678 ]

ASF GitHub Bot logged work on HDDS-2150:

Author: ASF GitHub Bot
Created on: 18/Sep/19 21:45
Start Date: 18/Sep/19 21:45
Worklog Time Spent: 10m
Work Description: hanishakoneru commented on pull request #1472: HDDS-2150. Update dependency versions to avoid security vulnerabilities.
URL: https://github.com/apache/hadoop/pull/1472

The following dependency versions have known security vulnerabilities. We should update them to recent/ later versions.
- Apache Thrift 0.11.0 (dependency of JaegerTracing)
- Apache Zookeeper 3.4.13
- Jetty Servlet 9.3.24

Issue Time Tracking
---
Worklog Id: (was: 314678)
Remaining Estimate: 0h
Time Spent: 10m
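A check for the kind of upgrade this PR makes, added here as an example and not part of the pull request or the Ozone build: it parses `mvn dependency:tree` output (the same format as the tree dump attached to the PR), walks the reactor one module at a time, and reports every artifact whose version is at or below the ones the issue lists together with the path by which it is reached, so a transitive such as Thrift under the Jaeger client is caught in the same pass as a direct dependency like Zookeeper. The Maven coordinates assumed for Thrift (`org.apache.thrift:libthrift`) and Jetty Servlet (`org.eclipse.jetty:jetty-servlet`), the "at or below the listed version" rule, and the sample tree (including the illustrative pre-upgrade Jaeger 0.33.0) are assumptions for the example, not taken from the page.

```python
"""Flag known-vulnerable artifacts in `mvn dependency:tree` output and show
the path by which each one is pulled in (direct, or via which parents)."""
import re
import sys
from dataclasses import dataclass

# Deny list built from the versions HDDS-2150 names. The Maven coordinates
# for Thrift and Jetty Servlet, and the "flag anything at or below this
# version" rule, are assumptions for this example; take the real cut-off
# for each entry from the advisory that applies to it.
DENY_LIST = {
    ("org.apache.thrift", "libthrift"): "0.11.0",
    ("org.apache.zookeeper", "zookeeper"): "3.4.13",
    ("org.eclipse.jetty", "jetty-servlet"): "9.3.24",
}

# Tree connectors printed by maven-dependency-plugin; each nesting level is 3 chars wide.
MARKER = re.compile(r"\+- |\\- ")


@dataclass
class Finding:
    module: str        # reactor module whose tree contains the artifact
    coordinate: str    # group:artifact:version of the flagged artifact
    path: list         # artifact:version entries from the module root down to it


def version_key(version):
    """Leading numeric components only, so '9.3.24.v20180605' -> (9, 3, 24)."""
    key = []
    for part in re.split(r"[.\-]", version):
        if not part.isdigit():
            break
        key.append(int(part))
    return tuple(key)


def parse_coordinate(token):
    """Split g:a:type[:classifier]:version[:scope] into (group, artifact, version)."""
    parts = token.split(":")
    if len(parts) < 4:
        return None
    version = parts[3] if len(parts) == 4 else parts[-2]
    return parts[0], parts[1], version


def find_vulnerable(tree_text, deny_list=DENY_LIST):
    findings = []
    stack = []      # (depth, (group, artifact, version)) from module root to current node
    module = None
    for raw in tree_text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        marker = MARKER.search(line)
        if marker:
            depth = marker.start() // 3 + 1
            rest = line[marker.end():].split()       # drop "(optional)" style annotations
            coord = parse_coordinate(rest[0]) if rest else None
        else:
            words = line.split()
            token = words[0] if words else ""
            # A bare g:a:type:version line is the root of the next module's tree.
            coord = parse_coordinate(token) if token.count(":") == 3 else None
            depth = 0
            if coord:
                module = f"{coord[0]}:{coord[1]}"
        if coord is None:
            continue
        while stack and stack[-1][0] >= depth:
            stack.pop()
        stack.append((depth, coord))
        group, artifact, version = coord
        bad = deny_list.get((group, artifact))
        # An unparseable version yields () and compares as "older", so it is flagged for review.
        if bad is not None and version_key(version) <= version_key(bad):
            path = [f"{c[1]}:{c[2]}" for _, c in stack]
            findings.append(Finding(module, f"{group}:{artifact}:{version}", path))
    return findings


def report(findings):
    lines = []
    for f in findings:
        chain = " > ".join(f.path[1:-1])
        lines.append(f"{f.module}: {f.coordinate} " + (f"via {chain}" if chain else "(direct dependency)"))
    return lines


# Constructed sample in the plugin's output format; the pre-upgrade Jaeger
# version 0.33.0 and the artifact nesting are illustrative, not taken from the PR.
SAMPLE_TREE = r"""[INFO] --- maven-dependency-plugin:3.0.2:tree (default-cli) @ hadoop-hdds-common ---
[INFO] org.apache.hadoop:hadoop-hdds-common:jar:0.5.0-SNAPSHOT
[INFO] +- io.jaegertracing:jaeger-client:jar:0.33.0:compile
[INFO] |  +- io.jaegertracing:jaeger-thrift:jar:0.33.0:compile
[INFO] |  |  \- org.apache.thrift:libthrift:jar:0.11.0:compile
[INFO] |  \- io.jaegertracing:jaeger-core:jar:0.33.0:compile
[INFO] +- org.apache.zookeeper:zookeeper:jar:3.4.13:compile
[INFO] \- org.eclipse.jetty:jetty-servlet:jar:9.3.24.v20180605:compile
[INFO]    \- org.eclipse.jetty:jetty-security:jar:9.3.24.v20180605:compile
[INFO]
[INFO] --- maven-dependency-plugin:3.0.2:tree (default-cli) @ hadoop-ozone-common ---
[INFO] org.apache.hadoop:hadoop-ozone-common:jar:0.5.0-SNAPSHOT
[INFO] +- io.jaegertracing:jaeger-client:jar:0.34.0:compile
[INFO] |  \- org.apache.thrift:libthrift:jar:0.12.0:compile
[INFO] \- org.eclipse.jetty:jetty-server:jar:9.3.24.v20180605:compile
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    for line in report(find_vulnerable(text)):
        print(line)
```

Feed it the saved output of `mvn dependency:tree` for the whole reactor, then re-run after the version bump: a property change in one pom does not guarantee that every module (or the single-jar filesystem artifacts) stops resolving the old version, and the second sample module above shows what a clean result looks like once Jaeger 0.34.0 brings Thrift 0.12.0.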