diff --git a/opensearch-2.yaml b/opensearch-2.yaml index 2739aca151c..73afee845c4 100644 --- a/opensearch-2.yaml +++ b/opensearch-2.yaml @@ -4,8 +4,8 @@ # same version they are installed into. package: name: opensearch-2 - version: 2.11.1 - epoch: 8 # Remove CVE-2022-45146 patch when bumping to 2.12 or later + version: 2.12.0 + epoch: 0 # Remove CVE-2022-45146 patch when bumping to 2.12 or later description: Open source distributed and RESTful search engine. copyright: - license: Apache-2.0 @@ -73,35 +73,22 @@ data: index-management: "" job-scheduler: "" k-nn: "" - ml-commons: "ml-commons.patch" # Handles both CVE-2023-51074, CVE-2023-42503 - neural-search: "CVE-2023-5072.patch" + ml-commons: "" + neural-search: "" notifications: "" observability: "" performance-analyzer: "" reporting: "" - security: "CVE-2023-44483.patch" + security: "" security-analytics: "" - sql: "CVE-2023-5072-sql.patch" + sql: "" pipeline: - uses: git-checkout with: repository: https://github.com/opensearch-project/OpenSearch tag: ${{package.version}} - expected-commit: 6b1986e964d440be9137eba1413015c31c5a7752 - - - uses: patch - with: - # Patch from: https://patch-diff.githubusercontent.com/raw/opensearch-project/OpenSearch/pull/10297.patch - patches: CVE-2022-45146.patch - - - uses: patch - with: - patches: CVE-2023-46749.patch - - - uses: patch - with: - patches: CVE-2023-34054.patch + expected-commit: 2c355ce1a427e4a528778d4054436b5c4b756221 - runs: | echo "org.gradle.daemon=false" >> gradle.properties 
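Review bot: The comment kept on the new `epoch: 0` line in the first hunk, `# Remove CVE-2022-45146 patch when bumping to 2.12 or later`, is stale. This same commit bumps to 2.12.0 and deletes both that patch file and its `patch` pipeline step. Leaving the reminder in place tells the next maintainer that a CVE patch is still pending removal, so the line should read just `epoch: 0`.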
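Review bot: Nothing in the second hunk records that the 2.12.0 sources already contain the fixes that the removed entries supplied. The cleared `data:` values cover ml-commons (CVE-2023-51074, CVE-2023-42503), neural-search and sql (CVE-2023-5072) and security (CVE-2023-44483), and the three dropped `patch` steps cover CVE-2022-45146, CVE-2023-46749 and CVE-2023-34054. The deleted patch files give the minimum versions to check in the resolved dependencies: org.json 20231013, xmlsec 2.3.4, shiro-core 1.13.0, reactor-netty-http 1.1.13, bc-fips 1.0.2.4, json-path 2.9.0 and commons-compress 1.25.0. I would add a comment above the plugin map such as `# 2.12.0 carries the dependency bumps previously patched in; set a patch file name here again if a scan regresses`, and confirm those versions against the built artifacts before merging. Both the `data:` map and the trailing `runs:` block extend outside this hunk.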
@@ -189,6 +176,12 @@ subpackages: sed -i '/startParameter.excludedTaskNames=\[/ s/]/, "check"]/g' settings.gradle fi + # The OpenSearch version is misconfigured in the performance-analyzer plugin. + if [ "${{range.key}}" = "performance-analyzer" ]; then + sed -i 's/2.13.0-SNAPSHOT/${{package.version}}/g' build.gradle + fi + + echo "org.gradle.daemon=false" >> gradle.properties ./gradlew clean assemble -Dbuild.snapshot="false" -Dbuild.version_qualifier="" -x check -x integTest -x javadoc -PfailOnJavadocWarning=false --stacktrace diff --git a/opensearch-2/CVE-2022-45146.patch b/opensearch-2/CVE-2022-45146.patch deleted file mode 100644 index c8bd56f3bab..00000000000 --- a/opensearch-2/CVE-2022-45146.patch +++ /dev/null 
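Review bot: The added `sed` for performance-analyzer rewrites a hard-coded `2.13.0-SNAPSHOT` and exits successfully even when that string is absent. After an upstream fix or the next version bump, the plugin would be built against whatever version its build.gradle declares, with no signal that the workaround stopped applying. I would put a guard ahead of the sed, for example `grep -qF '2.13.0-SNAPSHOT' build.gradle || { echo 'performance-analyzer version workaround no longer applies' >&2; exit 1; }`, and escape the dots in the pattern (`s/2\.13\.0-SNAPSHOT/...`). The hunk also adds two blank lines after `fi` where one is enough. The enclosing `runs` script starts and ends outside the hunk.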
@@ -1,63 +0,0 @@ -From e0f639b78194304de5237a913a3c0caa7d621c7b Mon Sep 17 00:00:00 2001 -From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> -Date: Thu, 5 Oct 2023 00:56:46 +0000 -Subject: [PATCH 1/3] Bump org.bouncycastle:bc-fips in - /distribution/tools/plugin-cli - -Bumps org.bouncycastle:bc-fips from 1.0.2.3 to 1.0.2.4. - ---- -updated-dependencies: -- dependency-name: org.bouncycastle:bc-fips - dependency-type: direct:production - update-type: version-update:semver-patch -... - -Signed-off-by: dependabot[bot] ---- - distribution/tools/plugin-cli/build.gradle | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/distribution/tools/plugin-cli/build.gradle b/distribution/tools/plugin-cli/build.gradle -index 2db3fef55d02..b61a00aba04b 100644 ---- a/distribution/tools/plugin-cli/build.gradle -+++ b/distribution/tools/plugin-cli/build.gradle -@@ -38,7 +38,7 @@ dependencies { - compileOnly project(":server") - compileOnly project(":libs:opensearch-cli") - api "org.bouncycastle:bcpg-fips:1.0.7.1" -- api "org.bouncycastle:bc-fips:1.0.2.3" -+ api "org.bouncycastle:bc-fips:1.0.2.4" - testImplementation project(":test:framework") - testImplementation 'com.google.jimfs:jimfs:1.3.0' - testRuntimeOnly("com.google.guava:guava:${versions.guava}") { - -From 71123e5c35b11814df2a8aafe6d76a81ae0e5e41 Mon Sep 17 00:00:00 2001 -From: "dependabot[bot]" -Date: Thu, 5 Oct 2023 01:02:22 +0000 -Subject: [PATCH 2/3] Updating SHAs - -Signed-off-by: dependabot[bot] ---- - distribution/tools/plugin-cli/licenses/bc-fips-1.0.2.3.jar.sha1 | 1 - - distribution/tools/plugin-cli/licenses/bc-fips-1.0.2.4.jar.sha1 | 1 + - 2 files changed, 1 insertion(+), 1 deletion(-) - delete mode 100644 distribution/tools/plugin-cli/licenses/bc-fips-1.0.2.3.jar.sha1 - create mode 100644 distribution/tools/plugin-cli/licenses/bc-fips-1.0.2.4.jar.sha1 - -diff --git a/distribution/tools/plugin-cli/licenses/bc-fips-1.0.2.3.jar.sha1 
b/distribution/tools/plugin-cli/licenses/bc-fips-1.0.2.3.jar.sha1 -deleted file mode 100644 -index c71320050b7d..000000000000 ---- a/distribution/tools/plugin-cli/licenses/bc-fips-1.0.2.3.jar.sha1 -+++ /dev/null -@@ -1 +0,0 @@ --da62b32cb72591f5b4d322e6ab0ce7de3247b534 -\ No newline at end of file -diff --git a/distribution/tools/plugin-cli/licenses/bc-fips-1.0.2.4.jar.sha1 b/distribution/tools/plugin-cli/licenses/bc-fips-1.0.2.4.jar.sha1 -new file mode 100644 -index 000000000000..da37449f80d7 ---- /dev/null -+++ b/distribution/tools/plugin-cli/licenses/bc-fips-1.0.2.4.jar.sha1 -@@ -0,0 +1 @@ -+9008d04fc13da6455e6a792935b93b629757335d -\ No newline at end of file diff --git a/opensearch-2/CVE-2023-34054.patch b/opensearch-2/CVE-2023-34054.patch deleted file mode 100644 index 208ee4b7fe1..00000000000 --- a/opensearch-2/CVE-2023-34054.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/plugins/repository-azure/build.gradle b/plugins/repository-azure/build.gradle -index 2695d3f..f53c944 100644 ---- a/plugins/repository-azure/build.gradle -+++ b/plugins/repository-azure/build.gradle -@@ -60,7 +60,7 @@ dependencies { - api 'io.projectreactor:reactor-core:3.5.6' - api 'io.projectreactor.netty:reactor-netty:1.1.8' - api 'io.projectreactor.netty:reactor-netty-core:1.1.8' -- api 'io.projectreactor.netty:reactor-netty-http:1.1.9' -+ api 'io.projectreactor.netty:reactor-netty-http:1.1.13' - api "org.slf4j:slf4j-api:${versions.slf4j}" - api "com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}" - api "com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}" \ No newline at end of file diff --git a/opensearch-2/CVE-2023-44483.patch b/opensearch-2/CVE-2023-44483.patch deleted file mode 100644 index 9d8bbd21cf0..00000000000 --- a/opensearch-2/CVE-2023-44483.patch +++ /dev/null 
@@ -1,13 +0,0 @@ -diff --git a/build.gradle b/build.gradle -index 67d5c6d..34cf14b 100644 ---- a/build.gradle -+++ b/build.gradle -@@ -587,7 +587,7 @@ dependencies { - runtimeOnly "org.glassfish.jaxb:txw2:${jaxb_version}" - runtimeOnly 'com.fasterxml.woodstox:woodstox-core:6.5.1' - runtimeOnly 'org.apache.ws.xmlschema:xmlschema-core:2.3.1' -- runtimeOnly 'org.apache.santuario:xmlsec:2.3.3' -+ runtimeOnly 'org.apache.santuario:xmlsec:2.3.4' - runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}" - runtimeOnly 'org.checkerframework:checker-qual:3.38.0' - runtimeOnly "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}" \ No newline at end of file diff --git a/opensearch-2/CVE-2023-46749.patch b/opensearch-2/CVE-2023-46749.patch deleted file mode 100644 index 1d4df012a3a..00000000000 --- a/opensearch-2/CVE-2023-46749.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/plugins/identity-shiro/build.gradle b/plugins/identity-shiro/build.gradle -index baa3464..1548780 100644 ---- a/plugins/identity-shiro/build.gradle -+++ b/plugins/identity-shiro/build.gradle -@@ -17,7 +17,7 @@ opensearchplugin { - } - - dependencies { -- implementation 'org.apache.shiro:shiro-core:1.11.0' -+ implementation 'org.apache.shiro:shiro-core:1.13.0' - - // Needed for shiro - implementation "org.slf4j:slf4j-api:${versions.slf4j}" \ No newline at end of file diff --git a/opensearch-2/CVE-2023-5072-sql.patch b/opensearch-2/CVE-2023-5072-sql.patch deleted file mode 100644 index 4a3bb1c7d4a..00000000000 --- a/opensearch-2/CVE-2023-5072-sql.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -diff --git a/legacy/build.gradle b/legacy/build.gradle -index d89f7af..7eb5489 100644 ---- a/legacy/build.gradle -+++ b/legacy/build.gradle -@@ -89,7 +89,7 @@ dependencies { - } - } - implementation group: 'com.google.guava', name: 'guava', version: '32.0.1-jre' -- implementation group: 'org.json', name: 'json', version:'20230227' -+ implementation group: 'org.json', name: 'json', version:'20231013' - implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.12.0' - implementation group: 'org.opensearch', name: 'opensearch', version: "${opensearch_version}" - // add geo module as dependency. https://github.com/opensearch-project/OpenSearch/pull/4180/. -diff --git a/opensearch/build.gradle b/opensearch/build.gradle -index 11f4a9b..2261a1b 100644 ---- a/opensearch/build.gradle -+++ b/opensearch/build.gradle -@@ -35,7 +35,7 @@ dependencies { - implementation group: 'com.fasterxml.jackson.core', name: 'jackson-core', version: "${versions.jackson}" - implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: "${versions.jackson_databind}" - implementation group: 'com.fasterxml.jackson.dataformat', name: 'jackson-dataformat-cbor', version: "${versions.jackson}" -- implementation group: 'org.json', name: 'json', version:'20230227' -+ implementation group: 'org.json', name: 'json', version:'20231013' - compileOnly group: 'org.opensearch.client', name: 'opensearch-rest-high-level-client', version: "${opensearch_version}" - implementation group: 'org.opensearch', name:'opensearch-ml-client', version: "${opensearch_build}" - -diff --git a/ppl/build.gradle b/ppl/build.gradle -index 484934d..7408d7a 100644 ---- a/ppl/build.gradle -+++ b/ppl/build.gradle -@@ -48,7 +48,7 @@ dependencies { - - implementation "org.antlr:antlr4-runtime:4.7.1" - implementation group: 'com.google.guava', name: 'guava', version: '32.0.1-jre' -- api group: 'org.json', name: 'json', version: '20230227' -+ api group: 'org.json', name: 
'json', version: '20231013' - implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version:'2.20.0' - api project(':common') - api project(':core') -diff --git a/prometheus/build.gradle b/prometheus/build.gradle -index f8c10c7..c2878ab 100644 ---- a/prometheus/build.gradle -+++ b/prometheus/build.gradle -@@ -22,7 +22,7 @@ dependencies { - implementation group: 'com.fasterxml.jackson.core', name: 'jackson-core', version: "${versions.jackson}" - implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: "${versions.jackson_databind}" - implementation group: 'com.fasterxml.jackson.dataformat', name: 'jackson-dataformat-cbor', version: "${versions.jackson}" -- implementation group: 'org.json', name: 'json', version: '20230227' -+ implementation group: 'org.json', name: 'json', version: '20231013' - - testImplementation('org.junit.jupiter:junit-jupiter:5.6.2') - testImplementation group: 'org.hamcrest', name: 'hamcrest-library', version: '2.1' -diff --git a/spark/build.gradle b/spark/build.gradle -index c06b5b6..99a4472 100644 ---- a/spark/build.gradle -+++ b/spark/build.gradle -@@ -47,7 +47,7 @@ dependencies { - implementation project(':datasources') - - implementation group: 'org.opensearch', name: 'opensearch', version: "${opensearch_version}" -- implementation group: 'org.json', name: 'json', version: '20230227' -+ implementation group: 'org.json', name: 'json', version: '20231013' - api group: 'com.amazonaws', name: 'aws-java-sdk-emr', version: '1.12.545' - api group: 'com.amazonaws', name: 'aws-java-sdk-emrserverless', version: '1.12.545' - implementation group: 'commons-io', name: 'commons-io', version: '2.8.0' -diff --git a/sql/build.gradle b/sql/build.gradle -index 44dc37c..a9e1787 100644 ---- a/sql/build.gradle -+++ b/sql/build.gradle -@@ -46,7 +46,7 @@ dependencies { - - implementation "org.antlr:antlr4-runtime:4.7.1" - implementation group: 'com.google.guava', name: 'guava', version: '32.0.1-jre' -- implementation 
group: 'org.json', name: 'json', version:'20230227' -+ implementation group: 'org.json', name: 'json', version:'20231013' - implementation project(':common') - implementation project(':core') - api project(':protocol') \ No newline at end of file diff --git a/opensearch-2/CVE-2023-5072.patch b/opensearch-2/CVE-2023-5072.patch deleted file mode 100644 index 5bf63daa1a0..00000000000 --- a/opensearch-2/CVE-2023-5072.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/build.gradle b/build.gradle -index ae67657..1f13f7d 100644 ---- a/build.gradle -+++ b/build.gradle -@@ -153,7 +153,7 @@ dependencies { - runtimeOnly group: 'org.opensearch', name: 'common-utils', version: "${opensearch_build}" - runtimeOnly group: 'org.apache.commons', name: 'commons-text', version: '1.10.0' - runtimeOnly group: 'com.google.code.gson', name: 'gson', version: '2.10.1' -- runtimeOnly group: 'org.json', name: 'json', version: '20230227' -+ runtimeOnly group: 'org.json', name: 'json', version: '20231013' - } - - // In order to add the jar to the classpath, we need to unzip the \ No newline at end of file diff --git a/opensearch-2/ml-commons.patch b/opensearch-2/ml-commons.patch deleted file mode 100644 index dcf26164d36..00000000000 --- a/opensearch-2/ml-commons.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -diff --git a/ml-algorithms/build.gradle b/ml-algorithms/build.gradle -index 3561472..050ea67 100644 ---- a/ml-algorithms/build.gradle -+++ b/ml-algorithms/build.gradle -@@ -62,7 +62,7 @@ dependencies { - implementation 'software.amazon.awssdk:auth' - implementation 'software.amazon.awssdk:apache-client' - implementation 'com.amazonaws:aws-encryption-sdk-java:2.4.1' -- implementation 'com.jayway.jsonpath:json-path:2.8.0' -+ implementation 'com.jayway.jsonpath:json-path:2.9.0' - implementation group: 'org.json', name: 'json', version: '20231013' - } - -diff --git a/ml-algorithms/build.gradle b/ml-algorithms/build.gradle -index 35614721..74b0acbf 100644 ---- a/ml-algorithms/build.gradle -+++ b/ml-algorithms/build.gradle -@@ -68,6 +68,7 @@ dependencies { - - configurations.all { - resolutionStrategy.force 'com.google.protobuf:protobuf-java:3.21.9' -+ resolutionStrategy.force 'org.apache.commons:commons-compress:1.25.0' - } - - jacocoTestReport { -diff --git a/plugin/build.gradle b/plugin/build.gradle -index af976e6f..3dc408a8 100644 ---- a/plugin/build.gradle -+++ b/plugin/build.gradle -@@ -330,6 +330,7 @@ configurations.all { - resolutionStrategy.force 'org.apache.httpcomponents:httpclient:4.5.14' - resolutionStrategy.force 'commons-codec:commons-codec:1.15' - resolutionStrategy.force 'org.slf4j:slf4j-api:1.7.36' -+ resolutionStrategy.force 'org.apache.commons:commons-compress:1.25.0' - } - - apply plugin: 'com.netflix.nebula.ospackage'