Fix protobuf CVE (#43)
* Fix CVE

* Fixes in docs, scope in pom

* PK fix
Shmuma authored Sep 23, 2024
1 parent 6670151 commit bba819b
Showing 5 changed files with 117 additions and 75 deletions.
147 changes: 75 additions & 72 deletions dependencies.md


1 change: 1 addition & 0 deletions doc/changes/changelog.md


23 changes: 23 additions & 0 deletions doc/changes/changes_2.0.8.md
@@ -0,0 +1,23 @@
# Spark Connector Common Java 2.0.8, released 2024-09-23

Code name: Fixed vulnerability CVE-2024-7254 in com.google.protobuf:protobuf-java:jar:3.19.6:provided

## Summary
This release fixes vulnerability CVE-2024-7254 in com.google.protobuf:protobuf-java:jar:3.19.6:provided which could lead to unbounded recursion.

## Security

* #41: CVE-2024-7254: com.google.protobuf:protobuf-java:jar:3.19.6:provided

## Dependency Updates

### Compile Dependency Updates

* Removed `io.netty:netty-all:4.1.111.Final`
* Removed `joda-time:joda-time:2.12.7`
* Removed `org.apache.avro:avro:1.11.3`
* Removed `org.apache.commons:commons-compress:1.26.2`
* Removed `org.apache.ivy:ivy:2.5.2`
* Removed `org.apache.zookeeper:zookeeper:3.9.2`
* Removed `org.codehaus.janino:janino:3.1.12`
* Removed `org.xerial.snappy:snappy-java:1.1.10.5`
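Review bot: the "Compile Dependency Updates" list reads as if the eight pinned artifacts (netty-all, joda-time, avro, commons-compress, ivy, zookeeper, janino, snappy-java) were dropped, but the pom.xml hunk in this same commit keeps every one of them and only adds `<scope>provided</scope>` to each; a one-line note that they moved from compile to provided scope, plus an entry for the newly added `com.google.protobuf:protobuf-java:3.25.5`, would stop readers concluding that the earlier CVE pins were reverted. The "Code name:" line also carries the raw Maven coordinate `com.google.protobuf:protobuf-java:jar:3.19.6:provided`; a plain "Fixed CVE-2024-7254 in protobuf-java" is easier to read in release notes.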
2 changes: 1 addition & 1 deletion pk_generated_parent.pom


19 changes: 17 additions & 2 deletions pom.xml
Expand Up @@ -3,14 +3,14 @@
<modelVersion>4.0.0</modelVersion>
<groupId>com.exasol</groupId>
<artifactId>spark-connector-common-java</artifactId>
<version>2.0.7</version>
<version>2.0.8</version>
<name>spark-connector-common-java</name>
<description>An Exasol common library for Apache Spark connectors</description>
<url>https://github.com/exasol/spark-connector-common-java/</url>
<parent>
<artifactId>spark-connector-common-java-generated-parent</artifactId>
<groupId>com.exasol</groupId>
<version>2.0.7</version>
<version>2.0.8</version>
<relativePath>pk_generated_parent.pom</relativePath>
</parent>
<properties>
Expand Down Expand Up @@ -80,48 +80,63 @@
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.26.2</version>
<scope>provided</scope>
</dependency>
<dependency>
<!-- Upgrade transitive dependency of org.apache.spark:spark-core_2.13 to fix CVE-2023-43642 and CVE-2022-46751 -->
<groupId>org.xerial.snappy</groupId>
<artifactId>snappy-java</artifactId>
<version>1.1.10.5</version>
<scope>provided</scope>
</dependency>
<dependency>
<!-- Upgrade transitive dependency of org.apache.spark:spark-core_2.13 to fix CVE-2022-46751 -->
<groupId>org.apache.ivy</groupId>
<artifactId>ivy</artifactId>
<version>2.5.2</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.zookeeper</groupId>
<!-- Upgrade transitive dependency of org.apache.spark:spark-core_2.13 to fix CVE-2023-44981 -->
<artifactId>zookeeper</artifactId>
<version>3.9.2</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.avro</groupId>
<!-- Upgrade transitive dependency of org.apache.spark:spark-core_2.13 to fix CVE-2023-44981 -->
<artifactId>avro</artifactId>
<version>1.11.3</version>
<scope>provided</scope>
</dependency>
<dependency>
<!-- Upgrade transitive dependency of org.apache.spark:spark-core_2.13 to fix CVE-2024-23080 -->
<groupId>joda-time</groupId>
<artifactId>joda-time</artifactId>
<version>2.12.7</version>
<scope>provided</scope>
</dependency>
<dependency>
<!-- Upgrade transitive dependency of org.apache.spark:spark-core_2.13 to fix CVE-2024-29025 -->
<groupId>io.netty</groupId>
<artifactId>netty-all</artifactId>
<version>4.1.111.Final</version>
<scope>provided</scope>
</dependency>
<dependency>
<!-- Upgrade transitive dependency of org.apache.spark:spark-core_2.13 to fix CVE-2023-33546 -->
<groupId>org.codehaus.janino</groupId>
<artifactId>janino</artifactId>
<version>3.1.12</version>
<scope>provided</scope>
</dependency>
<dependency>
<!-- Upgrade transitive dependency of org.apache.spark:spark-network-common_2.13 to fix CVE-2024-7254 -->
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
<version>3.25.5</version>
<scope>provided</scope>
</dependency>
<!-- Test Dependencies -->
<dependency>
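Review bot: moving the eight CVE pins to `<scope>provided</scope>` changes what downstream users get, and that should be stated in the changelog and README: provided-scope dependencies are not transitive in Maven, so consumers of spark-connector-common-java no longer inherit the patched netty-all, snappy-java, ivy, zookeeper, avro, joda-time, janino or commons-compress versions and will resolve whatever their own Spark distribution ships. That is fine if the library is only ever loaded inside a Spark runtime that supplies those jars, but it means the CVE fixes listed in the comments are only effective where the runtime is already patched. Two of the inline comments also look copy-pasted and need checking against the advisories: the avro entry cites CVE-2023-44981, the same id given for zookeeper in the block above it, and the snappy-java entry cites CVE-2022-46751, the same id given for ivy in the block below it. The new protobuf-java block is consistent with the rest (comment naming the Spark module, coordinates, version 3.25.5, provided scope).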
