ignite-dev mailing list archives

From Ivan Rakov <ivan.glu...@gmail.com>
Subject Re: Apache Ignite 2.8 RELEASE [Time, Scope, Manager]
Date Thu, 09 Jan 2020 13:38:15 GMT
Maxim M. and anyone who is interested,

I suggest including this fix in the 2.8 release:
https://issues.apache.org/jira/browse/IGNITE-12225
Basically, it's a result of the following discussion:
http://apache-ignite-developers.2346864.n4.nabble.com/DISCUSSION-Single-point-in-API-for-changing-cluster-state-td43665.html

The fix affects the public API: IgniteCluster#readOnly methods that work with
boolean are replaced with ones that work with an enum.
If we include it, we won't be obliged to keep the deprecated boolean version of
the API in the code (which is currently present in the 2.8 branch), as it wasn't
published in any release.

On Tue, Dec 31, 2019 at 3:54 PM Ilya Kasnacheev <ilya.kasnacheev@gmail.com>
wrote:

> Hello!
>
> I have run the dependency checker plugin and quote the following:
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-urideploy:
> One or more dependencies were identified with known vulnerabilities in
> ignite-spring:
> One or more dependencies were identified with known vulnerabilities in
> ignite-spring-data:
> One or more dependencies were identified with known vulnerabilities in
> ignite-aop:
> One or more dependencies were identified with known vulnerabilities in
> ignite-visor-console:
>
> spring-core-4.3.18.RELEASE.jar
> (pkg:maven/org.springframework/spring-core@4.3.18.RELEASE,
> cpe:2.3:a:pivotal_software:spring_framework:4.3.18.release:*:*:*:*:*:*:*,
> cpe:2.3:a:springsource:spring_framework:4.3.18.release:*:*:*:*:*:*:*,
> cpe:2.3:a:vmware:springsource_spring_framework:4.3.18:*:*:*:*:*:*:*) :
> CVE-2018-15756
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-spring-data_2.0:
>
> spring-core-5.0.8.RELEASE.jar
> (pkg:maven/org.springframework/spring-core@5.0.8.RELEASE,
> cpe:2.3:a:pivotal_software:spring_framework:5.0.8.release:*:*:*:*:*:*:*,
> cpe:2.3:a:springsource:spring_framework:5.0.8.release:*:*:*:*:*:*:*,
> cpe:2.3:a:vmware:springsource_spring_framework:5.0.8:*:*:*:*:*:*:*) :
> CVE-2018-15756
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-rest-http:
>
> jetty-server-9.4.11.v20180605.jar
> (pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605,
> cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*,
> cpe:2.3:a:jetty:jetty:9.4.11.v20180605:*:*:*:*:*:*:*,
> cpe:2.3:a:mortbay_jetty:jetty:9.4.11:20180605:*:*:*:*:*:*) :
> CVE-2018-12545, CVE-2019-10241, CVE-2019-10247
> jackson-databind-2.9.6.jar
> (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6,
> cpe:2.3:a:fasterxml:jackson:2.9.6:*:*:*:*:*:*:*,
> cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) :
> CVE-2018-1000873, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720,
> CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362,
> CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379,
> CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942,
> CVE-2019-16943, CVE-2019-17267, CVE-2019-17531
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-kubernetes:
> One or more dependencies were identified with known vulnerabilities in
> ignite-aws:
>
> jackson-databind-2.9.6.jar
> (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6,
> cpe:2.3:a:fasterxml:jackson:2.9.6:*:*:*:*:*:*:*,
> cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) :
> CVE-2018-1000873, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720,
> CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362,
> CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379,
> CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942,
> CVE-2019-16943, CVE-2019-17267, CVE-2019-17531
> bcprov-ext-jdk15on-1.54.jar
> (pkg:maven/org.bouncycastle/bcprov-ext-jdk15on@1.54) : CVE-2015-6644,
> CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, CVE-2016-1000341,
> CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345,
> CVE-2016-1000346, CVE-2016-1000352, CVE-2016-2427, CVE-2017-13098,
> CVE-2018-1000180, CVE-2018-1000613
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-gce:
>
> httpclient-4.0.1.jar (pkg:maven/org.apache.httpcomponents/httpclient@4.0.1
> ,
> cpe:2.3:a:apache:httpclient:4.0.1:*:*:*:*:*:*:*) : CVE-2011-1498,
> CVE-2014-3577, CVE-2015-5262
> guava-jdk5-17.0.jar (pkg:maven/com.google.guava/guava-jdk5@17.0,
> cpe:2.3:a:google:guava:17.0:*:*:*:*:*:*:*) : CVE-2018-10237
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-cloud:
>
> openstack-keystone-2.0.0.jar
> (pkg:maven/org.apache.jclouds.api/openstack-keystone@2.0.0,
> cpe:2.3:a:openstack:keystone:2.0.0:*:*:*:*:*:*:*,
> cpe:2.3:a:openstack:openstack:2.0.0:*:*:*:*:*:*:*) : CVE-2013-2014,
> CVE-2013-4222, CVE-2013-6391, CVE-2014-0204, CVE-2014-3476, CVE-2014-3520,
> CVE-2014-3621, CVE-2015-3646, CVE-2015-7546, CVE-2018-14432, CVE-2018-20170
> cloudstack-2.0.0.jar (pkg:maven/org.apache.jclouds.api/cloudstack@2.0.0,
> cpe:2.3:a:apache:cloudstack:2.0.0:*:*:*:*:*:*:*) : CVE-2013-2136,
> CVE-2013-6398, CVE-2014-0031, CVE-2014-9593, CVE-2015-3252
> docker-2.0.0.jar (pkg:maven/org.apache.jclouds.api/docker@2.0.0,
> cpe:2.3:a:docker:docker:2.0.0:*:*:*:*:*:*:*) : CVE-2018-10892,
> CVE-2019-13139, CVE-2019-13509, CVE-2019-15752, CVE-2019-16884,
> CVE-2019-5736
> guava-16.0.1.jar (pkg:maven/com.google.guava/guava@16.0.1,
> cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
> docker-1.9.3.jar (pkg:maven/org.apache.jclouds.labs/docker@1.9.3,
> cpe:2.3:a:docker:docker:1.9.3:*:*:*:*:*:*:*) : CVE-2016-3697,
> CVE-2017-14992, CVE-2019-13139, CVE-2019-13509, CVE-2019-15752,
> CVE-2019-16884, CVE-2019-5736
> jsch.agentproxy.core-0.0.8.jar
> (pkg:maven/com.jcraft/jsch.agentproxy.core@0.0.8,
> cpe:2.3:a:jcraft:jsch:0.0.8:*:*:*:*:*:*:*) : CVE-2016-5725
> bcprov-ext-jdk15on-1.49.jar
> (pkg:maven/org.bouncycastle/bcprov-ext-jdk15on@1.49) : CVE-2015-6644,
> CVE-2015-7940, CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000341,
> CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345,
> CVE-2016-1000346, CVE-2016-1000352, CVE-2017-13098, CVE-2018-1000613
> okhttp-2.2.0.jar (pkg:maven/com.squareup.okhttp/okhttp@2.2.0,
> cpe:2.3:a:squareup:okhttp:2.2.0:*:*:*:*:*:*:*) : CVE-2016-2402
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-mesos:
>
> mesos-1.5.0.jar (pkg:maven/org.apache.mesos/mesos@1.5.0,
> cpe:2.3:a:apache:mesos:1.5.0:*:*:*:*:*:*:*) : CVE-2018-11793,
> CVE-2018-1330, CVE-2018-8023, CVE-2019-0204, CVE-2019-5736
> jetty-server-9.4.11.v20180605.jar
> (pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605,
> cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*,
> cpe:2.3:a:jetty:jetty:9.4.11.v20180605:*:*:*:*:*:*:*,
> cpe:2.3:a:mortbay_jetty:jetty:9.4.11:20180605:*:*:*:*:*:*) :
> CVE-2018-12545, CVE-2019-10241, CVE-2019-10247
> jackson-databind-2.9.6.jar
> (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6,
> cpe:2.3:a:fasterxml:jackson:2.9.6:*:*:*:*:*:*:*,
> cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) :
> CVE-2018-1000873, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720,
> CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362,
> CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379,
> CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942,
> CVE-2019-16943, CVE-2019-17267, CVE-2019-17531
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-kafka:
>
> kafka-clients-2.0.1.jar (pkg:maven/org.apache.kafka/kafka-clients@2.0.1,
> cpe:2.3:a:apache:kafka:2.0.1:*:*:*:*:*:*:*) : CVE-2018-17196
> connect-api-2.0.1.jar (pkg:maven/org.apache.kafka/connect-api@2.0.1,
> cpe:2.3:a:apache:kafka:2.0.1:*:*:*:*:*:*:*) : CVE-2018-17196
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-flume:
>
> guava-11.0.2.jar (pkg:maven/com.google.guava/guava@11.0.2,
> cpe:2.3:a:google:guava:11.0.2:*:*:*:*:*:*:*) : CVE-2018-10237
> jackson-core-asl-1.8.8.jar
> (pkg:maven/org.codehaus.jackson/jackson-core-asl@1.8.8,
> cpe:2.3:a:fasterxml:jackson:1.8.8:*:*:*:*:*:*:*) : CVE-2017-15095,
> CVE-2017-17485, CVE-2017-7525
> jackson-mapper-asl-1.8.8.jar
> (pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.8.8,
> cpe:2.3:a:fasterxml:jackson:1.8.8:*:*:*:*:*:*:*,
> cpe:2.3:a:fasterxml:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*) :
> CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-1000873,
> CVE-2018-14718, CVE-2018-5968, CVE-2018-7489, CVE-2019-14540,
> CVE-2019-16335, CVE-2019-17267
> commons-collections-3.2.1.jar
> (pkg:maven/commons-collections/commons-collections@3.2.1,
> cpe:2.3:a:apache:commons_collections:3.2.1:*:*:*:*:*:*:*) : CVE-2015-6420,
> CVE-2017-15708, Remote code execution
> netty-3.9.4.Final.jar (pkg:maven/io.netty/netty@3.9.4.Final,
> cpe:2.3:a:netty:netty:3.9.4:*:*:*:*:*:*:*) : CVE-2015-2156, CVE-2019-16869,
> POODLE vulnerability in SSLv3.0 support
> servlet-api-2.5-20110124.jar
> (pkg:maven/org.mortbay.jetty/servlet-api@2.5-20110124,
> cpe:2.3:a:jetty:jetty:2.5.20110124:*:*:*:*:*:*:*,
> cpe:2.3:a:mortbay:jetty:2.5.20110124:*:*:*:*:*:*:*,
> cpe:2.3:a:mortbay_jetty:jetty:2.5.20110124:*:*:*:*:*:*:*) : CVE-2005-3747,
> CVE-2007-5615, CVE-2009-1523, CVE-2009-1524, CVE-2009-5048, CVE-2009-5049,
> CVE-2011-4461
> jetty-util-6.1.26.jar (pkg:maven/org.mortbay.jetty/jetty-util@6.1.26,
> cpe:2.3:a:jetty:jetty:6.1.26:*:*:*:*:*:*:*,
> cpe:2.3:a:mortbay:jetty:6.1.26:*:*:*:*:*:*:*,
> cpe:2.3:a:mortbay_jetty:jetty:6.1.26:*:*:*:*:*:*:*) : CVE-2009-1523,
> CVE-2011-4461
> jetty-6.1.26.jar (pkg:maven/org.mortbay.jetty/jetty@6.1.26,
> cpe:2.3:a:jetty:jetty:6.1.26:*:*:*:*:*:*:*,
> cpe:2.3:a:mortbay:jetty:6.1.26:*:*:*:*:*:*:*,
> cpe:2.3:a:mortbay_jetty:jetty:6.1.26:*:*:*:*:*:*:*) : CVE-2009-1523,
> CVE-2011-4461, CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735,
> CVE-2019-10241, CVE-2019-10247
> libthrift-0.9.0.jar (pkg:maven/org.apache.thrift/libthrift@0.9.0) :
> CVE-2015-3254, CVE-2016-5397, CVE-2018-1320, CVE-2019-0205
> httpclient-4.1.3.jar (pkg:maven/org.apache.httpcomponents/httpclient@4.1.3
> ,
> cpe:2.3:a:apache:httpclient:4.1.3:*:*:*:*:*:*:*) : CVE-2014-3577,
> CVE-2015-5262
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-twitter:
>
> httpclient-4.2.5.jar (pkg:maven/org.apache.httpcomponents/httpclient@4.2.5
> ,
> cpe:2.3:a:apache:httpclient:4.2.5:*:*:*:*:*:*:*) : CVE-2014-3577,
> CVE-2015-5262
> guava-14.0.1.jar (pkg:maven/com.google.guava/guava@14.0.1,
> cpe:2.3:a:google:guava:14.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-zookeeper:
>
> jackson-databind-2.9.8.jar
> (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8,
> cpe:2.3:a:fasterxml:jackson:2.9.8:*:*:*:*:*:*:*,
> cpe:2.3:a:fasterxml:jackson-databind:2.9.8:*:*:*:*:*:*:*) : CVE-2019-12086,
> CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439,
> CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943,
> CVE-2019-17267, CVE-2019-17531
> guava-16.0.1.jar (pkg:maven/com.google.guava/guava@16.0.1,
> cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
> jackson-mapper-asl-1.9.13.jar
> (pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.9.13,
> cpe:2.3:a:fasterxml:jackson:1.9.13:*:*:*:*:*:*:*,
> cpe:2.3:a:fasterxml:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*) :
> CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-1000873,
> CVE-2018-14718, CVE-2018-5968, CVE-2018-7489, CVE-2019-10172,
> CVE-2019-14540, CVE-2019-16335, CVE-2019-17267
> netty-all-4.1.29.Final.jar (pkg:maven/io.netty/netty-all@4.1.29.Final,
> cpe:2.3:a:netty:netty:4.1.29:*:*:*:*:*:*:*) : CVE-2019-16869
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-camel:
>
> camel-core-2.22.0.jar (pkg:maven/org.apache.camel/camel-core@2.22.0,
> cpe:2.3:a:apache:camel:2.22.0:*:*:*:*:*:*:*) : CVE-2018-8041,
> CVE-2019-0188, CVE-2019-0194
>
> camel-core-2.22.0.jar/META-INF/maven/org.apache.camel/spi-annotations/pom.xml
> (pkg:maven/org.apache.camel/spi-annotations@2.22.0,
> cpe:2.3:a:apache:camel:2.22.0:*:*:*:*:*:*:*) : CVE-2018-8041,
> CVE-2019-0188, CVE-2019-0194
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-storm:
>
> storm-core-1.1.1.jar (pkg:maven/org.apache.storm/storm-core@1.1.1,
> cpe:2.3:a:apache:storm:1.1.1:*:*:*:*:*:*:*) : CVE-2018-11779,
> CVE-2018-1331, CVE-2018-1332, CVE-2018-8008, CVE-2019-0202
> storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.xml
> (pkg:maven/org.eclipse.jetty/jetty-servlet@7.6.13.v20130916,
> cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*,
> cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) : CVE-2019-10247
>
> storm-core-1.1.1.jar/META-INF/maven/org.apache.httpcomponents/httpclient/pom.xml
> (pkg:maven/org.apache.httpcomponents/httpclient@4.3.3,
> cpe:2.3:a:apache:httpclient:4.3.3:*:*:*:*:*:*:*) : CVE-2014-3577,
> CVE-2015-5262
> storm-core-1.1.1.jar/META-INF/maven/com.google.guava/guava/pom.xml
> (pkg:maven/com.google.guava/guava@16.0.1,
> cpe:2.3:a:google:guava:16.0.1:*:*:*:*:*:*:*) : CVE-2018-10237
> storm-core-1.1.1.jar/META-INF/maven/io.netty/netty/pom.xml
> (pkg:maven/io.netty/netty@3.9.0.Final,
> cpe:2.3:a:netty:netty:3.9.0:*:*:*:*:*:*:*) : CVE-2014-0193, CVE-2014-3488,
> CVE-2015-2156, CVE-2019-16869, POODLE vulnerability in SSLv3.0 support
> storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-server/pom.xml
> (pkg:maven/org.eclipse.jetty/jetty-server@7.6.13.v20130916,
> cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*,
> cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) : CVE-2011-4461,
> CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2019-10241,
> CVE-2019-10247
> storm-core-1.1.1.jar/META-INF/maven/org.eclipse.jetty/jetty-util/pom.xml
> (pkg:maven/org.eclipse.jetty/jetty-util@7.6.13.v20130916,
> cpe:2.3:a:eclipse:jetty:7.6.13:20130916:*:*:*:*:*:*,
> cpe:2.3:a:jetty:jetty:7.6.13.v20130916:*:*:*:*:*:*:*) : CVE-2011-4461,
> CVE-2019-10247
>
> storm-core-1.1.1.jar/META-INF/maven/commons-fileupload/commons-fileupload/pom.xml
> (pkg:maven/commons-fileupload/commons-fileupload@1.3.2,
> cpe:2.3:a:apache:commons_fileupload:1.3.2:*:*:*:*:*:*:*) : CVE-2016-1000031
> storm-core-1.1.1.jar/META-INF/maven/org.apache.hadoop/hadoop-auth/pom.xml
> (pkg:maven/org.apache.hadoop/hadoop-auth@2.6.1,
> cpe:2.3:a:apache:hadoop:2.6.1:*:*:*:*:*:*:*) : CVE-2015-1776,
> CVE-2016-3086, CVE-2016-5001, CVE-2016-5393, CVE-2016-6811, CVE-2017-15713,
> CVE-2017-3161, CVE-2017-3162, CVE-2017-3166, CVE-2018-11768, CVE-2018-1296,
> CVE-2018-8009, CVE-2018-8029
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-cassandra-store:
> One or more dependencies were identified with known vulnerabilities in
> ignite-cassandra-serializers:
>
> commons-beanutils-1.9.2.jar
> (pkg:maven/commons-beanutils/commons-beanutils@1.9.2,
> cpe:2.3:a:apache:commons_beanutils:1.9.2:*:*:*:*:*:*:*) : CVE-2019-10086
> commons-collections-3.2.1.jar
> (pkg:maven/commons-collections/commons-collections@3.2.1,
> cpe:2.3:a:apache:commons_collections:3.2.1:*:*:*:*:*:*:*) : CVE-2015-6420,
> CVE-2017-15708, Remote code execution
> spring-core-4.3.18.RELEASE.jar
> (pkg:maven/org.springframework/spring-core@4.3.18.RELEASE,
> cpe:2.3:a:pivotal_software:spring_framework:4.3.18.release:*:*:*:*:*:*:*,
> cpe:2.3:a:springsource:spring_framework:4.3.18.release:*:*:*:*:*:*:*,
> cpe:2.3:a:vmware:springsource_spring_framework:4.3.18:*:*:*:*:*:*:*) :
> CVE-2018-15756
> netty-transport-4.1.27.Final.jar
> (pkg:maven/io.netty/netty-transport@4.1.27.Final,
> cpe:2.3:a:netty:netty:4.1.27:*:*:*:*:*:*:*) : CVE-2019-16869
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-flink:
>
> flink-hadoop-fs-1.5.0.jar (pkg:maven/org.apache.flink/flink-hadoop-fs@1.5.0
> ,
> cpe:2.3:a:apache:hadoop:1.5.0:*:*:*:*:*:*:*) : CVE-2016-5001,
> CVE-2017-3161, CVE-2017-3162
>
> flink-shaded-netty-4.0.27.Final-2.0.jar/META-INF/maven/io.netty/netty-all/pom.xml
> (pkg:maven/io.netty/netty-all@4.0.27.Final,
> cpe:2.3:a:netty:netty:4.0.27:*:*:*:*:*:*:*) : CVE-2015-2156, CVE-2016-4970,
> CVE-2019-16869
>
> flink-shaded-jackson-2.7.9-3.0.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
> (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9,
> cpe:2.3:a:fasterxml:jackson:2.7.9:*:*:*:*:*:*:*,
> cpe:2.3:a:fasterxml:jackson-databind:2.7.9:*:*:*:*:*:*:*) : CVE-2017-15095,
> CVE-2017-17485, CVE-2017-7525, CVE-2018-1000873, CVE-2018-11307,
> CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719,
> CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361,
> CVE-2018-19362, CVE-2018-5968, CVE-2018-7489, CVE-2019-12086,
> CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439,
> CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943,
> CVE-2019-17267, CVE-2019-17531
>
> flink-shaded-guava-18.0-2.0.jar/META-INF/maven/com.google.guava/guava/pom.xml
> (pkg:maven/com.google.guava/guava@18.0,
> cpe:2.3:a:google:guava:18.0:*:*:*:*:*:*:*) : CVE-2018-10237
>
> One or more dependencies were identified with known vulnerabilities in
> ignite-rocketmq:
>
> netty-all-4.0.42.Final.jar (pkg:maven/io.netty/netty-all@4.0.42.Final,
> cpe:2.3:a:netty:netty:4.0.42:*:*:*:*:*:*:*) : CVE-2019-16869
> netty-tcnative-boringssl-static-1.1.33.Fork26.jar
> (pkg:maven/io.netty/netty-tcnative-boringssl-static@1.1.33.Fork26,
> cpe:2.3:a:apache:tomcat:1.1.33:*:*:*:*:*:*:*,
> cpe:2.3:a:apache:tomcat_native:1.1.33:*:*:*:*:*:*:*,
> cpe:2.3:a:apache_software_foundation:tomcat:1.1.33:*:*:*:*:*:*:*,
> cpe:2.3:a:apache_tomcat:apache_tomcat:1.1.33:*:*:*:*:*:*:*) :
> CVE-2000-1210, CVE-2001-0590, CVE-2002-0493, CVE-2005-4838, CVE-2006-7196,
> CVE-2007-1358, CVE-2007-2449, CVE-2008-0128, CVE-2009-2696, CVE-2012-5568,
> CVE-2013-2185, CVE-2013-4286, CVE-2013-4322, CVE-2013-4444, CVE-2013-4590,
> CVE-2013-6357, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119,
> CVE-2016-5425, CVE-2017-15698, CVE-2018-8019, CVE-2018-8020
>
> Main offenders seem to be "jackson-databind" and old maintenance releases
> of Spring. I think we can bump most of that.
>
> Some integrations also clearly suffer, though it's a problem of their
> users, since they need to declare their own libraries' versions by
> convention.
>
> Regards,
> --
> Ilya Kasnacheev
>
>
> Fri, 27 Dec 2019 at 23:59, Denis Magda <dmagda@apache.org>:
>
> > Ilya, now I see, thanks for the explanation. Agree with you, let's update
> > the versions of the dependencies to the latest.
> >
> > -
> > Denis
> >
> >
> > On Thu, Dec 26, 2019 at 10:50 PM Ilya Kasnacheev <ilya.kasnacheev@gmail.com>
> > wrote:
> >
> > > Hello!
> > >
> > > I have committed ignite-spring-data_2.2 to ignite-2.8.
> > >
> > > By bumping versions I mean the following:
> > >         <slf4j.version>1.7.*7*</slf4j.version>
> > >         <slf4j16.version>1.6.*4*</slf4j16.version>
> > >         <snappy.version>1.1.7.*2*</snappy.version>
> > >         <spark.hadoop.version>2.6.*5*</spark.hadoop.version>
> > >         <spark.version>2.3.*0*</spark.version>
> > >         <spring.data.version>1.13.*14*.RELEASE</spring.data.version>
> > >         <!-- don't forget to update spring version -->
> > >         <spring.version>4.3.*18*.RELEASE</spring.version>
> > >         <!-- don't forget to update spring-data version -->
> > >         <spring.data-2.0.version>2.0.*9*.RELEASE</spring.data-2.0.version>
> > >         <!-- don't forget to update spring-5.0 version -->
> > >         <spring-5.0.version>5.0.*8*.RELEASE</spring-5.0.version>
> > >         <!-- don't forget to update spring-data-2.0 version -->
> > >
> > > All these libraries have maintenance releases (such as our 2.7.*6*) and I
> > > think it would be beneficial to upgrade these dependencies to the latest
> > > maintenance version found in Maven Central.
> > > For example, there is spring.data-2.0 2.0.*14*.RELEASE.
> > >
> > > Regards,
> > > --
> > > Ilya Kasnacheev
> > >
> > >
> > > Thu, 26 Dec 2019 at 19:32, Denis Magda <dmagda@apache.org>:
> > >
> > > > A huge +1 for adding Spring Data related fixes/improvements. Ilya is
> > > > right that Spring Data related questions sparked last time due to
> > > > missing support of the 2.2 version.
> > > >
> > > > Ilya, could you elaborate on what you mean under "bumping the
> > > > versions"? Do you suggest performing a straightforward upgrade of
> > > > "ignite-spring-data" to version 2.2 and introducing
> > > > "ignite-spring-data-{old-version}" for the previous versions? If it's
> > > > so, I fully agree with the proposal.
> > > >
> > > > -
> > > > Denis
> > > >
> > > >
> > > > On Thu, Dec 26, 2019 at 4:52 AM Ilya Kasnacheev <ilya.kasnacheev@gmail.com>
> > > > wrote:
> > > >
> > > > > Hello!
> > > > >
> > > > > I propose to add the following ticket to the scope:
> > > > > https://issues.apache.org/jira/browse/IGNITE-12259 (3 commits, be
> > > > > careful with release version)
> > > > >
> > > > > Adding tickets to scope surely seems crazy now, but I will provide
> > > > > the following considerations:
> > > > > * This is Spring Data 2.2 integration, which we currently do not
> > > > > have, leading to lots of confused questions on Stack Overflow and
> > > > > the mailing list. Spring Data is important to our public image since
> > > > > many people may learn about our project by starting with Spring Data.
> > > > >
> > > > > * It has zero code impact outside of its own module (just 2 POM
> > > > > files touched and that's all).
> > > > >
> > > > > * The code was ready since early November but, due to a gmail quirk,
> > > > > we did not react to it in time.
> > > > >
> > > > > WDYT?
> > > > >
> > > > > Another semi-related question. *Should we bump our dependencies'
> > > > > versions before releasing 2.8?* I talk mainly about spring and
> > > > > hibernate dependencies. We could switch them to their latest
> > > > > maintenance versions to avoid shipping default links to outdated
> > > > > packages.
> > > > >
> > > > > I think this is one of the things that are very hard to do between
> > > > > releases, so I think this dependency bumping should be a part of a
> > > > > formal release/testing cycle, and then be backported to master.
> > > > >
> > > > > I could volunteer to do that myself, if we agree to merge these
> > > > > version upgrades to ignite-2.8 and then re-test.
> > > > >
> > > > > Regards,
> > > > > --
> > > > > Ilya Kasnacheev
> > > > >
> > > > >
> > > > > Tue, 24 Dec 2019 at 13:22, Zhenya Stanilovsky
> > > > > <arzamas123@mail.ru.invalid>:
> > > > >
> > > > > >
> > > > > > Igniters, I'll try to compare the 2.8 release candidate vs 2.7.6.
> > > > > > The last 2.8 sha it was built from: 9d114f3137f92aebc2562a
> > > > > > I use yardstick benchmarks, 4 bare machines with: 2x Xeon X5570,
> > > > > > 96Gb, 512GB SSD, 2048GB HDD, 10GB/s;
> > > > > > 1 for the client (driver) and 3 for servers.
> > > > > > These are the mappings for graphs and real yardstick tests:
> > > > > >
> > > > > > atomic-put: IgnitePutBenchmark
> > > > > > sql-merge-query: IgniteSqlMergeQueryBenchmark
> > > > > > atomic-get: IgniteGetBenchmark
> > > > > > tx-get: IgniteGetTxBenchmark
> > > > > > tx-put: IgnitePutTxBenchmark
> > > > > > atomic-put-all-bs-10: IgnitePutAllBenchmark
> > > > > > tx-put-all-bs-10: IgnitePutAllTxBenchmark
> > > > > >
> > > > > > cacheMode — partitioned
> > > > > > CacheWriteSynchronizationMode.FULL_SYNC
> > > > > > 1 backup
> > > > > >
> > > > > > 1. wal = log_only 2. wal = none 3. persistence disabled.
> > > > > > Thanks Maxim for the wiki page [1]
> > > > > >
> > > > > > [1]
> > > > > > https://cwiki.apache.org/confluence/display/IGNITE/Apache+Ignite+2.8#ApacheIgnite2.8-Benchmarks
> > > > > >
> > > > > > Do we need some bisect or other work here?
> > > > > >
> > > > > > >
> > > > > > >
> > > > > > >------- Forwarded message -------
> > > > > > >From: "Maxim Muzafarov" < mmuzaf@apache.org >
> > > > > > >To:  dev@ignite.apache.org
> > > > > > >Cc:
> > > > > > >Subject: Apache Ignite 2.8 RELEASE [Time, Scope, Manager]
> > > > > > >Date: Fri, 20 Sep 2019 14:44:31 +0300
> > > > > > >
> > > > > > >Igniters,
> > > > > > >
> > > > > > >
> > > > > > >It's been almost a year since the last major release, Apache Ignite
> > > > > > >2.7. We've accumulated a lot of performance improvements and a lot
> > > > > > >of new features which are waiting for their release date. Here is
> > > > > > >my list of the most interesting things, from my point of view, since
> > > > > > >the last major release:
> > > > > > >
> > > > > > >Service Grid,
> > > > > > >Monitoring,
> > > > > > >Recovery Read
> > > > > > >BLT auto-adjust,
> > > > > > >PDS compression,
> > > > > > >WAL page compression,
> > > > > > >Thin client: best effort affinity,
> > > > > > >Thin client: transactions support (not yet)
> > > > > > >SQL query history
> > > > > > >SQL statistics
> > > > > > >
> > > > > > >I think we should not wait any longer: freeze the master branch
> > > > > > >and prepare the next major release by the end of the year.
> > > > > > >
> > > > > > >
> > > > > > >I propose to discuss the Time and Scope of the Apache Ignite 2.8
> > > > > > >release, and also I want to propose myself as the release manager
> > > > > > >of the planned release.
> > > > > > >
> > > > > > >Scope Freeze: November 4, 2019
> > > > > > >Code Freeze: November 18, 2019
> > > > > > >Voting Date: December 10, 2019
> > > > > > >Release Date: December 17, 2019
> > > > > > >
> > > > > > >
> > > > > > >WDYT?
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
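An added example, not code from this thread or from the Ignite project: a small parser for the dependency-check output quoted above. It flattens the line-wrapped report, locates each finding by its pkg:maven coordinate, and groups the CVE ids by artifact and by Ignite module, which is how one would confirm the "main offenders" observation before deciding which versions to bump. The report excerpt it runs on is constructed in the same format as the quoted output.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the dependency-check output quoted in the
# thread: a module header, then "artifact (pkg:maven/..., cpe:...) : CVE-..." entries.
SAMPLE_REPORT = """\
One or more dependencies were identified with known vulnerabilities in
ignite-rest-http:

jetty-server-9.4.11.v20180605.jar
(pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605,
cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*) :
CVE-2018-12545, CVE-2019-10241, CVE-2019-10247
jackson-databind-2.9.6.jar
(pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6,
cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) :
CVE-2018-14718, CVE-2018-14719, CVE-2019-12086

One or more dependencies were identified with known vulnerabilities in
ignite-aws:

jackson-databind-2.9.6.jar
(pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6,
cpe:2.3:a:fasterxml:jackson-databind:2.9.6:*:*:*:*:*:*:*) :
CVE-2018-14718, CVE-2018-14719, CVE-2019-12086
guava-jdk5-17.0.jar (pkg:maven/com.google.guava/guava-jdk5@17.0,
cpe:2.3:a:google:guava:17.0:*:*:*:*:*:*:*) : CVE-2018-10237
"""

MODULE_RE = re.compile(r"known vulnerabilities in\s+(\S+?):")
PKG_RE = re.compile(r"pkg:maven/([^@\s]+)@([^,\s)]+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_report(text):
    """Return a list of (module, group/artifact, version, [cve ids]) findings.

    Mail wrapping is irrelevant once the text is flattened, so each finding is
    located by its pkg:maven coordinate; free-text items such as
    "Remote code execution" are not CVE ids and are dropped.
    """
    flat = " ".join(line.strip() for line in text.splitlines())
    parts = MODULE_RE.split(flat)  # [preamble, module1, body1, module2, body2, ...]
    findings = []
    for i in range(1, len(parts) - 1, 2):
        module, body = parts[i], parts[i + 1]
        for chunk in re.split(r"(?=pkg:maven/)", body)[1:]:
            coord = PKG_RE.match(chunk)
            cves = list(dict.fromkeys(CVE_RE.findall(chunk)))  # de-dup, keep order
            findings.append((module, coord.group(1), coord.group(2), cves))
    return findings


def worst_offenders(findings, top=3):
    """Rank artifact@version by distinct CVE count, with the modules shipping it."""
    cves, modules = defaultdict(set), defaultdict(set)
    for module, coord, version, ids in findings:
        key = f"{coord}@{version}"
        cves[key].update(ids)
        modules[key].add(module)
    ranked = sorted(cves, key=lambda k: (-len(cves[k]), k))
    return [(k, len(cves[k]), sorted(modules[k])) for k in ranked[:top]]


def cves_by_module(findings):
    """Distinct CVE count per Ignite module, to decide which modules to bump first."""
    per_module = defaultdict(set)
    for module, _, _, ids in findings:
        per_module[module].update(ids)
    return {m: len(s) for m, s in per_module.items()}


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for key, n, mods in worst_offenders(found):
        print(f"{n:3d} CVEs  {key}  <- {', '.join(mods)}")
    print(cves_by_module(found))
```

Feeding the full quoted report to parse_report works the same way, since the regexes only rely on the header sentence and the pkg:maven coordinates.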
