[jira] [Commented] (HADOOP-18492) upgrade commons-text to 1.10.0

[ https://issues.apache.org/jira/browse/HADOOP-18492?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17616477#comment-17616477 ] PJ Fanning commented on HADOOP-18492: - [~groot] I already have

[jira] [Updated] (HADOOP-18492) upgrade commons-text to 1.10.0

[ https://issues.apache.org/jira/browse/HADOOP-18492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] PJ Fanning updated HADOOP-18492: Description: Extends HADOOP-18341

[jira] [Updated] (HADOOP-18492) upgrade commons-text to 1.10.0

[ https://issues.apache.org/jira/browse/HADOOP-18492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] PJ Fanning updated HADOOP-18492: Description: Extends HADOOP-18341

[jira] [Created] (HADOOP-18493) uptake jackson-databind 2.12.7.1 due to CVE fixes

PJ Fanning created HADOOP-18493: --- Summary: uptake jackson-databind 2.12.7.1 due to CVE fixes Key: HADOOP-18493 URL: https://issues.apache.org/jira/browse/HADOOP-18493 Project: Hadoop Common

[jira] [Created] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

PJ Fanning created HADOOP-18496: --- Summary: upgrade kotlin-stdlib due to CVEs Key: HADOOP-18496 URL: https://issues.apache.org/jira/browse/HADOOP-18496 Project: Hadoop Common Issue Type:

[jira] [Created] (HADOOP-18484) upgrade hsqldb to v2.7.1 due to CVE

PJ Fanning created HADOOP-18484: --- Summary: upgrade hsqldb to v2.7.1 due to CVE Key: HADOOP-18484 URL: https://issues.apache.org/jira/browse/HADOOP-18484 Project: Hadoop Common Issue Type:

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17617623#comment-17617623 ] PJ Fanning commented on HADOOP-18496: - [~ste...@apache.org] looks like the kotlin dependencies were

[jira] [Commented] (HADOOP-18575) Make XML transformer factory more lenient

[ https://issues.apache.org/jira/browse/HADOOP-18575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17651383#comment-17651383 ] PJ Fanning commented on HADOOP-18575: - [~ste...@apache.org] in terms of performance concerns, would

[jira] [Commented] (HADOOP-18575) Make XML transformer factory more lenient

[ https://issues.apache.org/jira/browse/HADOOP-18575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17651325#comment-17651325 ] PJ Fanning commented on HADOOP-18575: - I guess that could be done. I might have time tonight to do

[jira] [Commented] (HADOOP-18342) Upgrade to Avro 1.11.1

[ https://issues.apache.org/jira/browse/HADOOP-18342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17652406#comment-17652406 ] PJ Fanning commented on HADOOP-18342: - The hadoop-thirdparty jar has not been released to Maven

[jira] [Updated] (HADOOP-18587) upgrade to jettison 1.5.2 due to security issue

[ https://issues.apache.org/jira/browse/HADOOP-18587?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] PJ Fanning updated HADOOP-18587: Description: [https://github.com/advisories/GHSA-x27m-9w8j-5vcw]  

[jira] [Created] (HADOOP-18587) upgrade to jettison 1.5.2 due to security issue

PJ Fanning created HADOOP-18587: --- Summary: upgrade to jettison 1.5.2 due to security issue Key: HADOOP-18587 URL: https://issues.apache.org/jira/browse/HADOOP-18587 Project: Hadoop Common

[jira] [Created] (HADOOP-18575) make transformer factory creation more lenient

PJ Fanning created HADOOP-18575: --- Summary: make transformer factory creation more lenient Key: HADOOP-18575 URL: https://issues.apache.org/jira/browse/HADOOP-18575 Project: Hadoop Common Issue

[jira] [Commented] (HADOOP-18469) Add XMLUtils methods to centralise code that creates secure XML parsers

[ https://issues.apache.org/jira/browse/HADOOP-18469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17647565#comment-17647565 ] PJ Fanning commented on HADOOP-18469: - In Apache POI, they use a best effort approach with setting

[jira] [Commented] (HADOOP-18469) Add XMLUtils methods to centralise code that creates secure XML parsers

[ https://issues.apache.org/jira/browse/HADOOP-18469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17647590#comment-17647590 ] PJ Fanning commented on HADOOP-18469: - I raised [https://github.com/apache/hadoop/pull/5224] - I

