-
1. Re: security vulnerabilities in TEIID embedded 9.0.1
rareddy Oct 12, 2016 9:34 AM (in response to durgadatta)
You start by adding a JIRA, then you can work on it and submit a patch; we will evaluate it and accept the changes. Since 9.0.1 has already been out there for a little while, they may have to be included with 9.1 (being released THIS week).
Ramesh.
-
2. Re: security vulnerabilities in TEIID embedded 9.0.1
shawkins Oct 12, 2016 12:27 PM (in response to rareddy)
These are transitive dependencies that typically have managed overrides from wildfly. For example xalan usage in 9.0.1 should resolve to version 2.7.1.jbossorg-1 instead. Can you share the details of your pom that is pulling in the undesirable dependencies?
-
3. Re: security vulnerabilities in TEIID embedded 9.0.1
durgadatta Oct 13, 2016 3:38 AM (in response to shawkins)
Hi Steven,
I have attached the pom.xml that I used for the teiid plugin, PFA.
In the teiid pom it is using XOM, and XOM internally uses xalan 2.7.0; I have added the exclusion in our pom for xalan.
But for the others, i.e. httpclient-4.3.2.jar and Spring Framework 3.2.12, the vulnerabilities are fixed in their latest versions (httpclient-4.5.2, httpcore-4.4.4 and spring-3.2.16).
Thanks,
Durga
-
pom.xml.zip 400 bytes
-
-
4. Re: security vulnerabilities in TEIID embedded 9.0.1
durgadatta Oct 13, 2016 8:55 AM (in response to durgadatta)
Just for a quick solution I was trying to override the dependencies in my pom.xml for Spring and HttpClient, and I am able to build it with the latest versions of the dependencies. Do you think it will have any hidden problem?
I added the following dependencies in my pom.xml to override:
<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpcore</artifactId>
    <version>4.4.4</version>
</dependency>
<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
    <version>4.5.2</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-core</artifactId>
    <version>3.2.16.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-beans</artifactId>
    <version>3.2.16.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-context</artifactId>
    <version>3.2.16.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-expression</artifactId>
    <version>3.2.16.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-tx</artifactId>
    <version>3.2.16.RELEASE</version>
</dependency>
Thanks,
Durga
-
5. Re: security vulnerabilities in TEIID embedded 9.0.1
rareddy Oct 13, 2016 11:02 AM (in response to durgadatta)
All these resources are typically used with either the "webservices" translator or the Salesforce translator. So if you want to make the functionality then report back, that would be fine. The httpclient ones are used only in Salesforce, and Spring is used in both and has a very limited role, so there should not be much of an issue with that.
-
6. Re: security vulnerabilities in TEIID embedded 9.0.1
shawkins Oct 13, 2016 12:42 PM (in response to rareddy)
In your pom you can use the same managed dependencies as the container by including the following in dependencyManagement:
<dependency>
    <groupId>org.wildfly.core</groupId>
    <artifactId>wildfly-core-parent</artifactId>
    <type>pom</type>
    <version>${version.org.wildfly.core}</version>
    <scope>import</scope>
</dependency>
<dependency>
    <groupId>org.wildfly</groupId>
    <artifactId>wildfly-parent</artifactId>
    <type>pom</type>
    <version>${version.org.wildfly}</version>
    <scope>import</scope>
</dependency>
For 9.0.1, you would use the versions:
<version.org.wildfly>9.0.2.Final</version.org.wildfly>
<version.org.wildfly.core>1.0.1.Final</version.org.wildfly.core>
Of course, as Ramesh suggests, you can selectively override as well. But I think we need to promote the usage of the WildFly dependencies out of the box; can you open an issue for this?
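To show how the two approaches discussed in this thread fit together in one build file (the BOM import from this reply, the selective override from Durga's reply above, and the xalan exclusion from the earlier reply), here is a complete pom.xml as an added example. It is not code from the thread or from the Teiid project; the project coordinates are placeholders, and the Teiid, XOM and Xalan artifact coordinates (org.jboss.teiid:teiid-engine, xom:xom, xalan:xalan) are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread or the Teiid project).
     Assumed coordinates: org.jboss.teiid:teiid-engine for Teiid embedded,
     xalan:xalan for the Xalan artifact that XOM pulls in. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>               <!-- placeholder -->
  <artifactId>teiid-embedded-app</artifactId>  <!-- placeholder -->
  <version>1.0-SNAPSHOT</version>

  <properties>
    <!-- WildFly versions that match Teiid 9.0.1, as given in the thread -->
    <version.org.wildfly>9.0.2.Final</version.org.wildfly>
    <version.org.wildfly.core>1.0.1.Final</version.org.wildfly.core>
    <version.teiid>9.0.1</version.teiid>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Selective override: an entry declared directly here takes
           precedence over the same artifact in an imported BOM, so this
           pins httpclient to the version cited in the thread. -->
      <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>4.5.2</version>
      </dependency>
      <!-- Import the container's managed versions so that transitive
           dependencies resolve to the same versions WildFly ships. -->
      <dependency>
        <groupId>org.wildfly.core</groupId>
        <artifactId>wildfly-core-parent</artifactId>
        <type>pom</type>
        <version>${version.org.wildfly.core}</version>
        <scope>import</scope>
      </dependency>
      <dependency>
        <groupId>org.wildfly</groupId>
        <artifactId>wildfly-parent</artifactId>
        <type>pom</type>
        <version>${version.org.wildfly}</version>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.jboss.teiid</groupId>      <!-- assumed coordinates -->
      <artifactId>teiid-engine</artifactId>
      <version>${version.teiid}</version>
      <exclusions>
        <!-- Drop the xalan 2.7.0 reached through XOM, as Durga did.
             Alternatively leave it in and rely on the BOM's managed
             2.7.1.jbossorg-1 mentioned earlier in the thread. -->
        <exclusion>
          <groupId>xalan</groupId>             <!-- assumed coordinates -->
          <artifactId>xalan</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

After changing the pom, confirm what actually ends up on the classpath rather than trusting the declarations: `mvn dependency:tree -Dincludes=org.apache.httpcomponents,org.springframework,xalan` prints only the matching branches, so any artifact still resolving to an older version (or to a version the BOM does not manage) is visible at once.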
-
7. Re: security vulnerabilities in TEIID embedded 9.0.1
durgadatta Oct 14, 2016 4:21 AM (in response to shawkins)