Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[fix][sec] Upgrade commons-compress to 1.26.0 #22086

Merged
merged 2 commits into from
Feb 21, 2024
Merged

[fix][sec] Upgrade commons-compress to 1.26.0 #22086

merged 2 commits into from
Feb 21, 2024

Conversation

massakam
Copy link
Contributor

@massakam massakam commented Feb 21, 2024
edited
Loading

Motivation

commons-compress 1.21 has the following vulnerability and should be upgraded to 1.26.0.
https://nvd.nist.gov/vuln/detail/CVE-2024-25710

Verifying this change

  • Make sure that the change passes the CI checks.

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

@massakam massakam added type/bug The PR fixed a bug or issue reported a bug area/security doc-not-needed Your PR changes do not impact docs ready-to-test labels Feb 21, 2024
@massakam massakam added this to the 3.3.0 milestone Feb 21, 2024
@massakam massakam self-assigned this Feb 21, 2024
@massakam massakam mentioned this pull request Feb 21, 2024
Closed
@lhotari
Copy link
Member

lhotari commented Feb 21, 2024

JavaInstanceDepsTest seems to be failing. Please take a look.

lhotari
lhotari approved these changes Feb 21, 2024
View reviewed changes
Copy link
Member

@lhotari lhotari left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@massakam
Copy link
Contributor Author

commons-compress v1.21 has no dependencies on other libraries, but v1.26.0 has dependencies on commons-io and commons-lang3, which seems to cause JavaInstanceDepsTest to fail.

[INFO] +- org.apache.commons:commons-compress:jar:1.26.0:compile
[INFO] |  +- commons-io:commons-io:jar:2.15.1:compile
[INFO] |  \- org.apache.commons:commons-lang3:jar:3.14.0:compile

Therefore, I modified JavaInstanceDepsTest so that the test passes even if java-instance.jar includes classes from these libraries. Please let me know if this change is incorrect.

@lhotari
Copy link
Member

lhotari commented Feb 21, 2024

commons-compress v1.21 has no dependencies on other libraries, but v1.26.0 has dependencies on commons-io and commons-lang3, which seems to cause JavaInstanceDepsTest to fail.

[INFO] +- org.apache.commons:commons-compress:jar:1.26.0:compile
[INFO] |  +- commons-io:commons-io:jar:2.15.1:compile
[INFO] |  \- org.apache.commons:commons-lang3:jar:3.14.0:compile

Therefore, I modified JavaInstanceDepsTest so that the test passes even if java-instance.jar includes classes from these libraries. Please let me know if this change is incorrect.

@massakam Makes sense. Thanks for addressing this.

@lhotari lhotari merged commit 613a771 into apache:master Feb 21, 2024
52 of 53 checks passed
@massakam massakam deleted the bump-commons-compress branch February 21, 2024 09:52
lhotari pushed a commit that referenced this pull request Feb 21, 2024
@massakam @lhotari
[fix][sec] Upgrade commons-compress to 1.26.0 (#22086)
f01a3a5 
(cherry picked from commit 613a771)
lhotari pushed a commit that referenced this pull request Feb 21, 2024
@massakam @lhotari
[fix][sec] Upgrade commons-compress to 1.26.0 (#22086)
e896023 
(cherry picked from commit 613a771)
lhotari pushed a commit that referenced this pull request Feb 21, 2024
@massakam @lhotari
[fix][sec] Upgrade commons-compress to 1.26.0 (#22086)
556ff18 
(cherry picked from commit 613a771)
lhotari pushed a commit that referenced this pull request Feb 21, 2024
@massakam @lhotari
[fix][sec] Upgrade commons-compress to 1.26.0 (#22086)
53fc9e9 
(cherry picked from commit 613a771)
lhotari pushed a commit that referenced this pull request Feb 21, 2024
@massakam @lhotari
[fix][sec] Upgrade commons-compress to 1.26.0 (#22086)
179016b 
(cherry picked from commit 613a771)
nodece pushed a commit to nodece/pulsar that referenced this pull request Feb 23, 2024
@massakam @nodece
[fix][sec] Upgrade commons-compress to 1.26.0 (apache#22086)
c43645f 
(cherry picked from commit 613a771)
mukesh-ctds pushed a commit to datastax/pulsar that referenced this pull request Mar 1, 2024
@massakam @mukesh-ctds
[fix][sec] Upgrade commons-compress to 1.26.0 (apache#22086)
bfbaee2 
(cherry picked from commit 613a771)
(cherry picked from commit e896023)
mukesh-ctds pushed a commit to datastax/pulsar that referenced this pull request Mar 6, 2024
@massakam @mukesh-ctds
[fix][sec] Upgrade commons-compress to 1.26.0 (apache#22086)
25a0a7f 
(cherry picked from commit 613a771)
(cherry picked from commit e896023)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dao-jun dao-jun dao-jun approved these changes

@RobertIndie RobertIndie RobertIndie approved these changes

@lhotari lhotari lhotari approved these changes

Assignees

@massakam massakam

Labels
area/security cherry-picked/branch-2.10 cherry-picked/branch-2.11 cherry-picked/branch-3.0 cherry-picked/branch-3.1 cherry-picked/branch-3.2 doc-not-needed Your PR changes do not impact docs ready-to-test release/2.10.6 release/2.11.4 release/3.0.3 release/3.1.3 release/3.2.1 type/bug The PR fixed a bug or issue reported a bug
Projects
None yet
Milestone
3.3.0
Development

Successfully merging this pull request may close these issues.
4 participants
@massakam @lhotari @RobertIndie @dao-jun