Posted to notifications@asterixdb.apache.org by AsterixDB Code Review <do...@asterix-gerrit.ics.uci.edu> on 2022/10/18 03:28:24 UTC

Change in asterixdb[master]: [NO ISSUE][RT] Upgrade commons-text to 1.10.0

From Ian Maxon <im...@uci.edu>:

Ian Maxon has uploaded this change for review. ( https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17241 )


Change subject: [NO ISSUE][RT] Upgrade commons-text to 1.10.0
......................................................................

[NO ISSUE][RT] Upgrade commons-text to 1.10.0

- user model changes: no
- storage format changes: no
- interface changes: no

details:

- We probably don't use this in any vulnerable way, but
  it is a noxious vulnerability to have lying about.

Change-Id: Ib076d130d89077964396fcbf51602488a9e90621
---
M asterixdb/asterix-external-data/pom.xml
M hyracks-fullstack/pom.xml
2 files changed, 32 insertions(+), 1 deletion(-)



  git pull ssh://asterix-gerrit.ics.uci.edu:29418/asterixdb refs/changes/41/17241/1

diff --git a/asterixdb/asterix-external-data/pom.xml b/asterixdb/asterix-external-data/pom.xml
index dea4278..883f7f1 100644
--- a/asterixdb/asterix-external-data/pom.xml
+++ b/asterixdb/asterix-external-data/pom.xml
@@ -352,6 +352,13 @@
     <dependency>
       <groupId>org.apache.hadoop</groupId>
       <artifactId>hadoop-common</artifactId>
+      <exclusions>
+        <!-- CVE-2022-42889 -->
+        <exclusion>
+          <groupId>org.apache.commons</groupId>
+          <artifactId>commons-text</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.apache.hadoop</groupId>
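Review bot: The commons-text exclusion is attached only to hadoop-common, and the next org.apache.hadoop dependency in the trailing context gets no matching exclusion. If that artifact (or any other in this pom) also brings in commons-text transitively, the older version can still be a candidate during resolution. Please confirm against the resolved dependency tree that hadoop-common is the only path, or expand the `<!-- CVE-2022-42889 -->` comment to say why the exclusion is needed here and nowhere else.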
@@ -556,6 +563,12 @@
       <groupId>org.eclipse.jetty</groupId>
       <artifactId>jetty-util-ajax</artifactId>
     </dependency>
+    <!-- CVE-2022-42889 -->
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-text</artifactId>
+      <version>1.10.0</version>
+    </dependency>
   </dependencies>
   <!-- apply patch for HADOOP-17225 to workaround CVE-2019-10172 -->
   <repositories>
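Review bot: The new commons-text dependency hard-codes `<version>1.10.0</version>`, and the same literal is set separately in hyracks-fullstack/pom.xml in this change, so the fixed version now lives in two places that can drift apart on the next upgrade. Consider a single shared version property, or inheriting the managed version if this module can, and extend the comment to note that the dependency is declared only to replace the copy excluded from hadoop-common, so nobody removes it later as unused.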
diff --git a/hyracks-fullstack/pom.xml b/hyracks-fullstack/pom.xml
index 4345a1d..8b94749 100644
--- a/hyracks-fullstack/pom.xml
+++ b/hyracks-fullstack/pom.xml
@@ -274,7 +274,7 @@
       <dependency>
         <groupId>org.apache.commons</groupId>
         <artifactId>commons-text</artifactId>
-        <version>1.9</version>
+        <version>1.10.0</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.core</groupId>
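Review bot: The bump from 1.9 to 1.10.0 on the commons-text entry carries no comment, while both additions in asterix-external-data/pom.xml are marked with `<!-- CVE-2022-42889 -->`. Adding the same marker here would record that 1.10.0 is a security floor for this entry and make an accidental downgrade easier to catch in a later review.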

-- 
To view, visit https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17241

Gerrit-Project: asterixdb
Gerrit-Branch: master
Gerrit-Change-Id: Ib076d130d89077964396fcbf51602488a9e90621
Gerrit-Change-Number: 17241
Gerrit-PatchSet: 1
Gerrit-Owner: Ian Maxon <im...@uci.edu>
Gerrit-MessageType: newchange