
OAK-10441: exclude snakeyaml from oak-search-elastic #1110

Merged
merged 3 commits into apache:trunk from OAK-10441
Sep 11, 2023

Conversation

fabriziofortino
Contributor

@fabriziofortino fabriziofortino commented Sep 8, 2023

https://nvd.nist.gov/vuln/detail/CVE-2022-1471

snakeyaml 1.33 is vulnerable to remote code execution. A better solution would be to get rid of the es high-level client completely. This would require more time because of the changes needed to replace the bulk processor.

We can safely exclude this dependency since it's not used in our codebase.

As part of this PR, the es clients have been updated to the latest patch release.
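The exclusion the PR describes, written out as a Maven fragment together with an enforcer rule that fails the build if the banned artifact comes back through another path. This is an added illustration, not the PR's own pom change; the high-level client coordinates as the carrier of the transitive and the `${elasticsearch.version}` property are assumptions about how oak-search-elastic declares the client.

```xml
<!-- Added example, not the PR's diff. Assumed: snakeyaml arrives transitively
     through the Elasticsearch high-level REST client and the module keeps the
     client version in an elasticsearch.version property. -->
<dependency>
  <groupId>org.elasticsearch.client</groupId>
  <artifactId>elasticsearch-rest-high-level-client</artifactId>
  <version>${elasticsearch.version}</version>
  <exclusions>
    <!-- CVE-2022-1471: snakeyaml 1.33 is not used by this module -->
    <exclusion>
      <groupId>org.yaml</groupId>
      <artifactId>snakeyaml</artifactId>
    </exclusion>
  </exclusions>
</dependency>

<!-- Guard: fail the build if org.yaml:snakeyaml reappears transitively
     through any dependency, for example after a later client upgrade. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <executions>
    <execution>
      <id>ban-snakeyaml</id>
      <goals><goal>enforce</goal></goals>
      <configuration>
        <rules>
          <bannedDependencies>
            <searchTransitive>true</searchTransitive>
            <excludes>
              <exclude>org.yaml:snakeyaml</exclude>
            </excludes>
          </bannedDependencies>
        </rules>
        <fail>true</fail>
      </configuration>
    </execution>
  </executions>
</plugin>
```

To confirm the exclusion took effect, `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` run in the module should list no matching artifact.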

Review thread on oak-search-elastic/pom.xml (outdated, resolved)
@fabriziofortino fabriziofortino changed the title OAK-10441: exclude snakeyaml OAK-10441: exclude snakeyaml from oak-search-elastic Sep 8, 2023
@fabriziofortino fabriziofortino merged commit e13a933 into apache:trunk Sep 11, 2023
1 of 2 checks passed
@fabriziofortino fabriziofortino deleted the OAK-10441 branch September 11, 2023 08:51
reschke added a commit that referenced this pull request Sep 11, 2023
fabriziofortino added a commit to fabriziofortino/jackrabbit-oak that referenced this pull request Sep 12, 2023
fabriziofortino added a commit that referenced this pull request Sep 13, 2023
* Revert "Revert "OAK-10441: exclude snakeyaml from oak-search-elastic (#1110)""

This reverts commit 2a0ecd4.

* OAK-10441: exclude package org.yaml.snakeyam.*
mbaedke pushed a commit that referenced this pull request Sep 19, 2023
* OAK-10441: exclude snakeyaml

* OAK-10441: upgrade elasticsearch-java to 8.7.1

* OAK-10324: setup elastiknn 8.7.1.0
mbaedke pushed a commit that referenced this pull request Sep 19, 2023
mbaedke pushed a commit that referenced this pull request Sep 19, 2023
* Revert "Revert "OAK-10441: exclude snakeyaml from oak-search-elastic (#1110)""

This reverts commit 2a0ecd4.

* OAK-10441: exclude package org.yaml.snakeyam.*