[jira] [Commented] (FLINK-8156) Bump commons-beanutils version to 1.9.3

2018-01-19 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/FLINK-8156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16332202#comment-16332202 ]

ASF GitHub Bot commented on FLINK-8156:
---

Github user asfgit closed the pull request at:

https://github.com/apache/flink/pull/5113


> Bump commons-beanutils version to 1.9.3
> ---
>
> Key: FLINK-8156
> URL: https://issues.apache.org/jira/browse/FLINK-8156
> Project: Flink
> Issue Type: Bug
> Components: Build System
> Affects Versions: 1.4.0
> Reporter: Hai Zhou UTC+8
> Assignee: Hai Zhou UTC+8
> Priority: Major
> Fix For: 1.5.0
>
>
> The commons-beanutils v1.8.0 dependency is not security compliant. See 
> [CVE-2014-0114|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114]:
> {code:java}
> Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar 
> in Apache Struts 1.x through 1.3.10 and in other products requiring 
> commons-beanutils through 1.9.2, does not suppress the class property, which 
> allows remote attackers to "manipulate" the ClassLoader and execute arbitrary 
> code via the class parameter, as demonstrated by the passing of this 
> parameter to the getClass method of the ActionForm object in Struts 1.
> {code}
> Note that the current version, commons-beanutils 1.9.2, in turn has a CVE in its 
> dependency commons-collections (CVE-2015-6420, see BEANUTILS-488), which is 
> fixed in 1.9.3.
> We should upgrade {{commons-beanutils}} from 1.8.3 to 1.9.3.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
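A defender-side check for the issue quoted above, added here as an example and not code from Flink or from the pull request: commons-beanutils 1.9.2 and 1.9.3 ship `SuppressPropertiesBeanIntrospector`, but only 1.9.4 switched it on by default, so an application that populates beans from request parameters still has to wire it in after this bump. The `SettingsForm` bean and the parameter map are constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SafeBeanPopulation {

    // Constructed sample bean standing in for a request-populated form object.
    public static class SettingsForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Builds a BeanUtilsBean whose introspector drops the "class" property.
    // The suppressor exists since 1.9.2 but is not registered by default before 1.9.4,
    // so with 1.9.3 this explicit wiring is what closes the CVE-2014-0114 precondition.
    public static BeanUtilsBean hardenedBeanUtils() {
        PropertyUtilsBean propertyUtils = new PropertyUtilsBean();
        propertyUtils.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return new BeanUtilsBean(new ConvertUtilsBean(), propertyUtils);
    }

    // Reports whether the given BeanUtilsBean still exposes "class" on the bean.
    // Use this as a startup self-check: it must return false for the instance
    // that is fed untrusted parameters.
    public static boolean exposesClassProperty(BeanUtilsBean beanUtils, Object bean) {
        return beanUtils.getPropertyUtils().isReadable(bean, "class");
    }

    public static void main(String[] args) throws Exception {
        SettingsForm form = new SettingsForm();
        // The shared default instance keeps "class" readable on 1.9.3.
        System.out.println("default exposes class:  " + exposesClassProperty(BeanUtilsBean.getInstance(), form));
        BeanUtilsBean hardened = hardenedBeanUtils();
        System.out.println("hardened exposes class: " + exposesClassProperty(hardened, form));

        // Constructed parameter map, as a form-populating request handler would receive it.
        Map<String, Object> params = new HashMap<>();
        params.put("name", "alice");
        hardened.populate(form, params);
        System.out.println("name = " + form.getName());
    }
}
```

With the suppressor registered, any "class"-prefixed key in the map is simply not a known property and is ignored by `populate`, while ordinary properties such as `name` are still set.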


[jira] [Commented] (FLINK-8156) Bump commons-beanutils version to 1.9.3

2018-01-18 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/FLINK-8156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16330807#comment-16330807 ]

ASF GitHub Bot commented on FLINK-8156:
---

Github user StephanEwen commented on the issue:

https://github.com/apache/flink/pull/5113
  
Thank you, merging this...







[jira] [Commented] (FLINK-8156) Bump commons-beanutils version to 1.9.3

2017-12-17 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/FLINK-8156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16294229#comment-16294229 ]

ASF GitHub Bot commented on FLINK-8156:
---

Github user yew1eb commented on the issue:

https://github.com/apache/flink/pull/5113
  
Thanks @StephanEwen for the suggestion. I will update the PR accordingly.







[jira] [Commented] (FLINK-8156) Bump commons-beanutils version to 1.9.3

2017-12-15 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/FLINK-8156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16293040#comment-16293040 ]

ASF GitHub Bot commented on FLINK-8156:
---

Github user StephanEwen commented on the issue:

https://github.com/apache/flink/pull/5113
  
Good change, thank you!

Given that beanutils is not used directly by Flink, but only by Hadoop 
(which we try to depend on less and less), could you move the dependency 
management entry for that to the `flink-shaded-hadoop` parent project?







[jira] [Commented] (FLINK-8156) Bump commons-beanutils version to 1.9.3

2017-12-03 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/FLINK-8156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16275883#comment-16275883 ]

ASF GitHub Bot commented on FLINK-8156:
---

Github user yew1eb commented on a diff in the pull request:

https://github.com/apache/flink/pull/5113#discussion_r154520820
  
--- Diff: pom.xml ---
@@ -367,11 +367,10 @@ under the License.
3.2.2

 
-   

commons-beanutils
-   
commons-beanutils-bean-collections
-   1.8.3
+   commons-beanutils
+   1.9.3
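Review bot: the artifactId in this dependencyManagement entry changes from commons-beanutils-bean-collections to commons-beanutils alongside the 1.8.3 to 1.9.3 bump, so the bean-collections artifact is no longer version-managed at all; if any Hadoop transitive dependency still declares commons-beanutils-bean-collections, it would now resolve to whatever version that dependency asks for instead of being pinned. Suggest adding an exclusion for the old artifactId next to the new entry and confirming with `mvn dependency:tree -Dincludes=commons-beanutils` that only commons-beanutils:1.9.3 remains in the resolved graph.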
--- End diff --

The 1.8.x releases of BeanUtils have distributed three jars:
- commons-beanutils.jar - contains everything
- commons-beanutils-core.jar - excludes Bean Collections classes
- commons-beanutils-bean-collections.jar - only Bean Collections classes

Version 1.9.0 reverts this split for reasons outlined at 
[BEANUTILS-379](http://issues.apache.org/jira/browse/BEANUTILS-379). There is 
now only one jar for the BeanUtils library.








[jira] [Commented] (FLINK-8156) Bump commons-beanutils version to 1.9.3

2017-12-03 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/FLINK-8156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16275882#comment-16275882 ]

ASF GitHub Bot commented on FLINK-8156:
---

GitHub user yew1eb opened a pull request:

https://github.com/apache/flink/pull/5113

[FLINK-8156][build] Bump commons-beanutils version to 1.9.3

## What is the purpose of the change
The commons-beanutils v1.8.0 dependency is not security compliant. See 
[CVE-2014-0114](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114):

> Apache Commons BeanUtils, as distributed in 
lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in 
other products requiring commons-beanutils through 1.9.2, does not suppress the 
class property, which allows remote attackers to "manipulate" the ClassLoader 
and execute arbitrary code via the class parameter, as demonstrated by the 
passing of this parameter to the getClass method of the ActionForm object in 
Struts 1.

The version commons-beanutils 1.9.2 in turn has a CVE in its dependency 
commons-collections 
([CVE-2015-6420](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6420), 
see [BEANUTILS-488](https://issues.apache.org/jira/browse/BEANUTILS-488)), 
which is fixed in 1.9.3.

We should upgrade commons-beanutils from 1.8.3 to 1.9.3.


## Does this pull request potentially affect one of the following parts:

  - Dependencies (does it add or upgrade a dependency): (**yes** / no)
  - The public API, i.e., is any changed class annotated with 
`@Public(Evolving)`: (yes / **no**)
  - The serializers: (yes / **no** / don't know)
  - The runtime per-record code paths (performance sensitive): (yes / 
**no** / don't know)
  - Anything that affects deployment or recovery: JobManager (and its 
components), Checkpointing, Yarn/Mesos, ZooKeeper: (yes / **no** / don't know)
  - The S3 file system connector: (yes / **no** / don't know)

## Documentation

  - Does this pull request introduce a new feature? (yes / **no**)
  - If yes, how is the feature documented? (not applicable / docs / 
JavaDocs / not documented)


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/yew1eb/flink FLINK-8156

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/flink/pull/5113.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #5113


commit 5c188bc440eed0d50654709a929633a73e35cb56
Author: yew1eb 
Date:   2017-12-03T10:49:22Z

[FLINK-8156][build] Bump commons-beanutils version to 1.9.3






