fix build by updating kafka client to 2.2.2 for CVE-2019-12399 #9259
Conversation
@@ -78,7 +78,7 @@ | |||
<aether.version>0.9.0.M2</aether.version> | |||
<apache.curator.version>4.1.0</apache.curator.version> | |||
<apache.curator.test.version>2.12.0</apache.curator.test.version> | |||
<apache.kafka.version>2.1.1</apache.kafka.version> | |||
<apache.kafka.version>2.2.2</apache.kafka.version> |
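Review bot: bumping `<apache.kafka.version>` in the parent pom only reaches modules that inherit this property; a module pom that declares its own `apache.kafka.version` keeps building against 2.1.1, so check the module poms (the review below names extensions-core/kafka-indexing-service) and remove the duplicate property rather than maintaining the version in two places.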
Can you also update extensions-core/kafka-indexing-service to use this version as well, please?
I had a PR to consolidate the kafka version, but never got around to fully testing it - https://github.com/apache/druid/pull/9117/files
Ah, missed that it still had a special version property defined distinct from the parent pom; removed.
I wonder if there is a better way we can handle this than randomly failing unrelated PRs whenever a CVE pops up, because that is sort of lame behavior...
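The situation in the reply above (a module pom carrying its own copy of a version property the parent already declares, so a parent bump silently misses it) is easy to catch mechanically. The script below is an added example, not Apache Druid code: it parses a parent pom and its listed module poms and reports every `*.version` property a module redefines. The pom contents are constructed inline so it runs offline; the module paths and the stale 2.1.1 value are assumptions chosen to mirror the thread.

```python
"""Flag module-level overrides of version properties declared in a parent pom.

Added example, not Apache Druid code. The pom contents below are constructed
inline to illustrate the case; real use would read the files from disk.
"""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample: a parent pom and two module poms. The first module
# redefines apache.kafka.version with a stale value, which is exactly the
# case where a parent-only bump leaves the old client on the classpath.
SAMPLE_POMS = {
    "pom.xml": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modules>
    <module>extensions-core/kafka-indexing-service</module>
    <module>extensions-core/kafka-extraction-namespace</module>
  </modules>
  <properties>
    <apache.curator.version>4.1.0</apache.curator.version>
    <apache.kafka.version>2.2.2</apache.kafka.version>
  </properties>
</project>""",
    "extensions-core/kafka-indexing-service/pom.xml": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <apache.kafka.version>2.1.1</apache.kafka.version>
  </properties>
</project>""",
    "extensions-core/kafka-extraction-namespace/pom.xml": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <some.other.version>1.0</some.other.version>
  </properties>
</project>""",
}


def parse_properties(pom_xml):
    """Return {name: value} for the children of <properties> in a pom document."""
    root = ET.fromstring(pom_xml)
    props = root.find(f"{{{POM_NS}}}properties")
    if props is None:
        return {}
    # Tags arrive namespaced as "{uri}name"; keep only the local name.
    return {child.tag.split("}", 1)[1]: (child.text or "").strip() for child in props}


def list_modules(pom_xml):
    """Return the relative module directories declared in <modules>."""
    root = ET.fromstring(pom_xml)
    path = f"{{{POM_NS}}}modules/{{{POM_NS}}}module"
    return [m.text.strip() for m in root.iterfind(path) if m.text]


def find_overrides(poms, parent_path="pom.xml", suffix=".version"):
    """Return [(module_pom_path, property, parent_value, module_value)] for
    every property ending in `suffix` that both the parent and a module define.

    `poms` maps a pom path to its XML text (here the constructed sample)."""
    parent_props = parse_properties(poms[parent_path])
    overrides = []
    for module in list_modules(poms[parent_path]):
        module_path = f"{module}/pom.xml"
        if module_path not in poms:
            continue  # module not present in the sample; a real run would error
        for name, value in parse_properties(poms[module_path]).items():
            if name.endswith(suffix) and name in parent_props:
                overrides.append((module_path, name, parent_props[name], value))
    return overrides


if __name__ == "__main__":
    for path, name, parent_value, module_value in find_overrides(SAMPLE_POMS):
        print(f"{path}: {name}={module_value} overrides parent value {parent_value}")
```

Run as a CI step over the real tree, a non-empty result fails the build before the dependency scanner does, and the report names the exact module to fix. It flags a module even when its value happens to equal the parent's, which is intentional: the duplicate property is the problem, not just the stale value.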
licenses.yaml
license_category: binary | ||
module: extensions/druid-kafka-indexing-service | ||
module: extensions/druid-kafkakafka-indexing-service |
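Review bot: the changed module line reads `extensions/druid-kafkakafka-indexing-service`, which duplicates "kafka"; it should stay `extensions/druid-kafka-indexing-service` as on the original line, otherwise the license entry no longer matches the module it describes. Only the module line is visible in this hunk, so also confirm that the entry's version field was moved to 2.2.2 together with it.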
typo in the module name?
Hah, oops, my search panel must not have opened when searching for other kafkas in this file... Actually, we need to update the notice section of this file too, since this version was released in 2019.
> I wonder if there is a better way we can handle this than randomly failing unrelated PRs whenever a CVE pops up, because that is sort of lame behavior...
+1 - it really should only prevent merging a PR when you're introducing a new vulnerability. It'd be nice if this ran nightly and filed issues for new CVEs that are being reported so we can go clean them up as needed
Didn't see this and made a similar PR (#9261) that has a slightly different change to TestKafkaExtractionCluster.java and doesn't have a typo in licenses.yaml.
Any idea which is the correct way to fix
I'm ok with either approach; I think .kafkaController() is easier to read.
I think the changes to
…e#9259) * fix build by updating kafka client to 2.2.2 for CVE-2019-12399 * one kafka version to rule them all * notice
Travis seems to be failing due to https://nvd.nist.gov/vuln/detail/CVE-2019-12399, though a quick glance doesn't look like something that would affect us, other than the build failure.
To resolve, updates kafka-client to 2.2.2, which is not listed in the CVE; this required a minor change in the druid-kafka-extraction-namespace tests.