Posted to notifications@zookeeper.apache.org by GitBox <gi...@apache.org> on 2021/08/05 08:51:21 UTC

[GitHub] [zookeeper] ztzg opened a new pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)

ztzg opened a new pull request #1735:
URL: https://github.com/apache/zookeeper/pull/1735


   The issue reported in CVE-2021-29425 is fixed in release 2.7:
   
   -   <https://nvd.nist.gov/vuln/detail/CVE-2021-29425>
   -   <https://issues.apache.org/jira/browse/IO-556>
   -   <https://issues.apache.org/jira/browse/IO-559>
   -   <https://commons.apache.org/proper/commons-io/changes-report.html#a2.7>
   
   This is a "conservative" update, only intended to get past the OWASP Dependency-Check tool.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@zookeeper.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
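The check a reviewer would want to run after a bump like the one described above, added here as an example; it is not code from the ZooKeeper PR, from Apache Commons IO, or from the OWASP Dependency-Check tool. It reads `mvn dependency:tree` output and fails if any module of the reactor still resolves a commons-io artifact below 2.7, the first release the references above give as fixing CVE-2021-29425 (a transitive copy pulled in by a module outside the parent POM's dependency management is the usual way a bump stays incomplete). The `mvn dependency:tree -Dincludes=...` command in the comments is the standard Maven Dependency Plugin invocation; the `SAMPLE_TREE_*` text and the `example:legacy-lib` coordinate are constructed, not real ZooKeeper output.

```shell
#!/bin/sh
# Added example (not part of the ZooKeeper PR): verify a commons-io bump end to end.
# MIN_FIXED is the floor the CVE-2021-29425 references give (fixed in 2.7).
MIN_FIXED="2.7"

# version_ge A B: return 0 when dotted version A >= B (compares up to 3 numeric fields).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        for (i = 1; i <= 3; i++) {
            p = (i <= n) ? x[i] + 0 : 0;
            q = (i <= m) ? y[i] + 0 : 0;
            if (p > q) exit 0;
            if (p < q) exit 1;
        }
        exit 0;
    }'
}

# check_commons_io_floor: read `mvn dependency:tree` text on stdin, report every
# distinct commons-io version resolved anywhere in the reactor, and return 1 if
# any of them is below MIN_FIXED or if no commons-io artifact is present at all.
# Real usage, from the checkout root:
#   mvn -q dependency:tree -Dincludes=commons-io:commons-io | check_commons_io_floor
check_commons_io_floor() {
    found=0; bad=0
    # Maven prints coordinates as groupId:artifactId:type:version:scope.
    for v in $(grep -o 'commons-io:commons-io:jar:[^:]*' | cut -d: -f4 | sort -u); do
        found=1
        if version_ge "$v" "$MIN_FIXED"; then
            echo "ok   commons-io $v (>= $MIN_FIXED)"
        else
            echo "FAIL commons-io $v is below $MIN_FIXED (CVE-2021-29425 not fixed)"
            bad=1
        fi
    done
    if [ "$found" -ne 1 ]; then
        echo "FAIL no commons-io artifact found in the dependency tree"
        return 1
    fi
    return "$bad"
}

# Constructed sample 1: every module picks up the version pinned in the parent POM.
SAMPLE_TREE_FIXED='[INFO] org.apache.zookeeper:zookeeper:jar:X.Y.Z-SNAPSHOT
[INFO] \- commons-io:commons-io:jar:2.11.0:compile'

# Constructed sample 2: a second module still resolves an old copy through a
# (hypothetical) transitive dependency that the parent POM does not manage.
SAMPLE_TREE_STALE='[INFO] org.apache.zookeeper:zookeeper:jar:X.Y.Z-SNAPSHOT
[INFO] \- commons-io:commons-io:jar:2.11.0:compile
[INFO] org.apache.zookeeper:zookeeper-contrib:jar:X.Y.Z-SNAPSHOT
[INFO] \- example:legacy-lib:jar:1.0:compile
[INFO]    \- commons-io:commons-io:jar:2.6:compile'

# Stand-alone demonstration of both outcomes.
printf '%s\n' "$SAMPLE_TREE_FIXED" | check_commons_io_floor
printf '%s\n' "$SAMPLE_TREE_STALE" | check_commons_io_floor || echo "bump incomplete in at least one module"
```

The point of parsing the tree rather than the POM is that the POM states intent while the tree states what the build resolves; Dependency-Check reports on the latter too, so this is the same view of the build it sees, narrowed to the one artifact the PR touches.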



[GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)

Posted by GitBox <gi...@apache.org>.
ztzg commented on pull request #1735:
URL: https://github.com/apache/zookeeper/pull/1735#issuecomment-898411304


   > @ztzg you don't need to "force push": the PR is updated automatically, and the script will squash the commits into one
   
   Right.  But in this case I moved everything on top of the latest `master` and tried a few combinations because I encountered a strange Jenkins pipeline error:
   
   https://ci-hadoop.apache.org/blue/organizations/jenkins/zookeeper-precommit-github-pr/detail/PR-1735/5/pipeline/
   
   ```
   Error when executing cleanup post condition:
   org.jenkinsci.plugins.workflow.steps.MissingContextVariableException: Required context class hudson.FilePath is missing
   Perhaps you forgot to surround the code with a step that provides this, such as: node
   	at org.jenkinsci.plugins.workflow.steps.StepDescriptor.checkContextAvailability(StepDescriptor.java:266)
   	at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:296)
   	at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:193)
   	at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:122)
   ```
   
   Would you happen to know what is causing this error?  It doesn't seem to be related to the state of `master`.





[GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)

Posted by GitBox <gi...@apache.org>.
eolivelli commented on pull request #1735:
URL: https://github.com/apache/zookeeper/pull/1735#issuecomment-905526230


   > would you want me to remove the *.LICENSE.txt?

   No, please keep it.
   
   > Should we merge this?

   No, not while CI is not green; I have restarted the job.





[GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)

Posted by GitBox <gi...@apache.org>.
nkalmar commented on pull request #1735:
URL: https://github.com/apache/zookeeper/pull/1735#issuecomment-899521315


   It looks as if it is some kind of Jenkins description problem:
   ```
   Error when executing cleanup post condition:
   
   org.jenkinsci.plugins.workflow.steps.MissingContextVariableException: Required context class hudson.FilePath is missing
   
   Perhaps you forgot to surround the code with a step that provides this, such as: node
   ```





[GitHub] [zookeeper] ztzg edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)

Posted by GitBox <gi...@apache.org>.
ztzg edited a comment on pull request #1735:
URL: https://github.com/apache/zookeeper/pull/1735#issuecomment-905613856


   > > would you want me to remove the *.LICENSE.txt?
   >
   > No, please keep it.
   
   Okay.
   
   > > Should we merge this?
   >
   > No, not while CI is not green; I have restarted the job.
   
   Ah, the GitHub CI runs finally went through. (I had restarted the job a couple of times already, but kept hitting random flaky errors.  Isn't the `full-build-java-tests, 11` job kinda redundant w.r.t. the Jenkins run, which was already passing?  I obviously wouldn't suggest to ignore CI in general.)
   
   Should I take care of the merge?
   





[GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)

Posted by GitBox <gi...@apache.org>.
ztzg commented on pull request #1735:
URL: https://github.com/apache/zookeeper/pull/1735#issuecomment-905613856


   > > would you want me to remove the *.LICENSE.txt?
   >
   > No, please keep it.
   
   Okay.
   
   > > Should we merge this?
   >
   > No, not while CI is not green; I have restarted the job.
   
   Ah, the GitHub CI runs finally went through. (I had restarted the job a couple of times already, but kept hitting random flaky errors.  Isn't the `full-build-java-tests, 11` job kinda redundant w.r.t. the Jenkins run, which was already passing?  I obviously wouldn't suggest to ignore CI in general.)
   
   Should I take care of the merge?
   





[GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)

Posted by GitBox <gi...@apache.org>.
ztzg commented on pull request #1735:
URL: https://github.com/apache/zookeeper/pull/1735#issuecomment-893289952


   @nkalmar, @eolivelli: This one is only for `master` (the dependency on `commons-io` was introduced by [ZOOKEEPER-3922](https://issues.apache.org/jira/browse/ZOOKEEPER-3922), "introduction of the oracle, a failure detector").
   
   I have a few notes/questions:
   
   -   I have refactored the `commons-io` dependency into the top-level POM, which is why there are two commits;
   -   Should I try and bump to the latest version of `commons-io`, which is 2.11?
   -   I have added the "missing" `*.LICENSE.txt` file for `commons-io` (it mirrors `META-INF/LICENSE.txt` in the Maven-downloaded JAR). But perhaps that file was "missing" on purpose?
   
   Cheers, -D
   





[GitHub] [zookeeper] ztzg commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)

Posted by GitBox <gi...@apache.org>.
ztzg commented on a change in pull request #1735:
URL: https://github.com/apache/zookeeper/pull/1735#discussion_r695741001



##########
File path: zookeeper-server/src/main/resources/lib/commons-io-2.7.LICENSE.txt
##########
@@ -0,0 +1,203 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
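Review bot: the new file is named commons-io-2.7.LICENSE.txt, but the pull request title above now reads "Bump commons-io to version 2.11", so the license file name no longer matches the jar version this PR pins; rename the file to the version that actually ships, otherwise the lib/ license inventory describes a commons-io jar that is not in the build. The lines shown are the stock Apache License 2.0 header, which is consistent with the description's statement that the file mirrors META-INF/LICENSE.txt from the downloaded JAR, so the content itself needs no change.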

Review comment:
   Right.  I added that file because we already have equivalents for `jetty`, `jline`, `log4j`, `metrics`, `netty`, `simpleclient`, `slf4j` and `snappy`.
   
   Are you saying that the set should be completed all at once, rather than piecewise?  If so, would you like me to remove this one?







[GitHub] [zookeeper] ztzg closed pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)

Posted by GitBox <gi...@apache.org>.
ztzg closed pull request #1735:
URL: https://github.com/apache/zookeeper/pull/1735


   





[GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)

Posted by GitBox <gi...@apache.org>.
eolivelli commented on pull request #1735:
URL: https://github.com/apache/zookeeper/pull/1735#issuecomment-898409655


   @ztzg you don't need to "force push": the PR is updated automatically, and the script will squash the commits into one





[GitHub] [zookeeper] nkalmar edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)

Posted by GitBox <gi...@apache.org>.
nkalmar edited a comment on pull request #1735:
URL: https://github.com/apache/zookeeper/pull/1735#issuecomment-899521315


   It looks as if it is some kind of Jenkins job description problem:
   ```
   Error when executing cleanup post condition:
   
   org.jenkinsci.plugins.workflow.steps.MissingContextVariableException: Required context class hudson.FilePath is missing
   
   Perhaps you forgot to surround the code with a step that provides this, such as: node
   ```





[GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)

Posted by GitBox <gi...@apache.org>.
ztzg commented on pull request #1735:
URL: https://github.com/apache/zookeeper/pull/1735#issuecomment-905492979


   @eolivelli, @nkalmar: The Jenkins job description problem went away (I suppose it was an infrastructure misconfiguration).  Some flaky request throttling tests keep failing on the GitHub CI runner, but passed on Jenkins.  Should we merge this?  (@enrico: would you want me to remove the `*.LICENSE.txt`?)





[GitHub] [zookeeper] eolivelli commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)

Posted by GitBox <gi...@apache.org>.
eolivelli commented on a change in pull request #1735:
URL: https://github.com/apache/zookeeper/pull/1735#discussion_r688459944



##########
File path: zookeeper-server/src/main/resources/lib/commons-io-2.7.LICENSE.txt
##########
@@ -0,0 +1,203 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

Review comment:
       I am not sure we need this file.
   
   BTW, I like to have a consistent way of handling license files (having the license for every jar file is better).







[GitHub] [zookeeper] ztzg edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)

Posted by GitBox <gi...@apache.org>.
ztzg edited a comment on pull request #1735:
URL: https://github.com/apache/zookeeper/pull/1735#issuecomment-905613856


   > > would you want me to remove the *.LICENSE.txt?
   >
   > No, please keep it.
   
   Okay.
   
   > > Should we merge this?
   >
   > No, not while CI is not green; I have restarted the job.
   
   Ah, the GitHub CI runs finally went through. (I had restarted the job a couple of times already, but kept hitting random flaky errors.  Isn't the `full-build-java-tests, 11` job kinda redundant w.r.t. the Jenkins run, which was already passing?  I obviously wouldn't suggest to ignore CI in general.)
   
   Should I take care of the merge?
   
   P.-S. — Hopefully https://github.com/apache/zookeeper/pull/1739 will help.





[GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)

Posted by GitBox <gi...@apache.org>.
nkalmar commented on pull request #1735:
URL: https://github.com/apache/zookeeper/pull/1735#issuecomment-894054638


   Thank you @ztzg, I agree, it should be defined in the top-level POM.
   If moving to 2.11 works with little to no work required, I say let's go for it. The newer the better. If we touch a dependency, we should upgrade to the latest possible, IMHO.
   
   Also, good catch on the license file! Not an expert here, but quickly checking, metrics-core for example also has an Apache 2.0 license and we include it.

