Upgrade avro & its dependencies to resolve CVEs #23943

Open. Wants to merge 1 commit into base: master

Conversation

@infvg infvg commented Nov 4, 2024

Description

Upgraded avro to version 1.11.4 to resolve CVE-2024-47561
Upgraded commons-compress to version 1.26.2
Upgraded commons-codec to version 1.17.0
Upgraded commons-lang3 to version 3.14.0
Upgraded commons-io to version 2.16.1

This also resolves the issue that caused the previous revert:
#23931

Motivation and Context

This upgrade was created to deal with CVEs found in lower versions.

Impact

None

Release Notes

== RELEASE NOTES ==

General Changes
* Upgrade avro to version 1.11.4 :pr:`23868`
* Upgrade commons-compress to version 1.26.2 :pr:`23868`
* Upgrade commons-codec to version 1.17.0 :pr:`23868`
* Upgrade commons-lang3 to version 3.14.0 :pr:`23868`
* Upgrade commons-io to version 2.16.1 :pr:`23868`

Upgrade avro & its dependencies to resolve CVE-2024-47561
If applied, this will:
Upgrade avro to version 1.11.4
Upgrade commons-compress to version 1.26.2
Upgrade commons-codec to version 1.17.0
Upgrade commons-lang3 to version 3.14.0
Upgrade commons-io to version 2.16.1
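A dependency bump like this one is only effective if the versions above are what Maven actually resolves, including transitive pulls from other modules. The following helper is an added example written for this page, not code from the Presto repository or from the PR: it parses `mvn dependency:tree` output and flags any of the five artifacts listed in the description that still resolve below the stated minimum. The module name in the constructed sample tree is hypothetical; the minimum versions are the ones the PR description gives.

```python
"""Flag Maven artifacts resolved below the minimum versions this PR moves Presto to.

Added verification helper, not part of the Presto repository. Feed it the output of
`mvn dependency:tree` on stdin, or run it stand-alone against the constructed sample below.
"""
import sys
from typing import Dict, List, Tuple

# Minimum versions taken from the PR description; avro 1.11.4 is the release the
# description names as the fix for CVE-2024-47561.
MIN_VERSIONS: Dict[str, str] = {
    "org.apache.avro:avro": "1.11.4",
    "org.apache.commons:commons-compress": "1.26.2",
    "commons-codec:commons-codec": "1.17.0",
    "org.apache.commons:commons-lang3": "3.14.0",
    "commons-io:commons-io": "2.16.1",
}

# Constructed sample in `mvn dependency:tree` format (hypothetical module name).
# commons-codec is deliberately left at 1.15 so the check has something to report.
SAMPLE_TREE = """\
[INFO] com.facebook.presto:presto-example-module:jar:0.290-SNAPSHOT
[INFO] +- org.apache.avro:avro:jar:1.11.4:compile
[INFO] |  +- org.apache.commons:commons-compress:jar:1.26.2:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.15.2:compile
[INFO] +- commons-codec:commons-codec:jar:1.15:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.14.0:compile
[INFO] \\- commons-io:commons-io:jar:2.16.1:compile
"""


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn a Maven version into a comparable tuple.

    The dotted numeric prefix is padded to four components so that 1.15 == 1.15.0,
    and a hyphenated qualifier (e.g. -SNAPSHOT) sorts below the plain release.
    Non-numeric components are treated as 0; this is a conservative helper, not a
    full implementation of Maven's version ordering.
    """
    core, sep, _qualifier = version.partition("-")
    nums = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    nums += [0] * (4 - len(nums))
    return tuple(nums[:4]) + ((-1 if sep else 0),)


def parse_tree(text: str) -> List[Tuple[str, str]]:
    """Return (groupId:artifactId, version) for every dependency line of a non-verbose tree.

    Each dependency line ends in groupId:artifactId:type[:classifier]:version:scope,
    so the version is always the second-to-last colon-separated field. The root
    artifact line has only four fields and is skipped.
    """
    deps: List[Tuple[str, str]] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        fields = tokens[-1].split(":")
        if len(fields) < 5:
            continue
        deps.append((f"{fields[0]}:{fields[1]}", fields[-2]))
    return deps


def find_downlevel(tree_text: str,
                   minimums: Dict[str, str] = MIN_VERSIONS) -> List[Tuple[str, str, str]]:
    """Return (coordinate, resolved_version, required_version) for every tracked artifact
    that resolves below its minimum. An empty list means the upgrade took effect."""
    findings: List[Tuple[str, str, str]] = []
    for coord, version in parse_tree(tree_text):
        required = minimums.get(coord)
        if required is not None and version_tuple(version) < version_tuple(required):
            findings.append((coord, version, required))
    return findings


if __name__ == "__main__":
    # Use piped `mvn dependency:tree` output when present, otherwise the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    results = find_downlevel(text)
    for coord, found, required in results:
        print(f"DOWNLEVEL {coord} resolved {found}, requires >= {required}")
    # Non-zero exit lets this gate a CI job once the upgrade lands.
    sys.exit(1 if results else 0)
```

Run it as `mvn dependency:tree | python check_versions.py` from the module that failed the internal build; a non-empty result points at the module still pinning an older artifact, which is exactly the class of problem the earlier revert described. The parser assumes the default (non-verbose) tree format; `-Dverbose` output appends conflict annotations that it does not interpret.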
@steveburnett

Thanks for the release note entry! Nit to use present tense instead of past tense, as shown in the Order of changes.

== RELEASE NOTES ==

General Changes
* Upgrade avro to version 1.11.4 :pr:`23868`
* Upgrade commons-compress to version 1.26.2 :pr:`23868`
* Upgrade commons-codec to version 1.17.0 :pr:`23868`
* Upgrade commons-lang3 to version 3.14.0 :pr:`23868`
* Upgrade commons-io to version 2.16.1 :pr:`23868`

@infvg infvg marked this pull request as ready for review November 4, 2024 17:55
@infvg infvg requested a review from a team as a code owner November 4, 2024 17:55
@infvg infvg requested a review from presto-oss November 4, 2024 17:55

infvg commented Nov 4, 2024

@konjac-h @rschlussel could you please test this commit to make sure it works with Meta's internal module? Thank you
cc: @tdcmeehan


konjac-h commented Nov 7, 2024

@infvg the current PR is still failing the module. I will see what I can do, either taking over the change or having a duplicate dummy module in the presto repo for you to test it. Let me get back to you later this week.
