
[Dependencies] Update dependencies with CVEs. #646

Closed
adnapibar opened this issue May 4, 2021 · 4 comments · Fixed by #645
Labels: CVE (Fixes a CVE), Meta (Meta issue, not directly linked to a PR), v1.0.0-alpha1 (Version 1.0.0 alpha 1), v1.0.0 (Version 1.0.0)

Comments

@adnapibar
Contributor

Describe the bug
The hdfs-fixture used for integration tests has the following dependency.

org.apache.hadoop:hadoop-minicluster:2.8.5

The above version of hadoop-minicluster brings in some other dependencies that are reported to have potential security vulnerabilities.

We need to update the hadoop-minicluster to the latest version, 3.3.0.

@adnapibar adnapibar added v1.0.0 Version 1.0.0 v1.0.0-alpha1 Version 1.0.0 alpha 1 labels May 4, 2021
@adnapibar adnapibar self-assigned this May 4, 2021
@adnapibar adnapibar changed the title [Dependencies] Update dependencies with potential security issues. [Dependencies] Update dependencies with CVEs. May 4, 2021
@adnapibar adnapibar added the Meta Meta issue, not directly linked to a PR label May 4, 2021
@adnapibar
Contributor Author

adnapibar commented May 4, 2021

We also need to upgrade the Hadoop version used in the repository-hdfs plugin (See this)

#645 incorrectly updated the hadoop-minicluster version from 2.8.5 to 3.3.0 but the plugin only supports Apache Hadoop 2.x.

So we should upgrade the Hadoop version to 2.10.1 instead. For more details see https://bugzilla.redhat.com/show_bug.cgi?id=1883549

In addition to the above, we also need to upgrade the following dependencies,

Reopening the issue and adding Meta label to it.

@abbashus
Contributor

abbashus commented May 5, 2021

Need to update the following dependencies as well:

| Dependency | Update To | Module | CVE's |
|---|---|---|---|
| commons-io-2.4.jar | 2.7 | discovery-azure-classic, repository-hdfs, hdfs-fixture | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425 |
| jackson-mapper-asl-1.9.2.jar | com.fasterxml.jackson.core:jackson-databind:2.9.9 | discovery-azure-classic | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10172, https://access.redhat.com/errata/RHSA-2019:2938 |
| google-oauth-client-1.23.0.jar | 1.31.0 | discovery-gce | googleapis/google-oauth-java-client#470 |
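A small check that turns the minimum versions discussed in this thread (hadoop-minicluster 2.10.1, commons-io 2.7, jackson-databind 2.9.9, google-oauth-client 1.31.0, and jackson-mapper-asl treated as a banned artifact to be replaced) into an automated audit of a Gradle dependency report. This is an added example, not code from the issue or from the project; the Maven group ids and the sample report text are assumptions, since the table above lists jar names only.

```python
import re
from typing import Dict, List, Tuple

# Minimum acceptable versions, taken from this issue thread (group ids assumed).
MIN_VERSIONS: Dict[str, str] = {
    "org.apache.hadoop:hadoop-minicluster": "2.10.1",
    "commons-io:commons-io": "2.7",
    "com.fasterxml.jackson.core:jackson-databind": "2.9.9",
    "com.google.oauth-client:google-oauth-client": "1.31.0",
}
# Artifacts that must not appear at all (replaced rather than upgraded).
BANNED = {"org.codehaus.jackson:jackson-mapper-asl"}

# Matches "group:artifact:version" as printed by `gradle dependencies`, including
# the "requested -> resolved" form, where the resolved version is the one that ships.
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):([\w.\-]+)(?:\s*->\s*([\w.\-]+))?")


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric comparison so that 2.10.1 > 2.8.5 (string comparison would get this wrong)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def audit(report: str) -> List[str]:
    """Return one finding per dependency line that is banned or below its minimum version."""
    findings = []
    for line in report.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        coord = f"{m.group(1)}:{m.group(2)}"
        version = m.group(4) or m.group(3)  # prefer the resolved version
        if coord in BANNED:
            findings.append(f"{coord}:{version} is banned; replace it")
        elif coord in MIN_VERSIONS and parse_version(version) < parse_version(MIN_VERSIONS[coord]):
            findings.append(f"{coord}:{version} is below minimum {MIN_VERSIONS[coord]}")
    return findings


# Constructed sample resembling the tree printed by `./gradlew <project>:dependencies`.
SAMPLE_REPORT = """\
+--- org.apache.hadoop:hadoop-minicluster:2.8.5
|    +--- commons-io:commons-io:2.4
|    +--- org.codehaus.jackson:jackson-mapper-asl:1.9.2
|    \\--- com.google.oauth-client:google-oauth-client:1.23.0 -> 1.31.0
+--- com.fasterxml.jackson.core:jackson-databind:2.9.9
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_REPORT):
        print(finding)
```

Running it against the sample report flags hadoop-minicluster, commons-io and jackson-mapper-asl, while the forced google-oauth-client resolution and jackson-databind 2.9.9 pass.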

@adnapibar
Contributor Author

Resolving the issue as all related CVE PRs are merged.

@tlfeng
Collaborator

tlfeng commented Jul 6, 2021

pdfbox is also upgraded from 2.0.23 -> 2.0.24 in version 1.0.0, see PR #883 for details.
