Posted to notifications@zookeeper.apache.org by GitBox <gi...@apache.org> on 2020/11/23 15:23:25 UTC

[GitHub] [zookeeper] anmolnar opened a new pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

anmolnar opened a new pull request #1549:
URL: https://github.com/apache/zookeeper/pull/1549


   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [zookeeper] nkalmar commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Posted by GitBox <gi...@apache.org>.
nkalmar commented on pull request #1549:
URL: https://github.com/apache/zookeeper/pull/1549#issuecomment-733030651


   Merged to master, 3.6 and 3.5 branch. 
   The 3.5 and 3.6 branches did not have prior jetty licenses... find did not find any either. 





[GitHub] [zookeeper] anmolnar commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Posted by GitBox <gi...@apache.org>.
anmolnar commented on pull request #1549:
URL: https://github.com/apache/zookeeper/pull/1549#issuecomment-732277849


   @eolivelli @phunt I'm not sure where to get an up-to-date license file from.
   The most confusing part is that I found the Eclipse Public Licence in the latest Jetty release tarball and also in the version that we're using now, even though we include the ASF licence in the Jetty licence file in our codebase.





[GitHub] [zookeeper] eolivelli commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Posted by GitBox <gi...@apache.org>.
eolivelli commented on pull request #1549:
URL: https://github.com/apache/zookeeper/pull/1549#issuecomment-732285527


   @anmolnar AFAIK Jetty is moving from JavaEE to JakartaEE.
   It is also possible that we are going to include other new jars in the "lib" directory.
   
   Probably we have to use the "Eclipse Public License", we usually rename those files without looking at the real license of Jetty.
   
   Thanks for pointing it out, it is actually a great catch!





[GitHub] [zookeeper] asfgit closed pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Posted by GitBox <gi...@apache.org>.
asfgit closed pull request #1549:
URL: https://github.com/apache/zookeeper/pull/1549


   





[GitHub] [zookeeper] ztzg commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Posted by GitBox <gi...@apache.org>.
ztzg commented on pull request #1549:
URL: https://github.com/apache/zookeeper/pull/1549#issuecomment-732311186


   > The most confusing part is that I found the Eclipse Public Licence in the latest Jetty release tarball and also in the version that we're using now, even though we include the ASF licence in the Jetty licence file in our codebase.
   
   The JAR manifest says either:
   
       Bundle-License: http://www.apache.org/licenses/LICENSE-2.0, https://www.eclipse.org/org/documents/epl-v10.php
   
   And, indeed, `META-INF/LICENSE` says **or**:
   
   > This program and the accompanying materials are made available under the terms of the Eclipse Public License 2.0 which is available at http://www.eclipse.org/legal/epl-2.0, **or** the Apache Software License 2.0 which is available at https://www.apache.org/licenses/LICENSE-2.0.
   
   In case it helps: here is something I tried, which seems to work, and might facilitate future maintenance:
   
   ```sh
   rm -f zookeeper-server/src/main/resources/lib/jetty-*.LICENSE.txt
   for i in zookeeper-server/target/lib/jetty-*.jar; do
       unzip -qq -c "$i" META-INF/LICENSE \
           >"zookeeper-server/src/main/resources/lib/$(basename "$i" .jar).LICENSE.txt"
   done
   ```
   
   Cheers, -D


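Building on the per-jar licence layout ztzg's snippet produces, here is an added example (not part of the PR or the ZooKeeper code base) that audits a jar directory against the licence directory: it reports jars with no licence file, licence files left behind from an older Jetty, and jars below a required version. Directory names, the version-compare helper and the sample tree (including the 9.4.32 file names) are constructed for the demo.

```shell
# Added example, not code from the ZooKeeper PR: audit bundled Jetty jars against the
# per-jar LICENSE.txt files ZooKeeper keeps under zookeeper-server/src/main/resources/lib
# and flag jars below a minimum version. Directory layout and sample names are constructed.
# version_ge A B: succeed when A >= B on the numeric triple (portable, no GNU "sort -V")
version_ge() {
    a=${1%.v[0-9]*}; b=${2%.v[0-9]*}              # drop Jetty's ".vYYYYMMDD" qualifier
    lowest=$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$b" ]
}
# check_jetty_lib JARDIR LICDIR MINVER: print one line per finding, return 1 if any
check_jetty_lib() {
    problems=0
    for jar in "$1"/jetty-*.jar; do
        [ -e "$jar" ] || continue                   # glob matched nothing
        base=$(basename "$jar" .jar)                # jetty-server-9.4.34.v20201102
        version=${base##*-}                         # 9.4.34.v20201102
        if [ ! -f "$2/$base.LICENSE.txt" ]; then
            echo "MISSING  $base.LICENSE.txt (no licence file shipped for $base.jar)"
            problems=$((problems + 1))
        fi
        if ! version_ge "$version" "$3"; then
            echo "OUTDATED $base.jar is $version, required at least $3"
            problems=$((problems + 1))
        fi
    done
    for lic in "$2"/jetty-*.LICENSE.txt; do        # licence files whose jar is gone
        [ -e "$lic" ] || continue
        base=$(basename "$lic" .LICENSE.txt)
        if [ ! -f "$1/$base.jar" ]; then
            echo "STALE    $base.LICENSE.txt has no matching jar (left over from an old Jetty?)"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}
# Constructed sample tree: one consistent pair, a jar with no licence file, a jar still
# on the 9.4.32 line that the OWASP check flagged, and a licence file with no jar.
demo() {
    tmp=$(mktemp -d) && mkdir "$tmp/jars" "$tmp/lic" || return 2
    touch "$tmp/jars/jetty-server-9.4.34.v20201102.jar" "$tmp/lic/jetty-server-9.4.34.v20201102.LICENSE.txt"
    touch "$tmp/jars/jetty-io-9.4.34.v20201102.jar" "$tmp/jars/jetty-util-9.4.32.v20200930.jar"
    touch "$tmp/lic/jetty-util-9.4.32.v20200930.LICENSE.txt" "$tmp/lic/jetty-http-9.4.32.v20200930.LICENSE.txt"
    check_jetty_lib "$tmp/jars" "$tmp/lic" 9.4.34; rc=$?
    rm -rf "$tmp"; return $rc
}
demo || echo "audit found problems: MISSING jetty-io, OUTDATED jetty-util, STALE jetty-http"
```

Run against zookeeper-server/target/lib and zookeeper-server/src/main/resources/lib after a dependency bump to catch exactly the kind of stale or missing licence file this PR had to chase by hand.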



[GitHub] [zookeeper] anmolnar edited a comment on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Posted by GitBox <gi...@apache.org>.
anmolnar edited a comment on pull request #1549:
URL: https://github.com/apache/zookeeper/pull/1549#issuecomment-732757766


   Thanks @eolivelli & @ztzg !
   Okay, I committed the best I can do with this. These are the LICENSE files from the latest Jetty release tarball. They're all the same and I'm not sure why we add the same file 7 times, but I followed the pattern.
   It looks like the Jetty folks haven't replaced the Copyright pattern in the Apache licence, but hopefully it's not the end of the world:
   ```
   Copyright [yyyy] [name of copyright owner]
   ```





[GitHub] [zookeeper] nkalmar commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Posted by GitBox <gi...@apache.org>.
nkalmar commented on pull request #1549:
URL: https://github.com/apache/zookeeper/pull/1549#issuecomment-733031428


   Checked package, license files are there now:
   ```
   find ./ -name "jetty*.txt"
   .//zookeeper-server/src/main/resources/lib/jetty-security-9.4.34.v20201102.LICENSE.txt
   .//zookeeper-server/src/main/resources/lib/jetty-client-9.4.34.v20201102.LICENSE.txt
   .//zookeeper-server/src/main/resources/lib/jetty-http-9.4.34.v20201102.LICENSE.txt
   .//zookeeper-server/src/main/resources/lib/jetty-util-9.4.34.v20201102.LICENSE.txt
   .//zookeeper-server/src/main/resources/lib/jetty-servlet-9.4.34.v20201102.LICENSE.txt
   .//zookeeper-server/src/main/resources/lib/jetty-server-9.4.34.v20201102.LICENSE.txt
   .//zookeeper-server/src/main/resources/lib/jetty-io-9.4.34.v20201102.LICENSE.txt
   .//zookeeper-assembly/target/apache-zookeeper-3.6.3-SNAPSHOT-bin/lib/jetty-security-9.4.34.v20201102.LICENSE.txt
   .//zookeeper-assembly/target/apache-zookeeper-3.6.3-SNAPSHOT-bin/lib/jetty-client-9.4.34.v20201102.LICENSE.txt
   .//zookeeper-assembly/target/apache-zookeeper-3.6.3-SNAPSHOT-bin/lib/jetty-http-9.4.34.v20201102.LICENSE.txt
   .//zookeeper-assembly/target/apache-zookeeper-3.6.3-SNAPSHOT-bin/lib/jetty-util-9.4.34.v20201102.LICENSE.txt
   .//zookeeper-assembly/target/apache-zookeeper-3.6.3-SNAPSHOT-bin/lib/jetty-servlet-9.4.34.v20201102.LICENSE.txt
   .//zookeeper-assembly/target/apache-zookeeper-3.6.3-SNAPSHOT-bin/lib/jetty-server-9.4.34.v20201102.LICENSE.txt
   .//zookeeper-assembly/target/apache-zookeeper-3.6.3-SNAPSHOT-bin/lib/jetty-io-9.4.34.v20201102.LICENSE.txt
   ```

