[jira] [Commented] (FLINK-8156) Bump commons-beanutils version to 1.9.3
[ https://issues.apache.org/jira/browse/FLINK-8156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16332202#comment-16332202 ]

ASF GitHub Bot commented on FLINK-8156:
---

Github user asfgit closed the pull request at:

    https://github.com/apache/flink/pull/5113

> Bump commons-beanutils version to 1.9.3
> ---
>
> Key: FLINK-8156
> URL: https://issues.apache.org/jira/browse/FLINK-8156
> Project: Flink
> Issue Type: Bug
> Components: Build System
> Affects Versions: 1.4.0
> Reporter: Hai Zhou UTC+8
> Assignee: Hai Zhou UTC+8
> Priority: Major
> Fix For: 1.5.0
>
> Commons-beanutils v1.8.0 dependency is not security compliant. See
> [CVE-2014-0114|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114]:
> {code:java}
> Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar
> in Apache Struts 1.x through 1.3.10 and in other products requiring
> commons-beanutils through 1.9.2, does not suppress the class property, which
> allows remote attackers to "manipulate" the ClassLoader and execute arbitrary
> code via the class parameter, as demonstrated by the passing of this
> parameter to the getClass method of the ActionForm object in Struts 1.
> {code}
> Note that current version commons-beanutils 1.9.2 in turn has a CVE in its
> dependency commons-collections (CVE-2015-6420, see BEANUTILS-488), which is
> fixed in 1.9.3.
> We should upgrade {{commons-beanutils}} from 1.8.3 to 1.9.3

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
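What "does not suppress the class property" in the quoted CVE text means for a caller, as an added example that is not code from the Flink project, this issue, or BeanUtils itself. It assumes commons-beanutils 1.9.3 on the classpath; UserForm (a stand-in for a Struts 1 ActionForm) and the parameter map are constructed for the demo, and the class.classLoader.foo key is a hypothetical probe, not an exploit chain. The version bump on its own does not change this behaviour: 1.9.2 and 1.9.3 ship SuppressPropertiesBeanIntrospector but do not install it by default (that became the default only in 1.9.4), so code that binds untrusted parameter names through BeanUtils has to register SUPPRESS_CLASS itself.

```java
// Added example (not Flink's or BeanUtils' code). Assumes commons-beanutils 1.9.3
// on the classpath; UserForm and the parameter map are constructed for the demo.
import java.lang.reflect.InvocationTargetException;
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyDemo {

    /** Stand-in for a Struts 1 ActionForm: a plain bean populated from request parameters. */
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Default BeanUtilsBean: how 1.8.x behaves, and how 1.9.3 still behaves unless configured. */
    public static BeanUtilsBean unhardened() {
        return new BeanUtilsBean();
    }

    /** BeanUtilsBean with the "class" pseudo-property hidden from introspection (available since 1.9.2). */
    public static BeanUtilsBean hardened() {
        BeanUtilsBean utils = new BeanUtilsBean();
        utils.getPropertyUtils().addBeanIntrospector(
                SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return utils;
    }

    /** Resolves a nested property path the same way a request parameter name is resolved. */
    public static Object resolve(BeanUtilsBean utils, Object target, String path)
            throws IllegalAccessException, InvocationTargetException, NoSuchMethodException {
        return utils.getPropertyUtils().getProperty(target, path);
    }

    public static void main(String[] args) throws Exception {
        UserForm form = new UserForm();

        // 1. Without suppression, an attacker-chosen parameter name walks from the form to its
        //    Class (via getClass) and on to the ClassLoader: the first hop of the CVE-2014-0114 chain.
        Object loader = resolve(unhardened(), form, "class.classLoader");
        System.out.println("unhardened class.classLoader -> " + loader);

        // 2. With SUPPRESS_CLASS installed, "class" is no longer a property, so the walk fails at hop one.
        try {
            resolve(hardened(), form, "class.classLoader");
            System.out.println("hardened: unexpectedly resolved");
        } catch (NoSuchMethodException e) {
            System.out.println("hardened class.classLoader -> rejected: " + e.getMessage());
        }

        // 3. populate() on the hardened instance applies the legitimate parameter and silently
        //    skips the class.* key (the nested lookup throws NoSuchMethodException, which
        //    BeanUtilsBean.setProperty treats as "no such property").
        Map<String, String> params = new LinkedHashMap<>(); // constructed "request" parameters
        params.put("name", "alice");
        params.put("class.classLoader.foo", "bar");          // hypothetical probe, not a real gadget
        hardened().populate(form, params);
        System.out.println("hardened populate -> name=" + form.getName());
    }
}
```

Run it with commons-beanutils 1.9.3 (and its commons-logging and commons-collections dependencies) on the classpath: step 1 prints the application ClassLoader, step 2 prints the rejection, and step 3 leaves name set to alice with the probe key ignored. The practical check for a consumer of Flink's Hadoop dependencies is therefore twofold: confirm with the dependency tree that no 1.8.x beanutils jar remains, and confirm that any code path which feeds user-controlled property names into BeanUtils installs the suppressor.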
[jira] [Commented] (FLINK-8156) Bump commons-beanutils version to 1.9.3
[ https://issues.apache.org/jira/browse/FLINK-8156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16330807#comment-16330807 ]

ASF GitHub Bot commented on FLINK-8156:
---

Github user StephanEwen commented on the issue:

    https://github.com/apache/flink/pull/5113

    Thank you, merging this...
[jira] [Commented] (FLINK-8156) Bump commons-beanutils version to 1.9.3
[ https://issues.apache.org/jira/browse/FLINK-8156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16294229#comment-16294229 ]

ASF GitHub Bot commented on FLINK-8156:
---

Github user yew1eb commented on the issue:

    https://github.com/apache/flink/pull/5113

    Thanks @StephanEwen for the suggestion. I will update the PR accordingly.
[jira] [Commented] (FLINK-8156) Bump commons-beanutils version to 1.9.3
[ https://issues.apache.org/jira/browse/FLINK-8156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16293040#comment-16293040 ]

ASF GitHub Bot commented on FLINK-8156:
---

Github user StephanEwen commented on the issue:

    https://github.com/apache/flink/pull/5113

    Good change, thank you!

    Given that beanutils is not used directly by Flink, but only by Hadoop (which we try to depend on less and less), could you move the dependency management entry for that to the `flink-shaded-hadoop` parent project?
[jira] [Commented] (FLINK-8156) Bump commons-beanutils version to 1.9.3
[ https://issues.apache.org/jira/browse/FLINK-8156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16275883#comment-16275883 ]

ASF GitHub Bot commented on FLINK-8156:
---

Github user yew1eb commented on a diff in the pull request:

    https://github.com/apache/flink/pull/5113#discussion_r154520820

    --- Diff: pom.xml ---
@@ -367,11 +367,10 @@ under the License. 3.2.2 - commons-beanutils - commons-beanutils-bean-collections - 1.8.3 + commons-beanutils + 1.9.3 --- End diff --

    The 1.8.x releases of BeanUtils have distributed three jars:

    - commons-beanutils.jar - contains everything
    - commons-beanutils-core.jar - excludes Bean Collections classes
    - commons-beanutils-bean-collections.jar - only Bean Collections classes

    Version 1.9.0 reverts this split for reasons outlined at [BEANUTILS-379](http://issues.apache.org/jira/browse/BEANUTILS-379). There is now only one jar for the BeanUtils library.
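Review bot: the managed artifactId changes from commons-beanutils-bean-collections to commons-beanutils, so after this hunk nothing in dependencyManagement pins the other 1.8.x artifactIds named in the comment above (commons-beanutils-core, commons-beanutils-bean-collections); if Hadoop, the only consumer of beanutils here, still pulls one of them transitively, a 1.8.x jar lands on the classpath next to the 1.9.3 one and the CVE-2014-0114 bump is only partial. Before merging, run `mvn dependency:tree -Dincludes=commons-beanutils` on the Hadoop-dependent modules and either add exclusions for the leftover 1.8.x artifacts or manage them to 1.9.3 as well; the hunk header `@@ -367,11 +367,10 @@` confirms only one artifactId line is removed, nothing is excluded.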
[jira] [Commented] (FLINK-8156) Bump commons-beanutils version to 1.9.3
[ https://issues.apache.org/jira/browse/FLINK-8156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16275882#comment-16275882 ]

ASF GitHub Bot commented on FLINK-8156:
---

GitHub user yew1eb opened a pull request:

    https://github.com/apache/flink/pull/5113

    [FLINK-8156][build] Bump commons-beanutils version to 1.9.3

    ## What is the purpose of the change

    Commons-beanutils v1.8.0 dependency is not security compliant. See [CVE-2014-0114](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114)

    > Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

    the version commons-beanutils 1.9.2 in turn has a CVE in its dependency commons-collections ([CVE-2015-6420](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6420), see [BEANUTILS-488](https://issues.apache.org/jira/browse/BEANUTILS-488)), which is fixed in 1.9.3.

    We should upgrade commons-beanutils from 1.8.3 to 1.9.3.

    ## Does this pull request potentially affect one of the following parts:

    - Dependencies (does it add or upgrade a dependency): (**yes** / no)
    - The public API, i.e., is any changed class annotated with `@Public(Evolving)`: (yes / **no**)
    - The serializers: (yes / **no** / don't know)
    - The runtime per-record code paths (performance sensitive): (yes / **no** / don't know)
    - Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Yarn/Mesos, ZooKeeper: (yes / **no** / don't know)
    - The S3 file system connector: (yes / **no** / don't know)

    ## Documentation

    - Does this pull request introduce a new feature? (yes / **no**)
    - If yes, how is the feature documented? (not applicable / docs / JavaDocs / not documented)

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/yew1eb/flink FLINK-8156

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/flink/pull/5113.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #5113

----
commit 5c188bc440eed0d50654709a929633a73e35cb56
Author: yew1eb
Date:   2017-12-03T10:49:22Z

    [FLINK-8156][build] Bump commons-beanutils version to 1.9.3