[jira] [Commented] (HADOOP-18575) make transformer factory creation more lenient

[ https://issues.apache.org/jira/browse/HADOOP-18575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17647667#comment-17647667 ] PJ Fanning commented on HADOOP-18575: - https://github.com/apache/hadoop/pull/5224 > make

[jira] [Commented] (HADOOP-17563) Update Bouncy Castle to 1.68 or later

[ https://issues.apache.org/jira/browse/HADOOP-17563?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17643063#comment-17643063 ] PJ Fanning commented on HADOOP-17563: - This class is in bcprov-jdk15on-1.60.jar and 

[jira] [Commented] (HADOOP-18587) upgrade to jettison 1.5.3 due to security issue

[ https://issues.apache.org/jira/browse/HADOOP-18587?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17677381#comment-17677381 ] PJ Fanning commented on HADOOP-18587: - Would be nice to get it into 3.3.5 rc but if you are in the

[jira] [Created] (HADOOP-18658) snakeyaml dependency: upgrade to v2.0

PJ Fanning created HADOOP-18658: --- Summary: snakeyaml dependency: upgrade to v2.0 Key: HADOOP-18658 URL: https://issues.apache.org/jira/browse/HADOOP-18658 Project: Hadoop Common Issue Type:

[jira] [Resolved] (HADOOP-18719) upgrade snakeyaml to 2.0 (fixes CVE-2022-1471)

[ https://issues.apache.org/jira/browse/HADOOP-18719?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] PJ Fanning resolved HADOOP-18719. - Resolution: Duplicate > upgrade snakeyaml to 2.0 (fixes CVE-2022-1471) >

[jira] [Created] (HADOOP-18719) upgrade snakeyaml to 2.0 (fixes CVE-2022-1471)

PJ Fanning created HADOOP-18719: --- Summary: upgrade snakeyaml to 2.0 (fixes CVE-2022-1471) Key: HADOOP-18719 URL: https://issues.apache.org/jira/browse/HADOOP-18719 Project: Hadoop Common Issue

[jira] [Created] (HADOOP-18711) upgrade nimbus jwt jar due to issues in its embedded shaded json-smart code

PJ Fanning created HADOOP-18711: --- Summary: upgrade nimbus jwt jar due to issues in its embedded shaded json-smart code Key: HADOOP-18711 URL: https://issues.apache.org/jira/browse/HADOOP-18711 Project:

[jira] [Created] (HADOOP-18712) upgrade to jetty 9.4.51 due to cve

PJ Fanning created HADOOP-18712: --- Summary: upgrade to jetty 9.4.51 due to cve Key: HADOOP-18712 URL: https://issues.apache.org/jira/browse/HADOOP-18712 Project: Hadoop Common Issue Type: Task

[jira] [Updated] (HADOOP-18693) upgrade Apache Derby due to CVEs

[ https://issues.apache.org/jira/browse/HADOOP-18693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] PJ Fanning updated HADOOP-18693: Description: [https://github.com/advisories/GHSA-wr69-g62g-2r9h]

[jira] [Created] (HADOOP-18693) upgrade Apache Derby due to CVEs

PJ Fanning created HADOOP-18693: --- Summary: upgrade Apache Derby due to CVEs Key: HADOOP-18693 URL: https://issues.apache.org/jira/browse/HADOOP-18693 Project: Hadoop Common Issue Type: Task

[jira] [Updated] (HADOOP-18693) upgrade Apache Derby due to CVEs

[ https://issues.apache.org/jira/browse/HADOOP-18693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] PJ Fanning updated HADOOP-18693: Description: [https://github.com/advisories/GHSA-wr69-g62g-2r9h]

[jira] [Created] (HADOOP-18619) replace jsr311-api dependency with rs-api

PJ Fanning created HADOOP-18619: --- Summary: replace jsr311-api dependency with rs-api Key: HADOOP-18619 URL: https://issues.apache.org/jira/browse/HADOOP-18619 Project: Hadoop Common Issue

[jira] [Commented] (HADOOP-18619) replace jsr311-api dependency with rs-api

[ https://issues.apache.org/jira/browse/HADOOP-18619?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17685255#comment-17685255 ] PJ Fanning commented on HADOOP-18619: - When 3.3.5 is released, jersey-json dependency will be

