Address security vulnerabilities #8878
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Security vulnerabilities addressed by upgrading 3rd party libs: - Upgrade avro-ipc to 1.9.1 - sonatype-2019-0115 - Upgrade caffeine to 2.8.0 - sonatype-2019-0282 - Upgrade commons-beanutils to 1.9.4 - CVE-2014-0114 - Upgrade commons-codec to 1.13 - sonatype-2012-0050 - Upgrade commons-compress to 1.19 - CVE-2019-12402 - sonatype-2018-0293 - Upgrade hadoop-common to 2.8.5 - CVE-2018-11767 - Upgrade hadoop-mapreduce-client-core to 2.8.5 - CVE-2017-3166 - Upgrade hibernate-validator to 5.2.5 - CVE-2017-7536 - Upgrade httpclient to 4.5.10 - sonatype-2017-0359 - Upgrade icu4j to 55.1 - CVE-2014-8147 - Upgrade jackson-databind to 2.6.7.3: - CVE-2017-7525 - Upgrade jetty-http to 9.4.12: - CVE-2017-7657 - CVE-2017-7658 - CVE-2017-7656 - CVE-2018-12545 - Upgrade log4j-core to 2.8.2 - CVE-2017-5645: - Upgrade netty to 3.10.6 - CVE-2015-2156 - Upgrade netty-common to 4.1.42 - CVE-2019-9518 - Upgrade netty-codec-http to 4.1.42 - CVE-2019-16869 - Upgrade nimbus-jose-jwt to 4.41.1 - CVE-2017-12972 - CVE-2017-12974 - Upgrade plexus-utils to 3.0.24 - CVE-2017-1000487 - sonatype-2015-0173 - sonatype-2016-0398 - Upgrade postgresql to 42.2.8 - CVE-2018-10936 Note that if users are using JDBC lookups with postgres, they may need to update the JDBC jar used by the lookup extension.
|
I believe the Travis failure is due to a flaky integration test as the test passed for the first commit (https://travis-ci.org/apache/incubator-druid/builds/612644687?utm_source=github_status&utm_medium=notification) and the second commit only changed code related to license checking. |
|
I restarted the travis job that failed. The LGTM analysis seems hung up on an |
|
Google seems to think this might be related to proxy settings potentially.
Has anything changed in the CI config?
…On Sun, Nov 17, 2019 at 9:27 AM Gian Merlino ***@***.***> wrote:
I restarted the travis job that failed.
The LGTM analysis seems hung up on an npm step. @vogievetsky
<https://github.com/vogievetsky> or other npm gurus - any idea what might
be going on here? (I've seen a similar error on other PRs.)
[2019-11-16 05:22:35] [autobuild] [INFO] Running 'npm ci' in /opt/src/web-console
[2019-11-16 05:24:03] [autobuild] [ERROR] npm ERR! code E400
[2019-11-16 05:24:03] [autobuild] [ERROR] npm ERR! 400 Bad Request: ***@***.***
[2019-11-16 05:24:33] [autobuild] [ERROR]
[2019-11-16 05:24:33] [autobuild] [ERROR] npm ERR! A complete log of this run can be found in:
[2019-11-16 05:24:33] [autobuild] [ERROR] npm ERR! /opt/work/.npm/_logs/2019-11-16T05_24_03_938Z-debug.log
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#8878>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAPSYCUAHGLYFQN46RDH2J3QUF5I3ANCNFSM4JOCNYWQ>
.
--
Jad Naous
Imply | VP R&D
650-521-3425
jad.naous@imply.io
|
|
Strange, nothing changed in the npm deps lately also |
|
@ccaominh Have you tested this with a live Druid + live Hadoop cluster combination? |
|
@ccaominh Could you also try merging in master, it should fix LGTM. |
|
@gianm I've tested with the hadoop tutorial (https://druid.apache.org/docs/latest/tutorials/tutorial-batch-hadoop.html). Are there additional tests you suggest? |
I think that's a good test. The Docker-based cluster is real enough. We can test it more after merging and before release. Thanks. |
|
Thanks, looks good now! |
jon-wei
pushed a commit
to jon-wei/druid
that referenced
this pull request
Nov 26, 2019
* Address security vulnerabilities Security vulnerabilities addressed by upgrading 3rd party libs: - Upgrade avro-ipc to 1.9.1 - sonatype-2019-0115 - Upgrade caffeine to 2.8.0 - sonatype-2019-0282 - Upgrade commons-beanutils to 1.9.4 - CVE-2014-0114 - Upgrade commons-codec to 1.13 - sonatype-2012-0050 - Upgrade commons-compress to 1.19 - CVE-2019-12402 - sonatype-2018-0293 - Upgrade hadoop-common to 2.8.5 - CVE-2018-11767 - Upgrade hadoop-mapreduce-client-core to 2.8.5 - CVE-2017-3166 - Upgrade hibernate-validator to 5.2.5 - CVE-2017-7536 - Upgrade httpclient to 4.5.10 - sonatype-2017-0359 - Upgrade icu4j to 55.1 - CVE-2014-8147 - Upgrade jackson-databind to 2.6.7.3: - CVE-2017-7525 - Upgrade jetty-http to 9.4.12: - CVE-2017-7657 - CVE-2017-7658 - CVE-2017-7656 - CVE-2018-12545 - Upgrade log4j-core to 2.8.2 - CVE-2017-5645: - Upgrade netty to 3.10.6 - CVE-2015-2156 - Upgrade netty-common to 4.1.42 - CVE-2019-9518 - Upgrade netty-codec-http to 4.1.42 - CVE-2019-16869 - Upgrade nimbus-jose-jwt to 4.41.1 - CVE-2017-12972 - CVE-2017-12974 - Upgrade plexus-utils to 3.0.24 - CVE-2017-1000487 - sonatype-2015-0173 - sonatype-2016-0398 - Upgrade postgresql to 42.2.8 - CVE-2018-10936 Note that if users are using JDBC lookups with postgres, they may need to update the JDBC jar used by the lookup extension. * Fix license for postgresql
Closed
debasatwa29
pushed a commit
to debasatwa29/druid
that referenced
this pull request
Jun 2, 2022
…ilities Summary: Druid is running with JVM 1.8.0_232 but log4j 2.5 so it's P1 rather than p0. Pull upstream to upgrade log4j to 2.15.0 to address security vulnerabilities Changes are from the following upstream PRs: # Upgrade log4j from 2.8.2 to 2.15.0 apache#12051 apache#12056 # Upgrade log4j from 2.5 to 2.8.2 apache#8878 Reviewers: O1139 Druid, jgu, itallam Reviewed By: O1139 Druid, jgu, itallam Subscribers: jenkins, shawncao, #realtime-analytics Differential Revision: https://phabricator.pinadmin.com/D823708
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #4798.
Fixes #6347.
Description
Security vulnerabilities addressed by upgrading 3rd party libs:
Note that if users are using JDBC lookups with postgres, they may need to update the JDBC jar used by the lookup extension.
This PR has: