Posted to issues@bookkeeper.apache.org by GitBox <gi...@apache.org> on 2021/09/14 10:24:35 UTC

[GitHub] [bookkeeper] RaulGracia opened a new pull request #2792: Upgraded dependencies with CVEs

RaulGracia opened a new pull request #2792:
URL: https://github.com/apache/bookkeeper/pull/2792


   ### Motivation
   
   Minor upgrades of several dependencies to resolve publicly reported security vulnerabilities. 
   
   ### Changes
   
   Minor upgrades of the following libraries:
   - bouncycastle: 1.69
   - commonsIO: 2.7
   - jetty: 9.4.43.v20210629
   - log4j: 1.2.27
   
   Master Issue: #2791
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@bookkeeper.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [bookkeeper] eolivelli commented on pull request #2792: Upgraded dependencies with CVEs

Posted by GitBox <gi...@apache.org>.
eolivelli commented on pull request #2792:
URL: https://github.com/apache/bookkeeper/pull/2792#issuecomment-929605657


   @RaulGracia I am restarting the failed job.
   I will merge as soon as CI passes





[GitHub] [bookkeeper] eolivelli commented on pull request #2792: Upgraded dependencies with CVEs

Posted by GitBox <gi...@apache.org>.
eolivelli commented on pull request #2792:
URL: https://github.com/apache/bookkeeper/pull/2792#issuecomment-919107410


   @RaulGracia LICENSE check failed PTAL
   
   ```
   dev/check-binary-license dev/../bookkeeper-dist/server/target/bookkeeper-server-4.15.0-SNAPSHOT-bin.tar.gz
   commons-io-commons-io-2.7.jar unaccounted for in LICENSE
   org.eclipse.jetty-jetty-http-9.4.43.v20210629.jar unaccounted for in LICENSE
   org.eclipse.jetty-jetty-io-9.4.43.v20210629.jar unaccounted for in LICENSE
   org.eclipse.jetty-jetty-security-9.4.43.v20210629.jar unaccounted for in LICENSE
   org.eclipse.jetty-jetty-server-9.4.43.v20210629.jar unaccounted for in LICENSE
   org.eclipse.jetty-jetty-servlet-9.4.43.v20210629.jar unaccounted for in LICENSE
   org.eclipse.jetty-jetty-util-9.4.43.v20210629.jar unaccounted for in LICENSE
   org.eclipse.jetty-jetty-util-ajax-9.4.43.v20210629.jar unaccounted for in LICENSE
   org.slf4j-slf4j-api-1.7.32.jar unaccounted for in LICENSE
   org.slf4j-slf4j-log4j12-1.7.32.jar unaccounted for in LICENSE
   commons-io-commons-io-2.4.jar mentioned in LICENSE, but not bundled
   org.eclipse.jetty-jetty-http-9.4.33.v20201020.jar mentioned in LICENSE, but not bundled
   org.eclipse.jetty-jetty-io-9.4.33.v20201020.jar mentioned in LICENSE, but not bundled
   org.eclipse.jetty-jetty-security-9.4.33.v20201020.jar mentioned in LICENSE, but not bundled
   org.eclipse.jetty-jetty-server-9.4.33.v20201020.jar mentioned in LICENSE, but not bundled
   org.eclipse.jetty-jetty-servlet-9.4.33.v20201020.jar mentioned in LICENSE, but not bundled
   org.eclipse.jetty-jetty-util-9.4.33.v20201020.jar mentioned in LICENSE, but not bundled
   org.slf4j-slf4j-api-1.7.25.jar mentioned in LICENSE, but not bundled
   org.slf4j-slf4j-log4j12-1.7.25.jar mentioned in LICENSE, but not bundled
   org.eclipse.jetty-jetty-http-9.4.33.v20201020.jar mentioned in NOTICE, but not bundled
   org.eclipse.jetty-jetty-io-9.4.33.v20201020.jar mentioned in NOTICE, but not bundled
   org.eclipse.jetty-jetty-security-9.4.33.v20201020.jar mentioned in NOTICE, but not bundled
   org.eclipse.jetty-jetty-server-9.4.33.v20201020.jar mentioned in NOTICE, but not bundled
   org.eclipse.jetty-jetty-servlet-9.4.33.v20201020.jar mentioned in NOTICE, but not bundled
   org.eclipse.jetty-jetty-util-9.4.33.v20201020.jar mentioned in NOTICE, but not bundled
   org.eclipse.jetty-jetty-util-9.4.33.v20201020.jar mentioned in NOTICE, but not bundled
   ```


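The license check quoted above reports two kinds of drift between a release tarball and its LICENSE/NOTICE files: jars that ship but are not recorded, and entries that remain after the jar they describe is gone. The following is an added, self-contained Python example written for this thread, not BookKeeper's own `dev/check-binary-license` script; it assumes the jar naming scheme visible in the output (`group-artifact-version.jar`) and uses LICENSE, NOTICE and tarball contents constructed for illustration. It generalizes the check to any tarball and any pair of LICENSE/NOTICE texts.

```python
"""Reconcile the jars bundled in a release tarball with the entries in LICENSE
and NOTICE, reporting the same three findings as the check in the thread:
"unaccounted for in LICENSE", "mentioned in LICENSE, but not bundled" and
"mentioned in NOTICE, but not bundled".

Added example, not BookKeeper's script. All sample data below is constructed.
"""
import io
import re
import tarfile

# A jar name is "<group>-<artifact>-<version>.jar"; the version starts with a digit.
JAR_RE = re.compile(r"[A-Za-z0-9_.\-]+-\d[\w.\-]*\.jar")

# Constructed sample inputs modelled on the output quoted in the thread.
SAMPLE_JARS = [
    "commons-io-commons-io-2.7.jar",
    "org.eclipse.jetty-jetty-http-9.4.43.v20210629.jar",
    "org.eclipse.jetty-jetty-server-9.4.43.v20210629.jar",
    "org.slf4j-slf4j-api-1.7.25.jar",
]
SAMPLE_LICENSE = """\
This product bundles the following third-party components (constructed sample):
- commons-io-commons-io-2.4.jar
- org.eclipse.jetty-jetty-http-9.4.33.v20201020.jar
- org.eclipse.jetty-jetty-server-9.4.33.v20201020.jar
- org.slf4j-slf4j-api-1.7.25.jar
"""
SAMPLE_NOTICE = """\
- org.eclipse.jetty-jetty-http-9.4.33.v20201020.jar
- org.eclipse.jetty-jetty-server-9.4.33.v20201020.jar
"""


def make_sample_tarball(jar_names):
    """Build an in-memory .tar.gz holding empty jars under lib/ (constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in jar_names:
            info = tarfile.TarInfo(f"bookkeeper-server-4.15.0-SNAPSHOT/lib/{name}")
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


def bundled_jars(member_names):
    """Set of jar basenames from a list of archive member paths."""
    return {name.rsplit("/", 1)[-1] for name in member_names if name.endswith(".jar")}


def bundled_jars_from_tar(data):
    """Set of jar basenames bundled in a .tar.gz given as bytes."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return bundled_jars(tar.getnames())


def mentioned_jars(text):
    """Set of jar names mentioned anywhere in a LICENSE or NOTICE text."""
    return set(JAR_RE.findall(text))


def check_license(bundled, license_text, notice_text):
    """Return (unaccounted, license_stale, notice_stale), each sorted.

    unaccounted:   bundled but not mentioned in LICENSE
    license_stale: mentioned in LICENSE but no longer bundled
    notice_stale:  mentioned in NOTICE but no longer bundled
    All three must be empty for the release to pass.
    """
    in_license = mentioned_jars(license_text)
    in_notice = mentioned_jars(notice_text)
    return (
        sorted(bundled - in_license),
        sorted(in_license - bundled),
        sorted(in_notice - bundled),
    )


def report(bundled, license_text, notice_text):
    """Findings formatted as the check prints them; an empty list means pass."""
    unaccounted, license_stale, notice_stale = check_license(bundled, license_text, notice_text)
    lines = [f"{j} unaccounted for in LICENSE" for j in unaccounted]
    lines += [f"{j} mentioned in LICENSE, but not bundled" for j in license_stale]
    lines += [f"{j} mentioned in NOTICE, but not bundled" for j in notice_stale]
    return lines


if __name__ == "__main__":
    jars = bundled_jars_from_tar(make_sample_tarball(SAMPLE_JARS))
    for line in report(jars, SAMPLE_LICENSE, SAMPLE_NOTICE):
        print(line)
```

Both directions matter: an unrecorded jar is a component the release ships without the attribution and licence review its record implies, and a stale entry is a record that no longer describes what is shipped, so a dependency bump should always be reviewed together with the LICENSE and NOTICE lines that name the old version.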



[GitHub] [bookkeeper] RaulGracia commented on pull request #2792: Upgraded dependencies with CVEs

Posted by GitBox <gi...@apache.org>.
RaulGracia commented on pull request #2792:
URL: https://github.com/apache/bookkeeper/pull/2792#issuecomment-928991327


   @eolivelli Can this one be merged?




[GitHub] [bookkeeper] eolivelli merged pull request #2792: Upgraded dependencies with CVEs

Posted by GitBox <gi...@apache.org>.
eolivelli merged pull request #2792:
URL: https://github.com/apache/bookkeeper/pull/2792


   




[GitHub] [bookkeeper] RaulGracia commented on a change in pull request #2792: Upgraded dependencies with CVEs

Posted by GitBox <gi...@apache.org>.
RaulGracia commented on a change in pull request #2792:
URL: https://github.com/apache/bookkeeper/pull/2792#discussion_r728486965



##########
File path: dependencies.gradle
##########
@@ -50,15 +50,15 @@ depVersions = [
     jackson: "2.11.1",
     jcommander: "1.78",
     jctools: "2.1.2",
-    jetty: "9.4.31.v20200723",
+    jetty: "9.4.43.v20210629",
     jmh: "1.19",
     jmock: "2.8.2",
     jna: "3.2.7",
     jsr305: "3.0.2",
     junit: "4.12",
     junitFoundation: "11.0.0",
     kerby: "1.1.1",
-    log4j: "1.2.17",
+    log4j: "1.2.27",
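Review bot: `log4j: "1.2.27"` on the last `+` line does not name a released artifact; 1.2.17, the version this line replaces, is the final release of the log4j 1.2 series, so this bump cannot resolve any CVE, and since the thread reports the PR build passing regardless, that build evidently did not resolve this dependency. Either revert the line to `log4j: "1.2.17"` until the log4j2 migration referenced in the review comment below (#2816) lands, or add a CI step that resolves every entry in `depVersions` so that an unresolvable version fails the build rather than merging.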

Review comment:
       @pkumar-singh It seems that I made a mistake with this version number and the build compiled and passed all the checks; I'm very sorry for that. PR #2816 upgrades BookKeeper to log4j2, which basically replaces this version and should fix this problem. @eolivelli before merging #2816 and fixing the build, I will perform additional checks tomorrow (my morning) to validate that we are not going to find any problem when the PR is merged (it looks like the PR build is not covering everything).







[GitHub] [bookkeeper] pkumar-singh commented on a change in pull request #2792: Upgraded dependencies with CVEs

Posted by GitBox <gi...@apache.org>.
pkumar-singh commented on a change in pull request #2792:
URL: https://github.com/apache/bookkeeper/pull/2792#discussion_r728481842



##########
File path: dependencies.gradle
##########
@@ -50,15 +50,15 @@ depVersions = [
     jackson: "2.11.1",
     jcommander: "1.78",
     jctools: "2.1.2",
-    jetty: "9.4.31.v20200723",
+    jetty: "9.4.43.v20210629",
     jmh: "1.19",
     jmock: "2.8.2",
     jna: "3.2.7",
     jsr305: "3.0.2",
     junit: "4.12",
     junitFoundation: "11.0.0",
     kerby: "1.1.1",
-    log4j: "1.2.17",
+    log4j: "1.2.27",
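Review bot: the `-` line for jetty shows this file declared 9.4.31.v20200723, while the license check output earlier in the thread lists 9.4.33.v20201020 as the version LICENSE and NOTICE record, so the declared version and the licence record had already drifted before this bump. The `+    jetty: "9.4.43.v20210629"` line should land together with the matching LICENSE and NOTICE updates for every jetty module the check flagged (http, io, security, server, servlet, util, util-ajax), and the same goes for the commons-io and slf4j entries in that output.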

Review comment:
       This version does not even exist.







[GitHub] [bookkeeper] pkumar-singh commented on a change in pull request #2792: Upgraded dependencies with CVEs

Posted by GitBox <gi...@apache.org>.
pkumar-singh commented on a change in pull request #2792:
URL: https://github.com/apache/bookkeeper/pull/2792#discussion_r728487605



##########
File path: dependencies.gradle
##########
@@ -50,15 +50,15 @@ depVersions = [
     jackson: "2.11.1",
     jcommander: "1.78",
     jctools: "2.1.2",
-    jetty: "9.4.31.v20200723",
+    jetty: "9.4.43.v20210629",
     jmh: "1.19",
     jmock: "2.8.2",
     jna: "3.2.7",
     jsr305: "3.0.2",
     junit: "4.12",
     junitFoundation: "11.0.0",
     kerby: "1.1.1",
-    log4j: "1.2.17",
+    log4j: "1.2.27",

Review comment:
       No worries. I will take care of this.



