Posted to commits@seatunnel.apache.org by we...@apache.org on 2022/04/25 07:29:55 UTC

[incubator-seatunnel] branch dev updated: [Bug][fastjson] Upgrade fastjson, fix deserialization remote code execution vulnerability (#1737)

This is an automated email from the ASF dual-hosted git repository.

wenjun pushed a commit to branch dev
in repository https://gitbox.apache.org/repos/asf/incubator-seatunnel.git


The following commit(s) were added to refs/heads/dev by this push:
     new d8b2309f [Bug][fastjson] Upgrade fastjson, fix deserialization remote code execution vulnerability (#1737)
d8b2309f is described below

commit d8b2309f53c628a67e8e8bc684821438441d22d3
Author: ChunFu Wu <31...@qq.com>
AuthorDate: Mon Apr 25 15:29:48 2022 +0800

    [Bug][fastjson] Upgrade fastjson, fix deserialization remote code execution vulnerability (#1737)
    
    * Upgrade fastjson version
    * fix codestyle check failure
---
 .github/workflows/backend.yml             | 5 ++---
 pom.xml                                   | 2 +-
 seatunnel-dist/release-docs/LICENSE       | 2 +-
 tools/dependencies/known-dependencies.txt | 2 +-
 4 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
index 2dd1e2d0..1bc59d3a 100644
--- a/.github/workflows/backend.yml
+++ b/.github/workflows/backend.yml
@@ -56,13 +56,12 @@ jobs:
             ${{ runner.os }}-maven-
       - name: Check Style
         run: |
-          ./mvnw -T 2C -B checkstyle:check scalastyle:check --no-snapshot-updates
+          ./mvnw -T 2C -B checkstyle:check --no-snapshot-updates
       - name: Build and Package
         run: |
-          ./mvnw -B install \
+          ./mvnw -B install scalastyle:check \
                  -Dmaven.test.skip=true \
                  -Dcheckstyle.skip=true \
-                 -Dscalastyle.skip=true \
                  -Dlicense.skipAddThirdParty=true \
                  -Dhttp.keepAlive=false \
                  -Dmaven.wagon.http.pool=false \
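Review bot: The `Build and Package` step now runs `scalastyle:check` after `install` and no longer passes `-Dscalastyle.skip=true`, but nothing in the workflow records why, and the step named `Check Style` no longer covers Scala sources, so a Scala style violation will presumably surface late, as a failure of the build step. A comment above the command would record the intent, for example `# scalastyle:check runs here, after install, because <reason>; Java style is checked in the "Check Style" step`. This gating change is also unrelated to the fastjson upgrade made in the same commit; keeping it in a separate change would make the security fix easier to audit and backport. The `run:` command continues past the end of the hunk.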
diff --git a/pom.xml b/pom.xml
index af002857..a1cce8f0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -99,7 +99,7 @@
         <hudi.version>0.10.0</hudi.version>
         <hadoop.binary.version>2.7</hadoop.binary.version>
         <hadoop.version>2.7.5</hadoop.version>
-        <fastjson.version>1.2.60</fastjson.version>
+        <fastjson.version>1.2.80</fastjson.version>
         <jackson.version>2.12.6</jackson.version>
         <lombok.version>1.18.0</lombok.version>
         <mysql.version>8.0.16</mysql.version>
diff --git a/seatunnel-dist/release-docs/LICENSE b/seatunnel-dist/release-docs/LICENSE
index d4cd4db0..302f0de4 100644
--- a/seatunnel-dist/release-docs/LICENSE
+++ b/seatunnel-dist/release-docs/LICENSE
@@ -252,7 +252,7 @@ The text of each license is the standard Apache 2.0 license.
      (Apache 2) chill-java (com.twitter:chill-java:0.7.6 - https://github.com/twitter/chill)
      (Apache 2) chill-java (com.twitter:chill-java:0.8.4 - https://github.com/twitter/chill)
      (Apache 2) chill-java (com.twitter:chill-java:0.9.3 - https://github.com/twitter/chill)
-     (Apache 2) fastjson (com.alibaba:fastjson:1.2.60 - https://github.com/alibaba/fastjson)
+     (Apache 2) fastjson (com.alibaba:fastjson:1.2.80 - https://github.com/alibaba/fastjson)
      (Apache 2) opencsv (com.opencsv:opencsv:4.6 - http://opencsv.sf.net)
      (Apache 2) opencsv (net.sf.opencsv:opencsv:2.3 - http://opencsv.sf.net)
      (Apache 2) org.roaringbitmap:RoaringBitmap (org.roaringbitmap:RoaringBitmap:0.9.0 - https://github.com/RoaringBitmap/RoaringBitmap)
diff --git a/tools/dependencies/known-dependencies.txt b/tools/dependencies/known-dependencies.txt
index a3fa4016..32699e2a 100755
--- a/tools/dependencies/known-dependencies.txt
+++ b/tools/dependencies/known-dependencies.txt
@@ -156,7 +156,7 @@ error_prone_annotations-2.3.4.jar
 error_prone_annotations-2.8.0.jar
 esri-geometry-api-2.2.0.jar
 extendedset-0.22.1.jar
-fastjson-1.2.60.jar
+fastjson-1.2.80.jar
 fastutil-6.5.6.jar
 fastutil-7.0.13.jar
 fastutil-8.5.4.jar