Upgrade Infinispan in all active Jetty branches #6687

Closed
joakime opened this issue Sep 1, 2021 · 5 comments · Fixed by #6766
Labels
Bug For general bugs on Jetty side

Comments

@joakime (Contributor) commented Sep 1, 2021

Jetty version(s)
9.4.x, 10.0.x, and 11.0.x

Description

Our usage of infinispan is getting long in the tooth.

We have Infinispan 9.4.8.Final in all of our branches, which uses Hibernate 5.10.3.Final.

Infinispan version 9.4.8.Final is subject to CVE-2019-10158 and CVE-2019-10174.

Infinispan version 12.1.7.Final has been released.

We need to upgrade, and should at least skip Infinispan 10.x and start investigating using version 11.x or newer. (There are a few CVEs in the infinispan 10.x series we want to avoid as well)

It should be noted that the Docker Hub for infinispan has also moved.

We are using jboss/infinispan-server, but the new location is infinispan/server
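The two concrete checks this comment asks for are "is the pinned Infinispan version still the old one?" and "does anything still reference the retired Docker Hub image?". The following is an added example, not code from Jetty or Infinispan, that audits a Maven POM for both. The POM fragment is constructed for the example (it only mirrors the 9.4.8.Final pin and the old image name stated above), the `infinispan.docker.image` property is a hypothetical name, and the floor of 11.0.11 is assumed from the version the thread later upgrades to. The version ordering is deliberately simplified (numeric components, then a pre-release vs. release qualifier) and is not Maven's own `ComparableVersion` algorithm.

```python
"""Audit a Maven POM for a stale Infinispan pin and the retired Docker image.

Added example; the POM below is constructed, the version floor is an
assumption, and the qualifier ordering is a simplification of Maven's rules.
"""
import xml.etree.ElementTree as ET

MIN_INFINISPAN = "11.0.11"              # assumed floor (version the thread moved to)
OLD_IMAGE = "jboss/infinispan-server"   # retired Docker Hub location named in the issue
NEW_IMAGE = "infinispan/server"         # current location named in the issue

# Constructed POM fragment reproducing the pre-upgrade pin from the issue.
# The infinispan.docker.image property is hypothetical, not a Jetty property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <infinispan.version>9.4.8.Final</infinispan.version>
    <infinispan.docker.image>jboss/infinispan-server</infinispan.docker.image>
  </properties>
</project>"""


def version_key(version):
    """Return a sortable key for strings like '9.4.8.Final' or '11.0.11.CR1'.

    Leading numeric components are compared numerically and padded to three
    places; a pre-release qualifier (Alpha, Beta, CR, RC, SNAPSHOT, dev) sorts
    below an unqualified or Final release with the same numbers.  This is a
    simplified rule, not Maven's ComparableVersion.
    """
    nums, qualifier = [], ""
    for part in version.split("."):
        if part.isdigit():
            nums.append(int(part))
        else:
            qualifier = part.lower()
            break
    while len(nums) < 3:
        nums.append(0)
    pre_release = qualifier.startswith(("alpha", "beta", "cr", "rc", "snapshot", "dev"))
    return (tuple(nums), 0 if pre_release else 1)


def _local(tag):
    """Strip the XML namespace prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def pom_properties(pom_text):
    """Collect <properties> children of a POM as {name: value}, ignoring namespaces."""
    root = ET.fromstring(pom_text)
    props = {}
    for element in root.iter():
        if _local(element.tag) == "properties":
            for child in element:
                props[_local(child.tag)] = (child.text or "").strip()
    return props


def audit_pom(pom_text, min_version=MIN_INFINISPAN):
    """Return a list of findings; an empty list means the POM passes both checks."""
    props = pom_properties(pom_text)
    findings = []
    pinned = props.get("infinispan.version")
    if pinned is None:
        findings.append("infinispan.version is not pinned in <properties>")
    elif version_key(pinned) < version_key(min_version):
        findings.append(f"infinispan.version {pinned} is below the floor {min_version}")
    for name, value in props.items():
        if OLD_IMAGE in value:
            findings.append(f"{name} references retired image {OLD_IMAGE}; use {NEW_IMAGE}")
    return findings


if __name__ == "__main__":
    for finding in audit_pom(SAMPLE_POM) or ["no findings"]:
        print(finding)
```

Run it against a real POM by reading the file into `audit_pom`; a CI job that fails on a non-empty result keeps the pin from silently drifting back below the floor after a branch merge. The qualifier handling is the part to extend first if you use it beyond Infinispan: Maven treats `ga`, `final` and an empty qualifier as equivalent releases, which this key also does, but it does not reproduce Maven's ordering among the other qualifiers.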

@joakime joakime added the Bug For general bugs on Jetty side label Sep 1, 2021
@joakime (Contributor, Author) commented Sep 1, 2021

Also, about our Hibernate version: all versions of Hibernate up to version 5.4.23.Final have multiple vulnerabilities, fixed in Hibernate versions 6.0.18.Final and 6.1.0.Final.

Our hibernate usage is tied to our infinispan usage, so upgrading infinispan to a newer version might not be sufficient.

E.g. Infinispan 12.1.7.Final is using Hibernate 6.0.2.Final, so we'll need to manually upgrade hibernate as well.

@olamy (Member) commented Sep 1, 2021

see some work started here #6057
maybe we can close #5711

@janbartel (Contributor) commented

I think this might potentially be difficult: there's a chance that infinispan has changed to use their own threads for reads and maybe not allow a classloader to be set on them ... see my last comment on #6057

janbartel added a commit that referenced this issue Sep 10, 2021
Signed-off-by: Jan Bartel <janb@webtide.com>
janbartel added a commit that referenced this issue Sep 11, 2021
Signed-off-by: Jan Bartel <janb@webtide.com>
olamy pushed a commit that referenced this issue Sep 19, 2021
Signed-off-by: Jan Bartel <janb@webtide.com>
olamy pushed a commit that referenced this issue Sep 19, 2021
Signed-off-by: Jan Bartel <janb@webtide.com>
@joakime joakime linked a pull request Sep 20, 2021 that will close this issue
@joakime joakime added this to To do in Jetty 10.0.7/11.0.7 FROZEN via automation Sep 20, 2021
@joakime joakime moved this from To do to In progress in Jetty 10.0.7/11.0.7 FROZEN Sep 20, 2021
Jetty 10.0.7/11.0.7 FROZEN automation moved this from In progress to Done Sep 21, 2021
janbartel added a commit that referenced this issue Sep 21, 2021
* Issue #6687 Update to infinispan 11.0.11

Signed-off-by: Jan Bartel <janb@webtide.com>


* fix upperbound dependency
* use infinispan bom

Signed-off-by: Olivier Lamy <oliver.lamy@gmail.com>

Co-authored-by: Olivier Lamy <oliver.lamy@gmail.com>
@janbartel janbartel reopened this Sep 21, 2021
Jetty 10.0.7/11.0.7 FROZEN automation moved this from Done to In progress Sep 21, 2021
@janbartel (Contributor) commented Sep 21, 2021

Updated to infinispan version 11.0.11 for jetty-10 and jetty-11 via PR #6766

@gregw gregw moved this from In progress to Done in Jetty 10.0.7/11.0.7 FROZEN Sep 21, 2021
@gregw gregw added this to To do in Jetty 9.4.44 FROZEN via automation Sep 21, 2021
@gregw gregw moved this from To do to In progress in Jetty 9.4.44 FROZEN Sep 21, 2021
janbartel added a commit that referenced this issue Sep 22, 2021
* Issue #6687 Update to infinispan 11.0.11

Signed-off-by: Jan Bartel <janb@webtide.com>

* fix upperbound dependency
* use infinispan bom

Signed-off-by: Olivier Lamy <oliver.lamy@gmail.com>

Co-authored-by: Olivier Lamy <oliver.lamy@gmail.com>
@gregw gregw removed this from In progress in Jetty 9.4.44 FROZEN Sep 22, 2021
@gregw gregw added this to To do in Jetty 9.4.45 - FROZEN via automation Sep 22, 2021
janbartel added a commit that referenced this issue Oct 7, 2021
janbartel added a commit that referenced this issue Oct 7, 2021
…6889)

* Issue #6687 Update to infinispan 11.0.11

Signed-off-by: Jan Bartel <janb@webtide.com>
Co-authored-by: Olivier Lamy <oliver.lamy@gmail.com>
@janbartel (Contributor) commented Oct 7, 2021

Done.

Jetty 9.4.45 - FROZEN automation moved this from To do to Done Oct 7, 2021
3 participants