[jira] [Commented] (HADOOP-18619) replace jsr311-api dependency with rs-api

[ https://issues.apache.org/jira/browse/HADOOP-18619?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17687023#comment-17687023 ] PJ Fanning commented on HADOOP-18619: - I haven't tried playing with jersey-core too much yet. I

[jira] [Comment Edited] (HADOOP-18619) replace jsr311-api dependency with rs-api

[ https://issues.apache.org/jira/browse/HADOOP-18619?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17687023#comment-17687023 ] PJ Fanning edited comment on HADOOP-18619 at 2/10/23 10:51 AM: --- I haven't

[jira] [Commented] (HADOOP-18619) replace jsr311-api dependency with rs-api

[ https://issues.apache.org/jira/browse/HADOOP-18619?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17687104#comment-17687104 ] PJ Fanning commented on HADOOP-18619: - I had a quick look and getting jersey-core to work with

[jira] [Comment Edited] (HADOOP-18619) replace jsr311-api dependency with rs-api

[ https://issues.apache.org/jira/browse/HADOOP-18619?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17687104#comment-17687104 ] PJ Fanning edited comment on HADOOP-18619 at 2/10/23 2:54 PM: -- I had a

[jira] [Comment Edited] (HADOOP-18619) replace jsr311-api dependency with rs-api

[ https://issues.apache.org/jira/browse/HADOOP-18619?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17687104#comment-17687104 ] PJ Fanning edited comment on HADOOP-18619 at 2/10/23 5:40 PM: -- I had a

[jira] [Commented] (HADOOP-18033) Upgrade fasterxml Jackson to 2.13.0

[ https://issues.apache.org/jira/browse/HADOOP-18033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17731654#comment-17731654 ] PJ Fanning commented on HADOOP-18033: - We're stuck on Jackson 2.12 because of jersey v1. Jackson

[jira] [Comment Edited] (HADOOP-18033) Upgrade fasterxml Jackson to 2.13.0

[ https://issues.apache.org/jira/browse/HADOOP-18033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17731654#comment-17731654 ] PJ Fanning edited comment on HADOOP-18033 at 6/12/23 3:14 PM: -- We're stuck

[jira] [Created] (HADOOP-18783) upgrade netty to 4.1.94 due to CVE

PJ Fanning created HADOOP-18783: --- Summary: upgrade netty to 4.1.94 due to CVE Key: HADOOP-18783 URL: https://issues.apache.org/jira/browse/HADOOP-18783 Project: Hadoop Common Issue Type: Task

[jira] [Created] (HADOOP-18782) upgrade to snappy-java 1.1.10.1 due to CVEs

PJ Fanning created HADOOP-18782: --- Summary: upgrade to snappy-java 1.1.10.1 due to CVEs Key: HADOOP-18782 URL: https://issues.apache.org/jira/browse/HADOOP-18782 Project: Hadoop Common Issue

[jira] [Commented] (HADOOP-15984) Update jersey from 1.19 to 2.x

[ https://issues.apache.org/jira/browse/HADOOP-15984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17817480#comment-17817480 ] PJ Fanning commented on HADOOP-15984: - the jersey dependencies should only be exposed on the small

[jira] [Commented] (HADOOP-15984) Update jersey from 1.19 to 2.x

[ https://issues.apache.org/jira/browse/HADOOP-15984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17817492#comment-17817492 ] PJ Fanning commented on HADOOP-15984: - I don't understand why, for instance, hadoop-common exposes

[jira] [Commented] (HADOOP-15984) Update jersey from 1.19 to 2.x

[ https://issues.apache.org/jira/browse/HADOOP-15984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17817496#comment-17817496 ] PJ Fanning commented on HADOOP-15984: - It does look like we have some client side Jersey code too.

[jira] [Created] (HADOOP-19076) move jersey code in hadoop-common jar to a new hadoop-jersey1-common jar

PJ Fanning created HADOOP-19076: --- Summary: move jersey code in hadoop-common jar to a new hadoop-jersey1-common jar Key: HADOOP-19076 URL: https://issues.apache.org/jira/browse/HADOOP-19076 Project:

[jira] [Created] (HADOOP-19077) remove use of javax.ws.rs.core.HttpHeaders

PJ Fanning created HADOOP-19077: --- Summary: remove use of javax.ws.rs.core.HttpHeaders Key: HADOOP-19077 URL: https://issues.apache.org/jira/browse/HADOOP-19077 Project: Hadoop Common Issue

[jira] [Commented] (HADOOP-19076) move jersey code in hadoop-common jar to a new hadoop-jersey1-common jar

[ https://issues.apache.org/jira/browse/HADOOP-19076?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17817696#comment-17817696 ] PJ Fanning commented on HADOOP-19076: - Thanks [~slfan1989] for the background on Jersey 3. What do

[jira] [Updated] (HADOOP-19076) move jersey code in hadoop-common jar to a new hadoop-jersey1-common jar

[ https://issues.apache.org/jira/browse/HADOOP-19076?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] PJ Fanning updated HADOOP-19076: Description: Hadoop's Jersey dependencies are causing us real trouble. I'm wondering if it

[jira] [Commented] (HADOOP-19076) move jersey code in hadoop-common jar to a new hadoop-jersey1-common jar

[ https://issues.apache.org/jira/browse/HADOOP-19076?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17817730#comment-17817730 ] PJ Fanning commented on HADOOP-19076: - Thanks [~ste...@apache.org], the idea would be to have 1 jar

[jira] [Created] (HADOOP-19078) reduce use of javax.ws.rs.core.MediaType

PJ Fanning created HADOOP-19078: --- Summary: reduce use of javax.ws.rs.core.MediaType Key: HADOOP-19078 URL: https://issues.apache.org/jira/browse/HADOOP-19078 Project: Hadoop Common Issue Type:

[jira] [Commented] (HADOOP-15984) Update jersey from 1.19 to 2.x

[ https://issues.apache.org/jira/browse/HADOOP-15984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17816897#comment-17816897 ] PJ Fanning commented on HADOOP-15984: - Jersey 1 uses jsr311 jar and Jersey2 uses rs-api jar. These

[jira] [Updated] (HADOOP-19081) move ssh/sftp code out of hadoop-common into a dedicated jar

[ https://issues.apache.org/jira/browse/HADOOP-19081?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] PJ Fanning updated HADOOP-19081: Description: We could call it hadoop-ssh-common. This code is only used in 1 or 2 other places

[jira] [Created] (HADOOP-19081) move ssh/sftp code out of hadoop-common into a dedicated jar

PJ Fanning created HADOOP-19081: --- Summary: move ssh/sftp code out of hadoop-common into a dedicated jar Key: HADOOP-19081 URL: https://issues.apache.org/jira/browse/HADOOP-19081 Project: Hadoop Common

[jira] [Updated] (HADOOP-19079) check that class that is loaded is really an exception

[ https://issues.apache.org/jira/browse/HADOOP-19079?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] PJ Fanning updated HADOOP-19079: Description: It can be dangerous taking class names as inputs from HTTP messages even if we

[jira] [Created] (HADOOP-19079) check that class that is loaded is really an exception

PJ Fanning created HADOOP-19079: --- Summary: check that class that is loaded is really an exception Key: HADOOP-19079 URL: https://issues.apache.org/jira/browse/HADOOP-19079 Project: Hadoop Common

[jira] [Created] (HADOOP-19024) change to bouncy castle jdk1.8 jars

PJ Fanning created HADOOP-19024: --- Summary: change to bouncy castle jdk1.8 jars Key: HADOOP-19024 URL: https://issues.apache.org/jira/browse/HADOOP-19024 Project: Hadoop Common Issue Type: Task

[jira] [Created] (HADOOP-19041) further use of StandardCharsets

PJ Fanning created HADOOP-19041: --- Summary: further use of StandardCharsets Key: HADOOP-19041 URL: https://issues.apache.org/jira/browse/HADOOP-19041 Project: Hadoop Common Issue Type: Task

[jira] [Commented] (HADOOP-18895) upgrade to commons-compress 1.24.0 due to CVE

[ https://issues.apache.org/jira/browse/HADOOP-18895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17807140#comment-17807140 ] PJ Fanning commented on HADOOP-18895: - [~slfan1989] this was not reverted - it is still fixed in

[jira] [Created] (HADOOP-19014) use jsr311-compat jar to allow us to use Jackson 2.14.3

