Posted to commits@pulsar.apache.org by pe...@apache.org on 2021/04/19 13:16:33 UTC

[pulsar] branch master updated: [Security] Remove jackson-mapper-asl dependency to resolve multiple CVEs (#10262)

This is an automated email from the ASF dual-hosted git repository.

penghui pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new e52a9dc  [Security] Remove jackson-mapper-asl dependency to resolve multiple CVEs (#10262)
e52a9dc is described below

commit e52a9dc4426a5d03af4b7818ec39677fab668aed
Author: Lari Hotari <lh...@users.noreply.github.com>
AuthorDate: Mon Apr 19 16:15:57 2021 +0300

    [Security] Remove jackson-mapper-asl dependency to resolve multiple CVEs (#10262)
    
    - jackson-mapper-asl is not required since Zookeeper 3.6.x+ no longer depends
      on the jackson-mapper-asl library (ZOOKEEPER-3051)
    - jackson-mapper-asl was replaced in Avro 1.9.x so it's not required because of
      Avro
---
 distribution/server/src/assemble/LICENSE.bin.txt | 2 --
 pom.xml                                          | 4 ++++
 pulsar-broker-shaded/pom.xml                     | 2 --
 pulsar-client-all/pom.xml                        | 2 --
 pulsar-client-shaded/pom.xml                     | 2 --
 5 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
index ae830a8..ae14f21 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -320,8 +320,6 @@ The Apache Software License, Version 2.0
      - com.fasterxml.jackson.jaxrs-jackson-jaxrs-json-provider-2.11.1.jar
      - com.fasterxml.jackson.module-jackson-module-jaxb-annotations-2.11.1.jar
      - com.fasterxml.jackson.module-jackson-module-jsonSchema-2.11.1.jar
-     - org.codehaus.jackson-jackson-core-asl-1.9.11.jar
-     - org.codehaus.jackson-jackson-mapper-asl-1.9.11.jar
  * Caffeine -- com.github.ben-manes.caffeine-caffeine-2.6.2.jar
  * Conscrypt -- org.conscrypt-conscrypt-openjdk-uber-2.5.1.jar
  * Proto Google Common Protos -- com.google.api.grpc-proto-google-common-protos-1.17.0.jar
diff --git a/pom.xml b/pom.xml
index 57ca03b..ac23280 100644
--- a/pom.xml
+++ b/pom.xml
@@ -443,6 +443,10 @@ flexible messaging model and an intuitive client API.</description>
             <groupId>io.grpc</groupId>
             <artifactId>grpc-all</artifactId>
           </exclusion>
+          <exclusion>
+            <groupId>org.codehaus.jackson</groupId>
+            <artifactId>jackson-mapper-asl</artifactId>
+          </exclusion>
         </exclusions>
       </dependency>
 
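Review bot: The added `<exclusion>` names only `jackson-mapper-asl`, while the same commit drops both `jackson-core-asl` and `jackson-mapper-asl` from LICENSE.bin.txt and from the three shade `<include>` lists. The enclosing `<dependency>` is declared above the hunk, so it is not visible whether it also pulls `jackson-core-asl` directly. If it does, that jar would stay on the classpath and the license file would no longer match the distribution. Checking `mvn dependency:tree -Dincludes=org.codehaus.jackson` after the change would confirm this, and a matching exclusion for `jackson-core-asl` can be added if anything shows up. A per-dependency exclusion also does not stop another dependency from reintroducing the 1.x Jackson artifacts later, so a maven-enforcer `bannedDependencies` rule for `org.codehaus.jackson:*` would turn a regression into a build failure. A short comment above the exclusion, such as `<!-- jackson 1.x (codehaus) is unmaintained and has known CVEs; keep it off the classpath -->`, would record why it is there.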
diff --git a/pulsar-broker-shaded/pom.xml b/pulsar-broker-shaded/pom.xml
index 94f30a7..147aaa1 100644
--- a/pulsar-broker-shaded/pom.xml
+++ b/pulsar-broker-shaded/pom.xml
@@ -148,8 +148,6 @@
                   <include>org.aspectj:*</include>
                   <include>org.apache.avro:avro</include>
                   <!-- Avro transitive dependencies-->
-                  <include>org.codehaus.jackson:jackson-core-asl</include>
-                  <include>org.codehaus.jackson:jackson-mapper-asl</include>
                   <include>com.thoughtworks.paranamer:paranamer</include>
                   <include>org.apache.commons:commons-compress</include>
                   <include>org.tukaani:xz</include>
diff --git a/pulsar-client-all/pom.xml b/pulsar-client-all/pom.xml
index 7d53dbf..3938227 100644
--- a/pulsar-client-all/pom.xml
+++ b/pulsar-client-all/pom.xml
@@ -177,8 +177,6 @@
                   <include>org.yaml:snakeyaml</include>
                   <include>org.apache.avro:*</include>
                   <!-- Avro transitive dependencies-->
-                  <include>org.codehaus.jackson:jackson-core-asl</include>
-                  <include>org.codehaus.jackson:jackson-mapper-asl</include>
                   <include>com.thoughtworks.paranamer:paranamer</include>
                   <include>org.apache.commons:commons-compress</include>
                   <include>org.tukaani:xz</include>
diff --git a/pulsar-client-shaded/pom.xml b/pulsar-client-shaded/pom.xml
index 1439998..8dc1176 100644
--- a/pulsar-client-shaded/pom.xml
+++ b/pulsar-client-shaded/pom.xml
@@ -157,8 +157,6 @@
 
                   <include>org.apache.avro:*</include>
                   <!-- Avro transitive dependencies-->
-                  <include>org.codehaus.jackson:jackson-core-asl</include>
-                  <include>org.codehaus.jackson:jackson-mapper-asl</include>
                   <include>com.thoughtworks.paranamer:paranamer</include>
                   <include>org.apache.commons:commons-compress</include>
                   <include>org.tukaani:xz</include>