Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2021/07/21 10:52:46 UTC

[GitHub] [ozone] elek opened a new pull request #2449: Bump jetty version to 9.4.41.v20210516

elek opened a new pull request #2449:
URL: https://github.com/apache/ozone/pull/2449


   ## What changes were proposed in this pull request?
   
   Recent jetty versions contain multiple security [vulnerabilities](https://github.com/eclipse/jetty.project/security). Most of them are low priority, but it seems to be better to update the jetty versions.
   
   ## How was this patch tested?
   
   Full CI passed on my fork + checked if the `share/ozone/lib` folder contains only jetty jars with the new version.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org
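
The check described under "How was this patch tested?" above (only Jetty jars of the new version in the lib folder), written out as an added example; it is not part of the pull request or of Ozone's scripts. The function name, the temporary directory and the empty sample jars are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list Jetty jars in a lib directory whose version differs
# from the expected one.
# Exit status: 0 = every Jetty jar matches, 1 = at least one stale jar,
#              2 = no Jetty jar found (wrong directory or renamed artifacts).
stale_jetty_jars() {
  dir=$1 expected=$2 seen=0 stale=0
  for jar in "$dir"/jetty-*.jar; do
    [ -e "$jar" ] || continue            # glob matched nothing
    seen=1
    name=${jar##*/}
    case $name in
      jetty-*-"$expected".jar) ;;        # expected version, nothing to report
      *) printf '%s\n' "$name"; stale=1 ;;
    esac
  done
  [ "$seen" -eq 1 ] || return 2          # an empty result must not pass silently
  return "$stale"
}

# Constructed sample: empty files standing in for a share/ozone/lib folder
# that still carries one jar from the old version.
demo_lib=$(mktemp -d)
for f in jetty-server-9.4.41.v20210516 jetty-util-ajax-9.4.41.v20210516 \
         jetty-http-9.4.35.v20201120 example-lib-1.0; do
  : > "$demo_lib/$f.jar"
done

status=0
report=$(stale_jetty_jars "$demo_lib" 9.4.41.v20210516) || status=$?
echo "status=$status stale jars: $report"
rm -rf "$demo_lib"
```

Returning a distinct status when no Jetty jar is found keeps a mistyped path from reading as a clean result.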


[GitHub] [ozone] ayushtkn commented on a change in pull request #2449: HDDS-5473. Bump jetty version to 9.4.41.v20210516

Posted by GitBox <gi...@apache.org>.
ayushtkn commented on a change in pull request #2449:
URL: https://github.com/apache/ozone/pull/2449#discussion_r674188980



##########
File path: pom.xml
##########
@@ -96,7 +96,7 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xs
 
     <failIfNoTests>false</failIfNoTests>
     <maven.test.redirectTestOutputToFile>true</maven.test.redirectTestOutputToFile>
-    <jetty.version>9.4.35.v20201120</jetty.version>
+    <jetty.version>9.4.41.v20210516</jetty.version>
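
Review bot: the `jetty.version` change at the `+` line only moves artifacts that resolve their version through this property; a module or transitive dependency that pins Jetty on its own would stay on 9.4.35.v20201120. Worth confirming with `mvn dependency:tree -Dincludes=org.eclipse.jetty` that a single Jetty version resolves across the build before merging.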

Review comment:
       Any reason for not using ``9.4.43.v20210629``? Or we just want to cover the CVE fix?






[GitHub] [ozone] adoroszlai commented on a change in pull request #2449: HDDS-5473. Bump jetty version to 9.4.41.v20210516

Posted by GitBox <gi...@apache.org>.
adoroszlai commented on a change in pull request #2449:
URL: https://github.com/apache/ozone/pull/2449#discussion_r677375289



##########
File path: pom.xml
##########
@@ -96,7 +96,7 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xs
 
     <failIfNoTests>false</failIfNoTests>
     <maven.test.redirectTestOutputToFile>true</maven.test.redirectTestOutputToFile>
-    <jetty.version>9.4.35.v20201120</jetty.version>
+    <jetty.version>9.4.41.v20210516</jetty.version>
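
Review bot: the new `<jetty.version>` value has nothing next to it recording which advisory it is meant to cover, so a later reader cannot tell from pom.xml whether a further bump is still needed. Suggest naming the advisory in the commit message or in an XML comment above the property.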

Review comment:
       We may want to go with 9.4.43, as the most recent CVE is only fixed in that version: https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm






[GitHub] [ozone] adoroszlai commented on pull request #2449: HDDS-5473. Bump jetty version to 9.4.43.v20210629

Posted by GitBox <gi...@apache.org>.
adoroszlai commented on pull request #2449:
URL: https://github.com/apache/ozone/pull/2449#issuecomment-894037323


   Thanks @elek for the fix, @ayushtkn and @jojochuang for the review.




[GitHub] [ozone] adoroszlai merged pull request #2449: HDDS-5473. Bump jetty version to 9.4.43.v20210629

Posted by GitBox <gi...@apache.org>.
adoroszlai merged pull request #2449:
URL: https://github.com/apache/ozone/pull/2449


   




[GitHub] [ozone] jojochuang commented on pull request #2449: HDDS-5473. Bump jetty version to 9.4.41.v20210516

Posted by GitBox <gi...@apache.org>.
jojochuang commented on pull request #2449:
URL: https://github.com/apache/ozone/pull/2449#issuecomment-887186970


   Triggering the test again. I think it's fine to use 9.4.41 to cover known issues.




[GitHub] [ozone] adoroszlai commented on pull request #2449: HDDS-5473. Bump jetty version to 9.4.43.v20210629

Posted by GitBox <gi...@apache.org>.
adoroszlai commented on pull request #2449:
URL: https://github.com/apache/ozone/pull/2449#issuecomment-889212532


   @elek Thanks for the fix.  I've updated the PR with the latest Jetty version to cover the most recent CVE, too.  I've also improved `update-jar-report.sh` to remove Jetty versions (which do not fit the standard version number scheme).  Please let me know what you think.

