Upgrade third party libraries with security vulnerabilities (apache#3938

) * Upgrade jackson version to 2.9.8 * Upgrade commons-collections version to 1.10
willome · Mar 29, 2019 · c463a04 · c463a04
1 parent 534bddc
commit c463a04
Show file tree

Hide file tree

Showing 6 changed files with 21 additions and 20 deletions.
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -314,14 +314,14 @@ The Apache Software License, Version 2.0
  * Jackson
      - org.codehaus.jackson-jackson-core-asl-1.9.13.jar
      - org.codehaus.jackson-jackson-mapper-asl-1.9.13.jar
-     - com.fasterxml.jackson.core-jackson-annotations-2.9.7.jar
-     - com.fasterxml.jackson.core-jackson-core-2.9.7.jar
-     - com.fasterxml.jackson.core-jackson-databind-2.9.7.jar
-     - com.fasterxml.jackson.dataformat-jackson-dataformat-yaml-2.9.7.jar
-     - com.fasterxml.jackson.jaxrs-jackson-jaxrs-base-2.9.7.jar
-     - com.fasterxml.jackson.jaxrs-jackson-jaxrs-json-provider-2.9.7.jar
-     - com.fasterxml.jackson.module-jackson-module-jaxb-annotations-2.9.7.jar
-     - com.fasterxml.jackson.module-jackson-module-jsonSchema-2.9.7.jar
+     - com.fasterxml.jackson.core-jackson-annotations-2.9.8.jar
+     - com.fasterxml.jackson.core-jackson-core-2.9.8.jar
+     - com.fasterxml.jackson.core-jackson-databind-2.9.8.jar
+     - com.fasterxml.jackson.dataformat-jackson-dataformat-yaml-2.9.8.jar
+     - com.fasterxml.jackson.jaxrs-jackson-jaxrs-base-2.9.8.jar
+     - com.fasterxml.jackson.jaxrs-jackson-jaxrs-json-provider-2.9.8.jar
+     - com.fasterxml.jackson.module-jackson-module-jaxb-annotations-2.9.8.jar
+     - com.fasterxml.jackson.module-jackson-module-jsonSchema-2.9.8.jar
  * Caffeine -- com.github.ben-manes.caffeine-caffeine-2.6.2.jar
  * Proto Google Common Protos -- com.google.api.grpc-proto-google-common-protos-1.12.0.jar
  * Gson -- com.google.code.gson-gson-2.8.2.jar
@@ -335,15 +335,12 @@ The Apache Software License, Version 2.0
     - com.yahoo.datasketches-memory-0.8.3.jar
     - com.yahoo.datasketches-sketches-core-0.8.3.jar
  * Apache Commons
-    - commons-beanutils-commons-beanutils-1.7.0.jar
-    - commons-beanutils-commons-beanutils-core-1.8.0.jar
     - commons-cli-commons-cli-1.2.jar
     - commons-codec-commons-codec-1.10.jar
     - commons-collections-commons-collections-3.2.2.jar
-    - commons-configuration-commons-configuration-1.6.jar
-    - commons-digester-commons-digester-1.8.jar
+    - commons-configuration-commons-configuration-1.10.jar
     - commons-io-commons-io-2.5.jar
-    - commons-lang-commons-lang-2.4.jar
+    - commons-lang-commons-lang-2.6.jar
     - commons-logging-commons-logging-1.1.1.jar
     - org.apache.commons-commons-collections4-4.1.jar
     - org.apache.commons-commons-compress-1.15.jar

diff --git a/pom.xml b/pom.xml
@@ -159,7 +159,7 @@ flexible messaging model and an intuitive client API.</description>
     <commons.collections.version>3.2.2</commons.collections.version>
     <log4j2.version>2.10.0</log4j2.version>
     <bouncycastle.version>1.60</bouncycastle.version>
-    <jackson.version>2.9.7</jackson.version>
+    <jackson.version>2.9.8</jackson.version>
     <reflections.version>0.9.11</reflections.version>
     <swagger.version>1.5.21</swagger.version>
     <puppycrawl.checkstyle.version>6.19</puppycrawl.checkstyle.version>
@@ -471,7 +471,7 @@ flexible messaging model and an intuitive client API.</description>
       <dependency>
         <groupId>commons-configuration</groupId>
         <artifactId>commons-configuration</artifactId>
-        <version>1.6</version>
+        <version>1.10</version>
       </dependency>
 
       <dependency>

diff --git a/pulsar-broker/pom.xml b/pulsar-broker/pom.xml
@@ -39,6 +39,11 @@
       <artifactId>commons-codec</artifactId>
     </dependency>
 
+    <dependency>
+      <groupId>commons-collections</groupId>
+      <artifactId>commons-collections</artifactId>
+    </dependency>
+
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>

diff --git a/pulsar-sql/pom.xml b/pulsar-sql/pom.xml
@@ -35,7 +35,7 @@
         <jackson.version>2.8.11</jackson.version>
         <!--fix Security Vulnerabilities-->
         <!--https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html-->
-        <jackson.databind.version>2.8.11.1</jackson.databind.version>
+        <jackson.databind.version>2.8.11.3</jackson.databind.version>
     </properties>
 
     <modules>

diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
@@ -209,7 +209,7 @@ The Apache Software License, Version 2.0
 
   * Jackson
     - jackson-annotations-2.8.11.jar
-    - jackson-databind-2.8.11.1.jar
+    - jackson-databind-2.8.11.3.jar
     - jackson-dataformat-smile-2.8.11.jar
     - jackson-datatype-guava-2.8.11.jar
     - jackson-datatype-guava-2.8.11.jar
@@ -229,7 +229,6 @@ The Apache Software License, Version 2.0
     - guice-multibindings-4.2.0.jar
  * Apache Commons
     - commons-math3-3.6.1.jar
-    - commons-beanutils-core-1.8.0.jar
     - commons-beanutils-core-1.8.3.jar
     - commons-compress-1.15.jar
     - commons-lang3-3.3.2.jar

diff --git a/pulsar-sql/presto-distribution/pom.xml b/pulsar-sql/presto-distribution/pom.xml
@@ -45,7 +45,7 @@
         <jackson.version>2.8.11</jackson.version>
         <!--fix Security Vulnerabilities-->
         <!--https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html-->
-        <jackson.databind.version>2.8.11.1</jackson.databind.version>
+        <jackson.databind.version>2.8.11.3</jackson.databind.version>
     </properties>
 
     <dependencies>
@@ -242,4 +242,4 @@
             </extension>
         </extensions>
     </build>
-</project>
+</project>