flink-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-8156) Bump commons-beanutils version to 1.9.3
Date Sun, 03 Dec 2017 11:12:00 GMT

    [ https://issues.apache.org/jira/browse/FLINK-8156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16275883#comment-16275883 ]

ASF GitHub Bot commented on FLINK-8156:
---------------------------------------

Github user yew1eb commented on a diff in the pull request:

    https://github.com/apache/flink/pull/5113#discussion_r154520820
  
    --- Diff: pom.xml ---
    @@ -367,11 +367,10 @@ under the License.
     				<version>3.2.2</version>
     			</dependency>
     
    -			<!-- common-beanutils-bean-collections is used by flink-shaded-hadoop2 -->
     			<dependency>
     				<groupId>commons-beanutils</groupId>
    -				<artifactId>commons-beanutils-bean-collections</artifactId>
    -				<version>1.8.3</version>
    +				<artifactId>commons-beanutils</artifactId>
    +				<version>1.9.3</version>
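Review bot: the hunk removes the `<!-- common-beanutils-bean-collections is used by flink-shaded-hadoop2 -->` comment together with the old artifact, so the managed `commons-beanutils` entry no longer records why Flink pins it or why the artifact name changed. Keep a comment on the new entry, e.g. `<!-- commons-beanutils is used by flink-shaded-hadoop2; 1.9.x ships the bean-collections classes in this single jar, and 1.9.3 is the first release that addresses CVE-2014-0114 without the vulnerable commons-collections dependency -->`, so the next reader does not reintroduce the `-bean-collections` artifact or downgrade the version.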
    --- End diff --
    
    The 1.8.x releases of BeanUtils have distributed three jars:
    - commons-beanutils.jar - contains everything
    - commons-beanutils-core.jar - excludes Bean Collections classes
    - commons-beanutils-bean-collections.jar - only Bean Collections classes
    
    Version 1.9.0 reverts this split for reasons outlined at [BEANUTILS-379](http://issues.apache.org/jira/browse/BEANUTILS-379).
    There is now only one jar for the BeanUtils library.



> Bump commons-beanutils version to 1.9.3
> ---------------------------------------
>
>                 Key: FLINK-8156
>                 URL: https://issues.apache.org/jira/browse/FLINK-8156
>             Project: Flink
>          Issue Type: Bug
>          Components: Build System
>    Affects Versions: 1.4.0
>            Reporter: Hai Zhou UTC+8
>            Assignee: Hai Zhou UTC+8
>             Fix For: 1.5.0
>
>
> Commons-beanutils v1.8.0 dependency is not security compliant. See [CVE-2014-0114|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114]:
> {code:java}
> Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache
> Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2,
> does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader
> and execute arbitrary code via the class parameter, as demonstrated by the passing of this
> parameter to the getClass method of the ActionForm object in Struts 1.
> {code}
> Note that current version commons-beanutils 1.9.2 in turn has a CVE in its dependency
> commons-collections (CVE-2015-6420, see BEANUTILS-488), which is fixed in 1.9.3.
> We should upgrade {{commons-beanutils}} from 1.8.3 to 1.9.3
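The quoted CVE text describes the failure mode but not what a consumer of the library can do about it beyond upgrading. The following is an added example, not code from the Flink pull request or from the BeanUtils project: it shows the opt-in hardening that commons-beanutils 1.9.2 and later provide, `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS`, which stops the introspector from reporting a `class` property so that a nested `class.*` key cannot reach `Object.getClass()`. The `UserForm` bean, the `hardenedBeanUtils` helper and the parameter map are all constructed for the example. It assumes commons-beanutils 1.9.3 (the version this issue bumps to) on the classpath, where the suppression exists but is not enabled by default.

```java
// Added example (not part of the Flink PR or the BeanUtils project):
// hardening a BeanUtils populate() call against the CVE-2014-0114 pattern
// (a "class" property key reaching getClass().getClassLoader()).
// Assumes commons-beanutils 1.9.2+ on the classpath, where
// SuppressPropertiesBeanIntrospector exists; in 1.9.3 the suppression is
// available but must be registered explicitly, as done below.
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SafeBeanPopulation {

    /** Hypothetical form bean standing in for a Struts-style ActionForm. */
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Builds a BeanUtilsBean whose property introspector skips the "class"
     * property. A key such as "class.classLoader.x" then fails property
     * resolution at the first segment and populate() drops it silently,
     * instead of resolving it through Object.getClass().
     */
    public static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean beanUtils = new BeanUtilsBean();
        beanUtils.getPropertyUtils()
                 .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return beanUtils;
    }

    public static void main(String[] args) throws Exception {
        // Constructed request parameters: one legitimate key and one in the
        // shape the CVE text describes. The value is arbitrary; only the key matters.
        Map<String, Object> params = new HashMap<>();
        params.put("name", "alice");
        params.put("class.classLoader.ignored", "should-never-be-applied");

        UserForm form = new UserForm();
        hardenedBeanUtils().populate(form, params);

        // "name" is set; the "class.*" key is dropped because the introspector
        // no longer reports a "class" property on UserForm.
        System.out.println("name = " + form.getName());
    }
}
```

Registering the introspector on a dedicated `BeanUtilsBean` instance, rather than on the shared `BeanUtilsBean.getInstance()`, keeps the hardening local to the code path that handles untrusted input and makes it easy to verify in a unit test that a `class.*` key leaves the bean untouched.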



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
