
Fix CVE-2023-35165, CVE-2023-34455, CVE-2023-34453, CVE-2023-34454, C… #2948

Merged
merged 2 commits into from
Jun 29, 2023

Conversation

asifsmohammed
Collaborator

@asifsmohammed asifsmohammed commented Jun 28, 2023

Description

Fixes CVE-2023-35165, CVE-2023-34455, CVE-2023-34453, CVE-2023-34454, CVE-2023-2976

Issues Resolved

resolves #2933, resolves #2924, resolves #2904, resolves #2903, resolves #2902, resolves #2901

Check List

  • New functionality includes testing.
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed with a real name per the DCO

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

…VE-2023-2976

Signed-off-by: Asif Sohail Mohammed <nsifmoh@amazon.com>
@asifsmohammed
Collaborator Author

There is a build failure unrelated to this change in the geo-ip processor

Comment on lines +180 to +181
} else if (details.requested.group == 'org.xerial.snappy' && details.requested.name == 'snappy-java') {
details.useTarget group: 'org.xerial.snappy', name: 'snappy-java', version: '1.1.10.1'
Collaborator

Is this going to override the versions defined in individual packages like this?

implementation 'org.xerial.snappy:snappy-java:1.1.9.1'

Collaborator Author

Yes. I didn't update the dependency version directly because parquet-avro also has the older version of snappy-java as a transitive dependency. But I can update it in s3-source as well.
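The exchange above is about a Gradle resolution rule that pins snappy-java to the patched release for every request, including the transitive one from parquet-avro. The fragment below is an added example written for this page, not the data-prepper project's own build file: it shows the rule in its surrounding `configurations.all` block and adds a build-time check so a future dependency bump cannot silently reintroduce the old version. The task name `verifySnappyVersion`, the use of the `runtimeClasspath` configuration and the `because` reason text are assumptions; the coordinates and versions come from the PR.

```groovy
// Added example (not the project's build.gradle): force every request for
// snappy-java, direct or transitive, onto the patched 1.1.10.1 release.
configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        if (details.requested.group == 'org.xerial.snappy' && details.requested.name == 'snappy-java') {
            // Applies even when a module (e.g. parquet-avro) declares an older version.
            details.useTarget group: 'org.xerial.snappy', name: 'snappy-java', version: '1.1.10.1'
            // Reason text is an assumption; it shows up in `dependencyInsight` output.
            details.because 'Use patched snappy-java across direct and transitive dependencies'
        }
    }
}

// Assumed task name: fail the build if any other snappy-java version survived resolution,
// so a later dependency upgrade cannot quietly bring the vulnerable version back.
tasks.register('verifySnappyVersion') {
    doLast {
        def snappyVersions = configurations.runtimeClasspath
            .resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'org.xerial.snappy' && it.name == 'snappy-java' }
            .collect { it.version }
            .unique()
        if (snappyVersions != ['1.1.10.1']) {
            throw new GradleException("Unexpected snappy-java version(s) on runtimeClasspath: ${snappyVersions}")
        }
    }
}
```

To see which declaration originally requested the old version and confirm the rule applied, run `gradle dependencyInsight --dependency snappy-java --configuration runtimeClasspath`.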

Signed-off-by: Asif Sohail Mohammed <nsifmoh@amazon.com>
@asifsmohammed asifsmohammed merged commit 8e2145c into opensearch-project:main Jun 29, 2023
opensearch-trigger-bot bot pushed a commit that referenced this pull request Jun 29, 2023
#2948)

* Fix CVE-2023-35165, CVE-2023-34455, CVE-2023-34453, CVE-2023-34454, CVE-2023-2976

Signed-off-by: Asif Sohail Mohammed <nsifmoh@amazon.com>

* Updated snappy version in build.gradle files

Signed-off-by: Asif Sohail Mohammed <nsifmoh@amazon.com>

---------

Signed-off-by: Asif Sohail Mohammed <nsifmoh@amazon.com>
(cherry picked from commit 8e2145c)
asifsmohammed added a commit that referenced this pull request Jul 11, 2023
#2948) (#2952)

* Fix CVE-2023-35165, CVE-2023-34455, CVE-2023-34453, CVE-2023-34454, CVE-2023-2976

Signed-off-by: Asif Sohail Mohammed <nsifmoh@amazon.com>

* Updated snappy version in build.gradle files

Signed-off-by: Asif Sohail Mohammed <nsifmoh@amazon.com>

---------

Signed-off-by: Asif Sohail Mohammed <nsifmoh@amazon.com>
(cherry picked from commit 8e2145c)

Co-authored-by: Asif Sohail Mohammed <nsifmoh@amazon.com>
MaGonzalMayedo pushed a commit to MaGonzalMayedo/data-prepper that referenced this pull request Jul 25, 2023
opensearch-project#2948)

* Fix CVE-2023-35165, CVE-2023-34455, CVE-2023-34453, CVE-2023-34454, CVE-2023-2976

Signed-off-by: Asif Sohail Mohammed <nsifmoh@amazon.com>

* Updated snappy version in build.gradle files

Signed-off-by: Asif Sohail Mohammed <nsifmoh@amazon.com>

---------

Signed-off-by: Asif Sohail Mohammed <nsifmoh@amazon.com>
Signed-off-by: Marcos Gonzalez Mayedo <alemayed@amazon.com>