[BackPort]: CVE Fixes from Upstream #174
Let's make sure we "rebase and merge" for this PR and DO NOT squash. Otherwise it will be very hard to keep track of which patches we have merged or not, and make it hard to revert if some cause unexpected issues.
@Pankaj260100 can you update the PR description to include the set of patches you are backporting? Right now the description only lists one, but I see others.
LGTM. All commits are cherry-picks from master except using set instead of list, which is being used for fixing the tests. You should add it in the upstream as well.
apache#15363) Patched security vulnerability by updating Ranger libraries to the newest available version.
…15441)
* update confluent's dependencies to a common, supported version. Update io.confluent.* dependencies to the common, updated version 6.2.12; currently used versions are EOL
* move version definition to the top level pom
…pache#15443) Recent upgrade of ranger introduced CVE regressions due to outdated elasticsearch components. Druid-ranger-plugin does not use elasticsearch components, and they have been explicitly removed. Update woodstox-core to 6.4.0 to address GHSA-3f7h-mf4q-vrm4
Update multiple dependencies to clear CVEs:
- Update dropwizard-metrics to 4.2.22 to address GHSA-mm8h-8587-p46h in com.rabbitmq:amqp-client
- Update ant to 1.10.14 to resolve GHSA-f62v-xpxf-3v68, GHSA-4p6w-m9wc-c9c9, GHSA-q5r4-cfpx-h6fh, GHSA-5v34-g2px-j4fw
- Update commons-compress to resolve GHSA-cgwf-w82q-5jrr
- Update jose4j to 0.9.3 to resolve GHSA-7g24-qg88-p43q, GHSA-jgvc-jfgh-rjvv
- Update kotlin-stdlib to 1.6.0 to resolve GHSA-cqj8-47ch-rvvq and CVE-2022-24329
Update guava to 32.0.1-jre to address two CVEs: CVE-2020-8908, CVE-2023-2976 This change requires a minor test change to remove assumptions about ordering. --------- Co-authored-by: Xavier Léauté <[email protected]>
…che#15446)
- Licenses file contains several licenses for outdated libraries. In this PR we remove licenses for no longer used components. This change is purely cosmetic / cleans up the license database. The candidates were designated by reviewing the output of the license check script and comparing it against the dependency tree.
- Minor fix to license check tool to fail more gracefully when the license of a used dependency is not listed as known, as well as a fix not to fail on multi-licensed components when at least one of the licenses is accepted.
--------- Co-authored-by: Xavier Léauté <[email protected]>
Upgrade Jackson to version 2.12.7.1 to address CVE-2022-42003, CVE-2022-42004 which affects jackson-databind. Upgrade com.google.code.gson:gson from 2.2.4 to the latest version (2.10.1) since 2.2.4 is affected by CVE-2022-25647.
…ion (apache#15481)
* Excluding jackson-jaxrs dependency from ranger-plugin-common to address CVE regression introduced by ranger-upgrade: CVE-2019-10202, CVE-2019-10172
* remove the reference to outdated ranger 2.0 from the docs
--------- Co-authored-by: Xavier Léauté <[email protected]>
This change completes the change introduced in apache#15461 and unifies the version of gson dependency used between all the modules. gson is used by kubernetes-extension, avro-extensions, ranger-security, and as a test dependency in several core modules. --------- Co-authored-by: Xavier Léauté <[email protected]>
…che#15449) Update of direct dependencies:
* kubernetes java-client to 19.0.0
* docker-java-bom to 3.3.4
In order to update transitive dependencies:
* okio to 3.6.0
* bcjava to 1.76
To address CVEs:
- CVE-2023-3635 in okio
- CVE-2023-33201 in bcjava
--------- Co-authored-by: Xavier Léauté <[email protected]>
* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878
* add CVE suppression and notes, since vulnerability scan still shows this CVE
* Add tests to improve coverage
* unpin snakeyaml globally, add suppressions and licenses
* pin snakeyaml in the specific modules that require version 1.x, update licenses and owasp suppression
This removes the pin of the Snakeyaml introduced in: apache#14519
After the updates of io.kubernetes.java-client and io.confluent.kafka-clients, the only uses of Snakeyaml 1.x are:
- in test scope, transitive dependency of jackson-dataformat-yaml:jar:2.12.7
- in compile scope in contrib extension druid-cassandra-storage
- in compile scope in it-tests.
With the dependency version un-pinned, io.kubernetes.java-client and io.confluent.kafka-clients bring Snakeyaml versions 2.0 and 2.2, consequently allowing a Druid distribution to be built without the contrib extension and free of vulnerable Snakeyaml versions.
Backporting Changes:
One extra commit, 3cb7afd, fixes test cases. These test cases start failing because of apache#15482.