Posted to dev@zeppelin.apache.org by GitBox <gi...@apache.org> on 2021/07/02 02:41:19 UTC

[GitHub] [zeppelin] EricGao888 opened a new pull request #4160: [ZEPPELIN-5434] Upgrade jetty to 9.4.42.v20210604

EricGao888 opened a new pull request #4160:
URL: https://github.com/apache/zeppelin/pull/4160


   ### What is this PR for?
   * Upgrade jetty to 9.4.42.v20210604
   
   
   ### What type of PR is it?
   * Bug Fix
   
   ### Todos
   * None
   
   ### What is the Jira issue?
   * https://issues.apache.org/jira/browse/ZEPPELIN-5434
   
   ### How should this be tested?
   * Locally tested.
   
   ### Screenshots (if appropriate)
   
   ### Questions:
   * Do the license files need an update?
   * Are there breaking changes for older versions?
   * Does this need documentation?
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@zeppelin.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [zeppelin] EricGao888 commented on pull request #4160: [ZEPPELIN-5434] Upgrade jetty to 9.4.42.v20210604

Posted by GitBox <gi...@apache.org>.
EricGao888 commented on pull request #4160:
URL: https://github.com/apache/zeppelin/pull/4160#issuecomment-874557842


   > Please test manually, it seems that the server does not start. Thank you for submitting the PR to close security gaps.
   
   Tested again, couldn't start server. Got a warning message like this:
   
   ```
    WARN [2021-07-06 15:54:34,822] ({main} WebAppContext.java[doStart]:533) - Failed startup of context o.e.j.w.WebAppContext@7e5c856f{zeppelin-web,/,file:///Users/alibaba/workplace/me/zeppelin/zeppelin-web/dist/,UNAVAILABLE}
   java.lang.IllegalStateException
           at org.eclipse.jetty.servlet.ServletHolder.setClassFrom(ServletHolder.java:300)
           at org.eclipse.jetty.servlet.ServletHolder.doStart(ServletHolder.java:347)
           at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
           at org.eclipse.jetty.servlet.ServletHandler.lambda$initialize$0(ServletHandler.java:730)
           at java.util.stream.SortedOps$SizedRefSortingSink.end(SortedOps.java:352)
           at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:483)
           at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
           at java.util.stream.StreamSpliterators$WrappingSpliterator.forEachRemaining(StreamSpliterators.java:312)
           at java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:743)
           at java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:580)
           at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:755)
           at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:379)
           at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1449)
           at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1414)
           at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:911)
           at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:288)
           at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:524)
           at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
           at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
           at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
           at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
           at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
           at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
           at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110)
           at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
           at io.micrometer.core.instrument.binder.jetty.TimedHandler.doStart(TimedHandler.java:162)
           at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
           at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
           at org.eclipse.jetty.server.Server.start(Server.java:423)
           at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110)
           at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
           at org.eclipse.jetty.server.Server.doStart(Server.java:387)
           at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
           at org.apache.zeppelin.server.ZeppelinServer.main(ZeppelinServer.java:253)
   ```





[GitHub] [zeppelin] EricGao888 commented on pull request #4160: [ZEPPELIN-5434] Upgrade jetty to 9.4.42.v20210604

Posted by GitBox <gi...@apache.org>.
EricGao888 commented on pull request #4160:
URL: https://github.com/apache/zeppelin/pull/4160#issuecomment-875254401


   > My experience is that we can safely upgrade to version 9.4.40.v20210413 (which is also considered insecure). Any version after April causes a JSP startup error stating that /next is not defined. Jetty must have changed something to cause this issue.
   
   I tried version 9.4.40.v20210413 and it did work. May I ask whether there's a way to make the 9.4.42.v20210604 version of jetty compatible with zeppelin? After all, the purpose of upgrading jetty is to solve the security problem.
   





[GitHub] [zeppelin] tecgie commented on pull request #4160: [ZEPPELIN-5434] Upgrade jetty to 9.4.42.v20210604

Posted by GitBox <gi...@apache.org>.
tecgie commented on pull request #4160:
URL: https://github.com/apache/zeppelin/pull/4160#issuecomment-894930590


   Same here, I couldn't figure out the fix. Someone please try to upgrade jetty to 9.4.43.v20210629 ASAP to address the CVEs. Thanks.





[GitHub] [zeppelin] EricGao888 commented on pull request #4160: [ZEPPELIN-5434] Upgrade jetty to 9.4.42.v20210604

Posted by GitBox <gi...@apache.org>.
EricGao888 commented on pull request #4160:
URL: https://github.com/apache/zeppelin/pull/4160#issuecomment-872766609


   > Please test manually, it seems that the server does not start. Thank you for submitting the PR to close security gaps.
   
   Looked fine when I tested. Anyway I will double check it.





[GitHub] [zeppelin] jason-ogaard commented on pull request #4160: [ZEPPELIN-5434] Upgrade jetty to 9.4.42.v20210604

Posted by GitBox <gi...@apache.org>.
jason-ogaard commented on pull request #4160:
URL: https://github.com/apache/zeppelin/pull/4160#issuecomment-894872416


   > May I ask whether there's a way to make the 9.4.42.v20210604 version jetty compatible with zeppelin? After all, the purpose for upgrading jetty is to solve the security problem.
   
   I looked into it when I first encountered the issue. Unfortunately I'm not familiar enough with Jetty to know where to make the change. I believe it's a simple matter of a configuration change but I wasn't able to determine what to change.








[GitHub] [zeppelin] Reamer commented on pull request #4160: [ZEPPELIN-5434] Upgrade jetty to 9.4.42.v20210604

Posted by GitBox <gi...@apache.org>.
Reamer commented on pull request #4160:
URL: https://github.com/apache/zeppelin/pull/4160#issuecomment-872763950


   Please test manually, it seems that the server does not start. Thank you for submitting the PR to close security gaps.





[GitHub] [zeppelin] jason-ogaard commented on pull request #4160: [ZEPPELIN-5434] Upgrade jetty to 9.4.42.v20210604

Posted by GitBox <gi...@apache.org>.
jason-ogaard commented on pull request #4160:
URL: https://github.com/apache/zeppelin/pull/4160#issuecomment-873039122


   My experience is that we can safely upgrade to version 9.4.40.v20210413 (which is also considered insecure). Any version after April causes a JSP startup error stating that /next is not defined. Jetty must have changed something to cause this issue.




