Address security vulnerabilities #8878
Conversation
Security vulnerabilities addressed by upgrading 3rd party libs:

- Upgrade avro-ipc to 1.9.1
  - sonatype-2019-0115
- Upgrade caffeine to 2.8.0
  - sonatype-2019-0282
- Upgrade commons-beanutils to 1.9.4
  - CVE-2014-0114
- Upgrade commons-codec to 1.13
  - sonatype-2012-0050
- Upgrade commons-compress to 1.19
  - CVE-2019-12402
  - sonatype-2018-0293
- Upgrade hadoop-common to 2.8.5
  - CVE-2018-11767
- Upgrade hadoop-mapreduce-client-core to 2.8.5
  - CVE-2017-3166
- Upgrade hibernate-validator to 5.2.5
  - CVE-2017-7536
- Upgrade httpclient to 4.5.10
  - sonatype-2017-0359
- Upgrade icu4j to 55.1
  - CVE-2014-8147
- Upgrade jackson-databind to 2.6.7.3
  - CVE-2017-7525
- Upgrade jetty-http to 9.4.12
  - CVE-2017-7657
  - CVE-2017-7658
  - CVE-2017-7656
  - CVE-2018-12545
- Upgrade log4j-core to 2.8.2
  - CVE-2017-5645
- Upgrade netty to 3.10.6
  - CVE-2015-2156
- Upgrade netty-common to 4.1.42
  - CVE-2019-9518
- Upgrade netty-codec-http to 4.1.42
  - CVE-2019-16869
- Upgrade nimbus-jose-jwt to 4.41.1
  - CVE-2017-12972
  - CVE-2017-12974
- Upgrade plexus-utils to 3.0.24
  - CVE-2017-1000487
  - sonatype-2015-0173
  - sonatype-2016-0398
- Upgrade postgresql to 42.2.8
  - CVE-2018-10936

Note that if users are using JDBC lookups with postgres, they may need to update the JDBC jar used by the lookup extension.
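An added example, not code from the PR or from the Druid code base, of how a deployer can confirm that a resolved build actually carries the minimum versions listed above. It parses the classic one-artifact-per-line output of `mvn dependency:list` and, because jars dropped into an extension directory by hand never appear in the Maven graph, also checks bare jar file names such as the postgres JDBC driver the note about JDBC lookups refers to. The groupIds in the table are an assumption (the PR names artifactIds only), and the sample listing and jar names are constructed, not taken from a real build:

```python
"""Check resolved build artifacts against the minimum versions named in the PR."""
import re
from typing import Dict, List, Tuple

# groupId:artifactId -> minimum version from the PR description.
# groupIds are an assumption (usual Maven coordinates); the PR lists artifactIds only.
MIN_VERSIONS: Dict[str, str] = {
    "org.apache.avro:avro-ipc": "1.9.1",
    "com.github.ben-manes.caffeine:caffeine": "2.8.0",
    "commons-beanutils:commons-beanutils": "1.9.4",
    "commons-codec:commons-codec": "1.13",
    "org.apache.commons:commons-compress": "1.19",
    "org.apache.hadoop:hadoop-common": "2.8.5",
    "org.apache.hadoop:hadoop-mapreduce-client-core": "2.8.5",
    "org.hibernate:hibernate-validator": "5.2.5",
    "org.apache.httpcomponents:httpclient": "4.5.10",
    "com.ibm.icu:icu4j": "55.1",
    "com.fasterxml.jackson.core:jackson-databind": "2.6.7.3",
    "org.eclipse.jetty:jetty-http": "9.4.12",
    "org.apache.logging.log4j:log4j-core": "2.8.2",
    "io.netty:netty": "3.10.6",
    "io.netty:netty-common": "4.1.42",
    "io.netty:netty-codec-http": "4.1.42",
    "com.nimbusds:nimbus-jose-jwt": "4.41.1",
    "org.codehaus.plexus:plexus-utils": "3.0.24",
    "org.postgresql:postgresql": "42.2.8",
}

# mvn dependency:list line: groupId:artifactId:type[:classifier]:version:scope [(optional)]
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<g>[^:\s]+):(?P<a>[^:\s]+):(?P<t>[^:\s]+)"
    r"(?::(?P<c>[^:\s]+))?:(?P<v>[^:\s]+):(?P<s>\w+)(?:\s+\(optional\))?\s*$"
)
# Hand-installed jar: artifactId-version.jar, e.g. netty-codec-http-4.1.42.Final.jar
JAR_NAME = re.compile(r"^(?P<a>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<v>\d[\w.-]*)\.jar$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split '9.4.12.v20180830' into ((9, 4, 12), 'v20180830').
    Leading numeric components are compared; the qualifier is kept for reporting."""
    parts = re.split(r"[.-]", version)
    nums: List[int] = []
    while parts and parts[0].isdigit():
        nums.append(int(parts.pop(0)))
    return tuple(nums), "-".join(parts)


def at_least(actual: str, minimum: str) -> bool:
    """True if actual >= minimum. A SNAPSHOT of the minimum is a pre-release: rejected."""
    a, qualifier = parse_version(actual)
    m, _ = parse_version(minimum)
    width = max(len(a), len(m))  # pad so 2.8 compares equal to 2.8.0
    a += (0,) * (width - len(a))
    m += (0,) * (width - len(m))
    if a != m:
        return a > m
    return "SNAPSHOT" not in qualifier.upper()


def check_maven_listing(listing: str) -> List[Tuple[str, str, str]]:
    """(coordinate, actual, minimum) for every listed artifact below its minimum."""
    below = []
    for line in listing.splitlines():
        match = DEP_LINE.match(line)
        if not match:
            continue
        coord = f"{match['g']}:{match['a']}"
        minimum = MIN_VERSIONS.get(coord)
        if minimum and not at_least(match["v"], minimum):
            below.append((coord, match["v"], minimum))
    return below


def check_extension_jars(jar_names: List[str]) -> List[Tuple[str, str, str]]:
    """Same check for jars named artifactId-version.jar in an extension directory."""
    by_artifact = {coord.split(":")[1]: v for coord, v in MIN_VERSIONS.items()}
    below = []
    for name in jar_names:
        match = JAR_NAME.match(name)
        if not match:
            continue
        minimum = by_artifact.get(match["a"])
        if minimum and not at_least(match["v"], minimum):
            below.append((match["a"], match["v"], minimum))
    return below


# Constructed sample input (not a real build): two artifacts are below the minimum.
SAMPLE_LISTING = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.commons:commons-compress:jar:1.19:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.6.7:compile
[INFO]    org.eclipse.jetty:jetty-http:jar:9.4.12.v20180830:compile
[INFO]    org.hibernate:hibernate-validator:jar:5.2.5.Final:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.8.2-SNAPSHOT:compile
[INFO]    org.apache.hadoop:hadoop-common:jar:tests:2.8.5:test
[INFO]    org.postgresql:postgresql:jar:42.2.8:provided (optional)
"""
# Constructed extension directory: the lookup extension still ships an old driver.
SAMPLE_JARS = ["postgresql-42.2.2.jar", "netty-codec-http-4.1.42.Final.jar", "README.txt"]

if __name__ == "__main__":
    for coord, actual, minimum in check_maven_listing(SAMPLE_LISTING) + check_extension_jars(SAMPLE_JARS):
        print(f"BELOW MINIMUM: {coord} {actual} < {minimum}")
```

The version comparison deliberately ignores qualifiers such as `.Final` and `.v20180830` (jetty and hibernate-validator publish with them) but refuses a `-SNAPSHOT` of the minimum version, since that is a pre-release build. The check says nothing about which jar the JVM actually loads at runtime; for a Druid node the extension directories have to be inspected separately, which is what the second function is for.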
I believe the Travis failure is due to a flaky integration test as the test passed for the first commit (https://travis-ci.org/apache/incubator-druid/builds/612644687?utm_source=github_status&utm_medium=notification) and the second commit only changed code related to license checking.
I restarted the travis job that failed. The LGTM analysis seems hung up on an npm step.
Google seems to think this might be related to proxy settings potentially.
Has anything changed in the CI config?
…On Sun, Nov 17, 2019 at 9:27 AM Gian Merlino ***@***.***> wrote:
I restarted the travis job that failed.
The LGTM analysis seems hung up on an npm step. @vogievetsky
<https://github.com/vogievetsky> or other npm gurus - any idea what might
be going on here? (I've seen a similar error on other PRs.)
[2019-11-16 05:22:35] [autobuild] [INFO] Running 'npm ci' in /opt/src/web-console
[2019-11-16 05:24:03] [autobuild] [ERROR] npm ERR! code E400
[2019-11-16 05:24:03] [autobuild] [ERROR] npm ERR! 400 Bad Request: ***@***.***
[2019-11-16 05:24:33] [autobuild] [ERROR]
[2019-11-16 05:24:33] [autobuild] [ERROR] npm ERR! A complete log of this run can be found in:
[2019-11-16 05:24:33] [autobuild] [ERROR] npm ERR! /opt/work/.npm/_logs/2019-11-16T05_24_03_938Z-debug.log
--
Jad Naous
Imply | VP R&D
Strange, nothing changed in the npm deps lately also.
@ccaominh Have you tested this with a live Druid + live Hadoop cluster combination?
@ccaominh Could you also try merging in master, it should fix LGTM.
@gianm I've tested with the hadoop tutorial (https://druid.apache.org/docs/latest/tutorials/tutorial-batch-hadoop.html). Are there additional tests you suggest?
I think that's a good test. The Docker-based cluster is real enough. We can test it more after merging and before release. Thanks.
👍 after CI.
Thanks, looks good now!
* Address security vulnerabilities

  Security vulnerabilities addressed by upgrading 3rd party libs (the upgrade and advisory list is the same as in the PR description above). Note that if users are using JDBC lookups with postgres, they may need to update the JDBC jar used by the lookup extension.

* Fix license for postgresql
…ilities

Summary: Druid is running with JVM 1.8.0_232 but log4j 2.5 so it's P1 rather than p0. Pull upstream to upgrade log4j to 2.15.0 to address security vulnerabilities.

Changes are from the following upstream PRs:
# Upgrade log4j from 2.8.2 to 2.15.0: apache#12051, apache#12056
# Upgrade log4j from 2.5 to 2.8.2: apache#8878

Reviewers: O1139 Druid, jgu, itallam
Reviewed By: O1139 Druid, jgu, itallam
Subscribers: jenkins, shawncao, #realtime-analytics
Differential Revision: https://phabricator.pinadmin.com/D823708
Fixes #4798.
Fixes #6347.
Description
Security vulnerabilities addressed by upgrading 3rd party libs:
Note that if users are using JDBC lookups with postgres, they may need to update the JDBC jar used by the lookup extension.
This PR has: