beam-commits mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Work logged] (BEAM-3873) Current version of commons-compress is DOS vulnerable CVE-2018-1324
Date Wed, 21 Mar 2018 21:45:00 GMT

    [ https://issues.apache.org/jira/browse/BEAM-3873?focusedWorklogId=82941&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-82941 ]

ASF GitHub Bot logged work on BEAM-3873:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 21/Mar/18 21:44
            Start Date: 21/Mar/18 21:44
    Worklog Time Spent: 10m 
      Work Description: lukecwik closed pull request #4889: [BEAM-3873] Current version of commons-compress is DOS vulnerable CVE-2018-1324
URL: https://github.com/apache/beam/pull/4889
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/build.gradle b/build.gradle
index a2b77c1d630..4bdba0e275e 100644
--- a/build.gradle
+++ b/build.gradle
@@ -67,7 +67,7 @@ ext.library = [
     bigtable_client_core: "com.google.cloud.bigtable:bigtable-client-core:$bigtable_version",
     bigtable_protos: "com.google.cloud.bigtable:bigtable-protos:$bigtable_proto_version",
     byte_buddy: "net.bytebuddy:byte-buddy:1.7.10",
-    commons_compress: "org.apache.commons:commons-compress:1.14",
+    commons_compress: "org.apache.commons:commons-compress:1.16.1",
     commons_csv: "org.apache.commons:commons-csv:1.4",
     commons_io_1x: "commons-io:commons-io:1.3.2",
     commons_io_2x: "commons-io:commons-io:2.5",
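Review bot: the 1.14 -> 1.16.1 bump is consistent with the fix for CVE-2018-1324 (the crafted-ZIP infinite loop in the extra-field parser used by ZipFile / ZipArchiveInputStream, affecting 1.11 through 1.15), but the `ext.library` pin here is only one of two declarations of the version (pom.xml carries `apache.commons.compress.version`), so keep the two in lock-step and, after the bump, confirm that nothing still resolves the old artifact transitively, e.g. `./gradlew dependencies --configuration runtimeClasspath | grep commons-compress` and `mvn dependency:tree -Dincludes=org.apache.commons:commons-compress`; a shaded or transitive 1.14 would leave the ZIP parsing path unpatched.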
@@ -156,7 +156,7 @@ ext.library = [
     maven_exec_plugin: "maven-plugins:maven-exec-plugin:1.6.0",
     maven_jar_plugin: "maven-plugins:maven-jar-plugin:3.0.2",
     maven_shade_plugin: "maven-plugins:maven-shade-plugin:3.1.0",
-    maven_surefire_plugin: "maven-plugins:maven-surefire-plugin:2.20.1",
+    maven_surefire_plugin: "maven-plugins:maven-surefire-plugin:2.21.0",
   ],
 ]
 
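Review bot: the maven_surefire_plugin bump 2.20.1 -> 2.21.0 is not mentioned in the PR title or in the BEAM-3873 description and has no connection to the CVE; either split it into its own change or state in the PR why it rides along (for instance if a test-runner bump is needed to get the suite green on the new commons-compress), so that anyone bisecting a test-runner regression later does not land on a security fix.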
diff --git a/pom.xml b/pom.xml
index 9573a07767f..1f8545a5fe0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -102,7 +102,7 @@
     <beamSurefireArgline />
 
     <!-- If updating dependencies, please update any relevant javadoc offlineLinks -->
-    <apache.commons.compress.version>1.14</apache.commons.compress.version>
+    <apache.commons.compress.version>1.16.1</apache.commons.compress.version>
     <apache.commons.lang.version>3.6</apache.commons.lang.version>
     <apache.commons.text.version>1.1</apache.commons.text.version>
     <apex.kryo.version>2.24.0</apex.kryo.version>
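Review bot: the comment directly above the changed line asks that any relevant javadoc offlineLinks be updated when a dependency version changes, but no offlineLinks hunk appears anywhere in this diff; either update the commons-compress offlineLinks entry in the same PR or note explicitly that there is none for this artifact.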
@@ -163,8 +163,8 @@
     <os-maven-plugin.version>1.5.0.Final</os-maven-plugin.version>
     <groovy-maven-plugin.version>2.0</groovy-maven-plugin.version>
     <license-maven-plugin.version>1.14</license-maven-plugin.version>
-    <maven-surefire-plugin.version>2.20.1</maven-surefire-plugin.version>
-    <maven-failsafe-plugin.version>2.20.1</maven-failsafe-plugin.version>
+    <maven-surefire-plugin.version>2.21.0</maven-surefire-plugin.version>
+    <maven-failsafe-plugin.version>2.21.0</maven-failsafe-plugin.version>
     <maven-compiler-plugin.version>3.7.0</maven-compiler-plugin.version>
     <maven-dependency-plugin.version>3.0.2</maven-dependency-plugin.version>
     <maven-enforcer-plugin.version>3.0.0-M1</maven-enforcer-plugin.version>
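Review bot: same concern as for the build.gradle surefire bump: maven-surefire-plugin and maven-failsafe-plugin 2.20.1 -> 2.21.0 are unrelated to CVE-2018-1324 and undocumented in the PR, so the PR description should at least say why they are here. Keeping surefire and failsafe at the same version is the right call.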
@@ -1442,13 +1442,6 @@
         <scope>test</scope>
       </dependency>
 
-      <dependency>
-        <groupId>junit</groupId>
-        <artifactId>junit</artifactId>
-        <version>${junit.version}</version>
-        <scope>test</scope>
-      </dependency>
-
       <dependency>
         <groupId>org.slf4j</groupId>
         <artifactId>slf4j-jdk14</artifactId>
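Review bot: dropping the `junit` entry from <dependencyManagement> is unrelated to the CVE and is not explained; any module that declares `junit:junit` without an explicit <version> relied on this entry, so either show that junit is managed elsewhere (for example via an imported BOM) or keep the entry. If this hunk is an artifact of a stale fork branch, the diff shown here is not the real change and the PR should be rebased before merging under a security-fix title.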
@@ -1456,13 +1449,6 @@
         <scope>test</scope>
       </dependency>
 
-      <dependency>
-        <groupId>com.google.guava</groupId>
-        <artifactId>guava-testlib</artifactId>
-        <version>${guava.version}</version>
-        <scope>test</scope>
-      </dependency>
-
       <dependency>
         <groupId>org.mockito</groupId>
         <artifactId>mockito-core</artifactId>
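Review bot: same point for `guava-testlib`: removing the managed version (`${guava.version}`) silently breaks any module that declares the artifact without a version, and nothing in BEAM-3873 motivates it. Confirm that no module still depends on it, or that the version is managed elsewhere, before letting it ride along with a dependency security bump.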
diff --git a/runners/java-fn-execution/pom.xml b/runners/java-fn-execution/pom.xml
index e7739591d51..dd82908a2f6 100644
--- a/runners/java-fn-execution/pom.xml
+++ b/runners/java-fn-execution/pom.xml
@@ -63,11 +63,6 @@
       <artifactId>beam-sdks-java-core</artifactId>
     </dependency>
 
-    <dependency>
-      <groupId>org.apache.beam</groupId>
-      <artifactId>beam-runners-core-construction-java</artifactId>
-    </dependency>
-
     <dependency>
       <groupId>io.grpc</groupId>
       <artifactId>grpc-core</artifactId>
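Review bot: removing the `beam-runners-core-construction-java` dependency from runners/java-fn-execution is a build-graph change unrelated to the commons-compress bump; if the module genuinely no longer references that artifact the removal is fine, but it belongs in a separate commit with its own justification, and the module build should be verified so that those classes are not still reached transitively by accident.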
diff --git a/sdks/java/io/google-cloud-platform/src/main/java/org/apache/beam/sdk/io/gcp/testing/package-info.java
b/sdks/java/io/google-cloud-platform/src/test/java/org/apache/beam/sdk/io/gcp/testing/package-info.java
similarity index 100%
rename from sdks/java/io/google-cloud-platform/src/main/java/org/apache/beam/sdk/io/gcp/testing/package-info.java
rename to sdks/java/io/google-cloud-platform/src/test/java/org/apache/beam/sdk/io/gcp/testing/package-info.java
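Review bot: the 100% rename of `testing/package-info.java` from src/main to src/test in the google-cloud-platform IO module is also unrelated to the CVE; it is a harmless documentation move only if the classes of the `testing` package already live under src/test, so state that in the PR. More generally, the commit title should list these ride-along changes rather than presenting the whole diff as the CVE-2018-1324 fix.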
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 82941)
    Time Spent: 2h 50m  (was: 2h 40m)

> Current version of commons-compress is DOS vulnerable CVE-2018-1324
> -------------------------------------------------------------------
>
>                 Key: BEAM-3873
>                 URL: https://issues.apache.org/jira/browse/BEAM-3873
>             Project: Beam
>          Issue Type: Bug
>          Components: build-system, sdk-java-core
>    Affects Versions: 2.3.0, 2.4.0
>            Reporter: Ismaël Mejía
>            Assignee: Ismaël Mejía
>            Priority: Major
>          Time Spent: 2h 50m
>  Remaining Estimate: 0h
>
> The commons-compress version of the library used by Beam has a security vulnerability. For more details see [CVE-2018-1324|https://www.cvedetails.com/cve/CVE-2018-1324/]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
