
[Security] Bump aircompressor and commons-compress to fix CVE problems #3863

Merged (6 commits), Aug 13, 2024

Conversation

Smith-Cruise (Contributor)

┌────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│                      Library                       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ io.airlift:aircompressor (paimon-bundle-0.8.2.jar) │ CVE-2024-36114 │ HIGH     │ fixed  │ 0.21              │ 0.27          │ Decompressors can crash the JVM and leak memory content in  │
│                                                    │                │          │        │                   │               │ Aircompressor                                               │
│                                                    │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-36114                  │
├────────────────────────────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ org.apache.commons:commons-compress                │ CVE-2024-25710 │          │        │ 1.22              │ 1.26.0        │ commons-compress: Denial of service caused by an infinite   │
│ (paimon-bundle-0.8.2.jar)                          │                │          │        │                   │               │ loop for a corrupted...                                     │
│                                                    │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-25710                  │
│                                                    ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2024-26308 │          │        │                   │               │ commons-compress: OutOfMemoryError unpacking broken Pack200 │
│                                                    │                │          │        │                   │               │ file                                                        │
│                                                    │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-26308                  │
│                                                    ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2023-42503 │ MEDIUM   │        │                   │ 1.24.0        │ apache-commons-compress: Denial of service via CPU          │
│                                                    │                │          │        │                   │               │ consumption for malformed TAR file                          │
│                                                    │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42503                  │
└────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

Purpose

fix it

Tests

API and Format

Documentation

@@ -57,6 +57,14 @@ under the License.
<version>${airlift.version}</version>
</dependency>

<!-- From paimon-format -->
<!-- From org.apache.avro -->
<dependency>
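Review bot: the coordinates of the dependency opened by the new `<dependency>` line fall outside the shown lines, so this hunk alone does not let a reviewer confirm which artifact is being pinned or at which version; please include the full `<groupId>`/`<artifactId>`/`<version>` block in the hunk context. The added comment `<!-- From org.apache.avro -->` marks the artifact as a transitive dependency pulled in via Avro from paimon-format, which argues for overriding it in paimon-format's own pom rather than only in the bundle, so that consumers of paimon-format that do not use the bundle also receive the fixed version. Note also that the aircompressor version in the unchanged context line `<version>${airlift.version}</version>` is resolved from a property this hunk does not touch, so the CVE-2024-36114 fix (0.27 per the scan table) depends on that property being bumped elsewhere in the PR; that change should be confirmed separately.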
Contributor

You should bundle this in paimon-format

Contributor Author

Did you mean moving commons-compress to paimon-format?

Contributor

Yes.
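To make the agreed approach concrete, the following pom fragment is an added illustration, not code from this PR or from the Paimon project, of pinning the transitive commons-compress version inside the module that originates it (paimon-format, via Avro) instead of only in the bundle. The module layout, the `paimon-format` pom placement and the `commons-compress.version` / `airlift.version` property names are assumptions; the version numbers are the "Installed" and "Fixed" values from the scan table above. A `dependencyManagement` entry overrides whatever version Avro declares for the artifact, and the bundle then inherits the fixed version from paimon-format rather than carrying its own pin.

```xml
<!-- paimon-format/pom.xml (assumed location; added example, not project code) -->
<properties>
  <!-- Weak setting: 1.22 is the version the scan found in paimon-bundle-0.8.2.jar
       and is affected by CVE-2024-25710, CVE-2024-26308 and CVE-2023-42503.
       Corrected setting: 1.26.0 is the earliest version the scan lists as fixed
       for all three. Property name is an assumption. -->
  <!-- <commons-compress.version>1.22</commons-compress.version> -->
  <commons-compress.version>1.26.0</commons-compress.version>

  <!-- aircompressor is resolved through ${airlift.version} in the bundle pom;
       0.21 is the vulnerable version (CVE-2024-36114), 0.27 the fixed one. -->
  <!-- <airlift.version>0.21</airlift.version> -->
  <airlift.version>0.27</airlift.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Forces the transitive dependency Avro pulls in to the fixed version,
         regardless of the version Avro's own pom declares. -->
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-compress</artifactId>
      <version>${commons-compress.version}</version>
    </dependency>
    <dependency>
      <groupId>io.airlift</groupId>
      <artifactId>aircompressor</artifactId>
      <version>${airlift.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After the change, `mvn dependency:tree -Dincludes=org.apache.commons:commons-compress,io.airlift:aircompressor` run from the bundle module shows which version is actually resolved, which is the check worth repeating once the bundle jar is rebuilt, since the scan in the description was run against the shaded jar rather than the pom.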

Signed-off-by: Smith Cruise <[email protected]>
@Smith-Cruise (Contributor Author)

For avro, I didn't know why the UT couldn't pass.

I've tried bumping avro to 1.12.0, but ci failed.

@JingsongLi (Contributor) left a comment

+1

@JingsongLi JingsongLi merged commit 16f3629 into apache:master Aug 13, 2024
9 of 10 checks passed
@Smith-Cruise Smith-Cruise deleted the fix-cve branch August 13, 2024 12:44