PJ Fanning created HADOOP-19014: --- Summary: use jsr311-compat jar to allow us to use Jackson 2.14.3 Key: HADOOP-19014 URL: https://issues.apache.org/jira/browse/HADOOP-19014 Project: Hadoop Common

[jira] [Created] (HADOOP-19154) upgrade bouncy castle to 1.78.1 due to CVEs

PJ Fanning created HADOOP-19154: --- Summary: upgrade bouncy castle to 1.78.1 due to CVEs Key: HADOOP-19154 URL: https://issues.apache.org/jira/browse/HADOOP-19154 Project: Hadoop Common Issue

[jira] [Created] (HADOOP-19114) upgrade to commons-compress 1.26.1 due to cves

PJ Fanning created HADOOP-19114: --- Summary: upgrade to commons-compress 1.26.1 due to cves Key: HADOOP-19114 URL: https://issues.apache.org/jira/browse/HADOOP-19114 Project: Hadoop Common Issue

[jira] [Created] (HADOOP-19116) update to zookeeper client 3.8.4 due to CVE

PJ Fanning created HADOOP-19116: --- Summary: update to zookeeper client 3.8.4 due to CVE Key: HADOOP-19116 URL: https://issues.apache.org/jira/browse/HADOOP-19116 Project: Hadoop Common Issue

[jira] [Created] (HADOOP-19115) upgrade to nimbus-jose-jwt 9.37.2 due to CVE

PJ Fanning created HADOOP-19115: --- Summary: upgrade to nimbus-jose-jwt 9.37.2 due to CVE Key: HADOOP-19115 URL: https://issues.apache.org/jira/browse/HADOOP-19115 Project: Hadoop Common Issue

[jira] [Commented] (HADOOP-19116) update to zookeeper client 3.8.4 due to CVE-2024-23944

[ https://issues.apache.org/jira/browse/HADOOP-19116?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17830731#comment-17830731 ] PJ Fanning commented on HADOOP-19116: - [~ste...@apache.org] I created

[jira] [Created] (HADOOP-19134) use StringBuilder instead of StringBuffer

PJ Fanning created HADOOP-19134: --- Summary: use StringBuilder instead of StringBuffer Key: HADOOP-19134 URL: https://issues.apache.org/jira/browse/HADOOP-19134 Project: Hadoop Common Issue

[jira] [Created] (HADOOP-19123) update commons-configuration2 to 2.10.1 due to CVE

PJ Fanning created HADOOP-19123: --- Summary: update commons-configuration2 to 2.10.1 due to CVE Key: HADOOP-19123 URL: https://issues.apache.org/jira/browse/HADOOP-19123 Project: Hadoop Common

[jira] [Created] (HADOOP-19088) upgrade to jersey-json 1.22.0

PJ Fanning created HADOOP-19088: --- Summary: upgrade to jersey-json 1.22.0 Key: HADOOP-19088 URL: https://issues.apache.org/jira/browse/HADOOP-19088 Project: Hadoop Common Issue Type: Bug

[jira] [Created] (HADOOP-19090) Update Protocol Buffers installation to 3.23.4

PJ Fanning created HADOOP-19090: --- Summary: Update Protocol Buffers installation to 3.23.4 Key: HADOOP-19090 URL: https://issues.apache.org/jira/browse/HADOOP-19090 Project: Hadoop Common Issue

[jira] [Commented] (HADOOP-18197) Update protobuf 3.7.1 to a version without CVE-2021-22569

[ https://issues.apache.org/jira/browse/HADOOP-18197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821186#comment-17821186 ] PJ Fanning commented on HADOOP-18197: - I have https://github.com/apache/hadoop-thirdparty/pull/34

[jira] [Commented] (HADOOP-19090) Update Protocol Buffers installation to 3.23.4

[ https://issues.apache.org/jira/browse/HADOOP-19090?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17822242#comment-17822242 ] PJ Fanning commented on HADOOP-19090: - I think we'll need a new release to avoid that bytebuffer

[jira] [Commented] (HADOOP-18197) Update protobuf 3.7.1 to a version without CVE-2021-22569

[ https://issues.apache.org/jira/browse/HADOOP-18197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17820707#comment-17820707 ] PJ Fanning commented on HADOOP-18197: - The fix only seems to be in protobuf-java 3.23 and above -

<    1   2