Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BACKPORT] Fix CVEs for zookeeper, nimbus-jose-jwt and netty4 #204

Merged
merged 4 commits into from
Jun 3, 2024
Merged

[BACKPORT] Fix CVEs for zookeeper, nimbus-jose-jwt and netty4 #204

merged 4 commits into from
Jun 3, 2024

Conversation

pagrawal10
Copy link

This PR backports these commits from upstream:

These are needed to fix CVEs present in the current image.

Fixes #XXXX.

Description

Fixed the bug ...

Renamed the class ...

Added a forbidden-apis entry ...

Release note

For tips about how to write a good release note, see Release notes.

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

georgew5656 and others added 3 commits June 1, 2024 09:29
@georgew5656 @abhishekagarwal87
@317brian @pagrawal10
Azure client upgrade to allow identity options (apache#15287)
930dcb5 
* Include new dependencies

* Mostly implemented

* More azure fixes

* Tests passing

* Unit tests running

* Test running after removing storage exception

* Happy with coverage now

* Add more tests

* fix client factory

* cleanup from testing

* Remove old client

* update docs

* Exclude from spellcheck

* Add licenses

* Fix identity version

* Save work

* Add azure clients

* add licenses

* typos

* Add dependencies

* Exception is not thrown

* Fix intellij check

* Don't need to override

* specify length

* urldecode

* encode path

* Fix checks

* Revert urlencode changes

* Urlencode with azure library

* Update docs/development/extensions-core/azure.md

Co-authored-by: Abhishek Agarwal <[email protected]>

* PR changes

* Update docs/development/extensions-core/azure.md

Co-authored-by: 317brian <[email protected]>

* Deprecate AzureTaskLogsConfig.maxRetries

* Clean up azure retry block

* logic update to reuse clients

* fix comments

* Create container conditionally

* Fix key auth

* Remove container client logic

* Add some more testing

* Update comments

* Add a comment explaining client reuse

* Move logic to factory class

* use bom for dependency management

* fix license versions

---------

Co-authored-by: Abhishek Agarwal <[email protected]>
Co-authored-by: 317brian <[email protected]>
@janjwerner-confluent @pagrawal10
update netty and zookeeper dependencies to address CVEs (apache#16267)
8540445 
 Update dependencies to address CVEs:
- Update netty from 4.1.107.Final to 4.1.108.Final to address: CVE-2024-29025
- Update zookeeper from 3.8.3 to 3.8.4 to address: CVE-2024-23944

Release notes:
- Update netty from 4.1.107.Final to 4.1.108.Final to address: CVE-2024-29025
- Update zookeeper from 3.8.3 to 3.8.4 to address: CVE-2024-23944
@pagrawal10
[CVE Fixes] Update version of Nimbus.jose.jwt (apache#16320)
91aaac4 
* Update version of nimbus.jose.jwt.version

* update licenses.yaml
@pagrawal10 pagrawal10 requested review from a team as code owners June 1, 2024 04:05
@cla-assistant CLA Assistant
Copy link

cla-assistant bot commented Jun 1, 2024

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
2 out of 3 committers have signed the CLA.

✅ janjwerner-confluent
✅ pagrawal10
❌ georgew5656
You have signed the CLA already but the status is still pending? Let us recheck it.

@pagrawal10 pagrawal10 enabled auto-merge (rebase) June 1, 2024 04:07
rbankar7
rbankar7 previously approved these changes Jun 1, 2024
View reviewed changes
@janjwerner-confluent @pagrawal10
update dependencies to address CVEs (apache#16374)
f4edde5 
update dependencies to address new batch of CVEs:
- Azure POM from 1.2.19 to 1.2.23 to update transitive dependency nimbus-jose-jwt to address:  CVE-2023-52428
- commons-configuration2 from 2.8.0 to 2.10.1 to address: CVE-2024-29131 CVE-2024-29133
- bcpkix-jdk18on from 1.76 to 1.78.1 to address: CVE-2024-30172 CVE-2024-30171 CVE-2024-29857
@pagrawal10 pagrawal10 force-pushed the pagrawal/CONMON-5478 branch from 1c0251c to f4edde5 Compare June 2, 2024 17:21
@pagrawal10 pagrawal10 merged commit e21523d into 28.0.1-confluent Jun 3, 2024
1 of 2 checks passed
@pagrawal10 pagrawal10 deleted the pagrawal/CONMON-5478 branch June 3, 2024 10:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rbankar7 rbankar7 rbankar7 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@pagrawal10 @rbankar7 @georgew5656 @janjwerner-confluent