Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2019/11/16 00:10:42 UTC

[GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities

URL: https://github.com/apache/incubator-druid/pull/8878
 
 
   Fixes #4798, #6347.
   
   ### Description
   
   Security vulnerabilities addressed by upgrading 3rd party libs:
   
   - Upgrade avro-ipc to 1.9.1
     - sonatype-2019-0115
   - Upgrade caffeine to 2.8.0
     - sonatype-2019-0282
   - Upgrade commons-beanutils to 1.9.4
     - CVE-2014-0114
   - Upgrade commons-codec to 1.13
     - sonatype-2012-0050
   - Upgrade commons-compress to 1.19
     - CVE-2019-12402
     - sonatype-2018-0293
   - Upgrade hadoop-common to 2.8.5
     - CVE-2018-11767
   - Upgrade hadoop-mapreduce-client-core to 2.8.5
     - CVE-2017-3166
   - Upgrade hibernate-validator to 5.2.5
     - CVE-2017-7536
   - Upgrade httpclient to 4.5.10
     - sonatype-2017-0359
   - Upgrade icu4j to 55.1
     - CVE-2014-8147
   - Upgrade jackson-databind to 2.6.7.3
     - CVE-2017-7525
   - Upgrade jetty-http to 9.4.12
     - CVE-2017-7657
     - CVE-2017-7658
     - CVE-2017-7656
     - CVE-2018-12545
   - Upgrade log4j-core to 2.8.2
     - CVE-2017-5645
   - Upgrade netty to 3.10.6
     - CVE-2015-2156
   - Upgrade netty-common to 4.1.42
     - CVE-2019-9518
   - Upgrade netty-codec-http to 4.1.42
     - CVE-2019-16869
   - Upgrade nimbus-jose-jwt to 4.41.1
     - CVE-2017-12972
     - CVE-2017-12974
   - Upgrade plexus-utils to 3.0.24
     - CVE-2017-1000487
     - sonatype-2015-0173
     - sonatype-2016-0398
   - Upgrade postgresql to 42.2.8
     - CVE-2018-10936
   
   Note that if users are using JDBC lookups with postgres, they may need to update the JDBC jar used by the lookup extension.
   
   <hr>
   
   This PR has:
   - [x] been self-reviewed.
   - [x] added documentation for new or modified features or behaviors.
   - [x] added or updated version, license, or notice information in [licenses.yaml](https://github.com/apache/incubator-druid/blob/master/licenses.yaml)
   - [x] added comments explaining the "why" and the intent of the code wherever it would not be obvious for an unfamiliar reader.
   - [x] been tested in a test Druid cluster.
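An added check, not part of the PR or of Druid itself, that compares the jar files of a Druid installation against the minimum versions listed above so an operator can confirm the upgrade actually reached the deployed `lib/` and extension directories (the lookup extension's own JDBC jar is the case the note above warns about). The sample file names and the `lib/` plus `extensions/*/` layout it scans are assumptions.

```python
import re
from pathlib import Path

# Minimum fixed versions, copied from the upgrade list in the PR description (artifactId -> version).
MIN_VERSIONS = {
    "avro-ipc": "1.9.1", "caffeine": "2.8.0", "commons-beanutils": "1.9.4",
    "commons-codec": "1.13", "commons-compress": "1.19", "hadoop-common": "2.8.5",
    "hadoop-mapreduce-client-core": "2.8.5", "hibernate-validator": "5.2.5",
    "httpclient": "4.5.10", "icu4j": "55.1", "jackson-databind": "2.6.7.3",
    "jetty-http": "9.4.12", "log4j-core": "2.8.2", "netty": "3.10.6",
    "netty-common": "4.1.42", "netty-codec-http": "4.1.42",
    "nimbus-jose-jwt": "4.41.1", "plexus-utils": "3.0.24", "postgresql": "42.2.8",
}

# Matches "<artifactId>-<numeric version>[qualifier].jar", e.g. netty-3.10.6.Final.jar.
# The artifact part is non-greedy so it stops at the first "-<digit>" boundary.
JAR_RE = re.compile(r"^(?P<artifact>[a-z][a-z0-9.\-]*?)-(?P<version>\d+(?:\.\d+)*)(?:[.-][A-Za-z0-9]+)*\.jar$")

def version_key(version):
    """Numeric tuple so that 2.6.7.3 > 2.6.7 and 4.5.10 > 4.5.9 compare correctly."""
    return tuple(int(part) for part in version.split("."))

def parse_jar(filename):
    """Return (artifactId, version) for a Maven-style jar name, or None if it does not match."""
    m = JAR_RE.match(filename)
    return (m.group("artifact"), m.group("version")) if m else None

def find_outdated(jar_names):
    """Return [(jar, artifact, found, required)] for every jar below its minimum version."""
    outdated = []
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None or parsed[0] not in MIN_VERSIONS:
            continue  # unparsable or not one of the upgraded artifacts
        artifact, found = parsed
        required = MIN_VERSIONS[artifact]
        if version_key(found) < version_key(required):
            outdated.append((name, artifact, found, required))
    return outdated

def scan_druid_install(root):
    """Scan lib/ and every extensions/*/ directory (assumed layout; lookup extensions ship their own JDBC jar)."""
    root = Path(root)
    dirs = [root / "lib"] + sorted((root / "extensions").glob("*"))
    return find_outdated([p.name for d in dirs if d.is_dir() for p in d.glob("*.jar")])

if __name__ == "__main__":
    # Constructed pre-upgrade listing, not taken from a real installation.
    sample = ["jackson-databind-2.6.7.jar", "netty-3.10.5.Final.jar",
              "netty-codec-http-4.1.42.Final.jar", "postgresql-42.2.5.jar", "guava-16.0.1.jar"]
    for jar, artifact, found, required in find_outdated(sample):
        print(f"{jar}: {artifact} {found} is below required {required}")
```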
