[ https://issues.apache.org/jira/browse/HUDI-3819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17521222#comment-17521222 ]

Sagar Sumit commented on HUDI-3819:
-----------------------------------

So, as I mentioned before, v2.0.1.RELEASE is still not patched. It still pulls in spring-core or spring-beans 4.3.12.RELEASE.

 
{code:java}
[INFO] +- org.springframework.shell:spring-shell-starter:jar:2.0.1.RELEASE:compile
[INFO] |  +- org.springframework.shell:spring-shell-core:jar:2.0.1.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter:jar:1.5.8.RELEASE:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot:jar:1.5.8.RELEASE:compile
[INFO] |  |  |  |  \- org.springframework:spring-context:jar:4.3.12.RELEASE:compile
[INFO] |  |  |  |     +- org.springframework:spring-aop:jar:4.3.12.RELEASE:compile
[INFO] |  |  |  |     \- org.springframework:spring-expression:jar:4.3.12.RELEASE:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.8.RELEASE:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:1.5.8.RELEASE:compile
[INFO] |  |  |  |  +- ch.qos.logback:logback-classic:jar:1.1.11:compile
[INFO] |  |  |  |  |  \- ch.qos.logback:logback-core:jar:1.1.11:compile
[INFO] |  |  |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.25:compile
[INFO] |  |  |  +- org.springframework:spring-core:jar:4.3.12.RELEASE:compile
[INFO] |  |  |  \- org.yaml:snakeyaml:jar:1.17:runtime
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-validation:jar:1.5.8.RELEASE:compile
[INFO] |  |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.23:compile
[INFO] |  |  |  \- org.hibernate:hibernate-validator:jar:5.3.5.Final:compile
[INFO] |  |  |     +- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
[INFO] |  |  |     \- com.fasterxml:classmate:jar:1.3.1:compile
[INFO] |  |  +- org.jline:jline:jar:3.4.0:compile
[INFO] |  |  \- org.jline:jline-terminal-jna:jar:3.4.0:runtime
[INFO] |  |     +- net.java.dev.jna:jna:jar:4.2.2:runtime
[INFO] |  |     \- org.jline:jline-terminal:jar:3.4.0:runtime
[INFO] |  +- org.springframework.shell:spring-shell-standard:jar:2.0.1.RELEASE:compile
[INFO] |  +- org.springframework.shell:spring-shell-standard-commands:jar:2.0.1.RELEASE:compile
[INFO] |  +- org.springframework.shell:spring-shell-shell1-adapter:jar:2.0.1.RELEASE:compile
[INFO] |  +- org.springframework.shell:spring-shell-jcommander-adapter:jar:2.0.1.RELEASE:compile
[INFO] |  \- org.springframework.shell:spring-shell-table:jar:2.0.1.RELEASE:compile
[INFO] |     \- org.springframework:spring-beans:jar:4.3.12.RELEASE:compile
{code}
 

 

> upgrade spring cve-2022-22965
> -----------------------------
>
>                 Key: HUDI-3819
>                 URL: https://issues.apache.org/jira/browse/HUDI-3819
>             Project: Apache Hudi
>          Issue Type: Bug
>          Components: cli
>    Affects Versions: 0.9.0, 0.10.1
>            Reporter: Jason-Morries Adam
>            Assignee: Sagar Sumit
>            Priority: Blocker
>              Labels: pull-request-available
>             Fix For: 0.11.0
>
>
> We should upgrade the Spring Framework version at Hudi CLI because of 
> cve-2022-22965. The Qualys Scanner finds these packages and raises a warning 
> because of the existence of these files on the system. 
> The found files are:
> /usr/lib/hudi/cli/lib/spring-beans-4.2.4.RELEASE.jar 
> /usr/lib/hudi/cli/lib/spring-core-4.2.4.RELEASE.jar
> More Information: 
> Spring Framework: https://spring.io/projects/spring-framework
> Spring project spring-framework release notes: 
> https://github.com/spring-projects/spring-framework/releases
> CVE-2022-22965: https://tanzu.vmware.com/security/cve-2022-22965



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
