[ https://issues.apache.org/jira/browse/FLINK-8156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16275882#comment-16275882 ]
ASF GitHub Bot commented on FLINK-8156:
---------------------------------------

GitHub user yew1eb opened a pull request:

https://github.com/apache/flink/pull/5113

[FLINK-8156][build] Bump commons-beanutils version to 1.9.3

## What is the purpose of the change

Commons-beanutils v1.8.0 dependency is not security compliant. See [CVE-2014-0114](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114):

> Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

The version commons-beanutils 1.9.2 in turn has a CVE in its dependency commons-collections ([CVE-2015-6420](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6420), see [BEANUTILS-488](https://issues.apache.org/jira/browse/BEANUTILS-488)), which is fixed in 1.9.3.

We should upgrade commons-beanutils from 1.8.3 to 1.9.3.

## Does this pull request potentially affect one of the following parts:

- Dependencies (does it add or upgrade a dependency): (**yes** / no)
- The public API, i.e., is any changed class annotated with `@Public(Evolving)`: (yes / **no**)
- The serializers: (yes / **no** / don't know)
- The runtime per-record code paths (performance sensitive): (yes / **no** / don't know)
- Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Yarn/Mesos, ZooKeeper: (yes / **no** / don't know)
- The S3 file system connector: (yes / **no** / don't know)

## Documentation

- Does this pull request introduce a new feature? (yes / **no**)
- If yes, how is the feature documented? (not applicable / docs / JavaDocs / not documented)

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/yew1eb/flink FLINK-8156

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/flink/pull/5113.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #5113

----
commit 5c188bc440eed0d50654709a929633a73e35cb56
Author: yew1eb <yew...@gmail.com>
Date:   2017-12-03T10:49:22Z

    [FLINK-8156][build] Bump commons-beanutils version to 1.9.3

----

> Bump commons-beanutils version to 1.9.3
> ---------------------------------------
>
>                 Key: FLINK-8156
>                 URL: https://issues.apache.org/jira/browse/FLINK-8156
>             Project: Flink
>          Issue Type: Bug
>          Components: Build System
>    Affects Versions: 1.4.0
>            Reporter: Hai Zhou UTC+8
>            Assignee: Hai Zhou UTC+8
>             Fix For: 1.5.0
>
>
> Commons-beanutils v1.8.0 dependency is not security compliant. See
> [CVE-2014-0114|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114]:
> {code:java}
> Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar
> in Apache Struts 1.x through 1.3.10 and in other products requiring
> commons-beanutils through 1.9.2, does not suppress the class property, which
> allows remote attackers to "manipulate" the ClassLoader and execute arbitrary
> code via the class parameter, as demonstrated by the passing of this
> parameter to the getClass method of the ActionForm object in Struts 1.
> {code}
> Note that current version commons-beanutils 1.9.2 in turn has a CVE in its
> dependency commons-collections (CVE-2015-6420, see BEANUTILS-488), which is
> fixed in 1.9.3.
> We should upgrade {{commons-beanutils}} from 1.8.3 to 1.9.3

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
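The CVE quoted above is about BeanUtils exposing the bean's `class` property to request-driven population. As an added example that is not part of the Flink PR or the BeanUtils project, the following check shows how a consumer of commons-beanutils 1.9.x can register the library's `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` introspector and verify that `class` is no longer a populatable property while ordinary properties still are. The `LoginForm` bean and the `classPropertyIsSuppressed` helper are constructed for this illustration; it assumes commons-beanutils 1.9.3 (as bumped to in this PR) on the classpath.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyCheck {

    // Constructed sample form bean (hypothetical; not from Flink or BeanUtils).
    public static class LoginForm {
        private String username;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
    }

    // True when the introspector used by this BeanUtilsBean no longer resolves
    // "class" on the bean (so a parameter such as "class.classLoader.*" has no
    // property to land on) while a legitimate property still resolves.
    public static boolean classPropertyIsSuppressed(BeanUtilsBean beanUtils, Object bean)
            throws Exception {
        PropertyUtilsBean propertyUtils = beanUtils.getPropertyUtils();
        return propertyUtils.getPropertyDescriptor(bean, "class") == null
            && propertyUtils.getPropertyDescriptor(bean, "username") != null;
    }

    public static void main(String[] args) throws Exception {
        BeanUtilsBean beanUtils = new BeanUtilsBean();
        // Register the suppression explicitly before any introspection of the
        // bean class happens, since descriptors are cached per class.
        beanUtils.getPropertyUtils()
                 .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);

        // Constructed request parameters: only the whitelisted property is copied.
        LoginForm form = new LoginForm();
        Map<String, Object> params = new HashMap<>();
        params.put("username", "alice");
        beanUtils.populate(form, params);

        System.out.println("username=" + form.getUsername());
        System.out.println("class property suppressed: "
                + classPropertyIsSuppressed(beanUtils, form));
    }
}
```

Running the check against the `BeanUtilsBean` instance your application actually uses (rather than a fresh one) is what tells you whether the suppression is in effect on your code path.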