Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[fix][sec] Upgrade snappy-java to 1.1.10.5 #21280

Merged
merged 1 commit into from
Oct 3, 2023
Merged

[fix][sec] Upgrade snappy-java to 1.1.10.5 #21280

merged 1 commit into from
Oct 3, 2023

Conversation

lhotari
Copy link
Member

@lhotari lhotari commented Sep 29, 2023

Motivation

snappy-java 1.1.10.1 contains CVE-2023-43642 . Upgrade the dependency to 1.1.10.5 to get rid of the CVE.

Modifications

Upgrade the dependency to 1.1.10.5 to get rid of the CVE.

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

@lhotari lhotari added this to the 3.2.0 milestone Sep 29, 2023
@lhotari lhotari self-assigned this Sep 29, 2023
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Sep 29, 2023
@codecov-commenter
Copy link

Codecov Report

Merging #21280 (0e10017) into master (8485d68) will increase coverage by 36.43%.
The diff coverage is n/a.

Impacted file tree graph

@@              Coverage Diff              @@
##             master   #21280       +/-   ##
=============================================
+ Coverage     36.79%   73.22%   +36.43%     
- Complexity    12217    32411    +20194     
=============================================
  Files          1698     1887      +189     
  Lines        130510   140197     +9687     
  Branches      14260    15436     +1176     
=============================================
+ Hits          48019   102666    +54647     
+ Misses        76155    29439    -46716     
- Partials       6336     8092     +1756
Flag Coverage Δ
inttests 24.12% <ø> (+0.03%) ⬆️
systests 24.70% <ø> (-0.04%) ⬇️
unittests 72.52% <ø> (+40.52%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 1452 files with indirect coverage changes

@lhotari lhotari merged commit 643428b into apache:master Oct 3, 2023
liangyuanpeng pushed a commit to liangyuanpeng/pulsar that referenced this pull request Oct 11, 2023
@lhotari @liangyuanpeng
[fix][sec] Upgrade snappy-java to 1.1.10.5 (apache#21280)
df3e719
@compuguy
Copy link

Will this PR be backported to the 3.1.x branch? This would reduce the number of high CVE's apache-pulsar currently has.

@lhotari
Copy link
Member Author

lhotari commented Oct 25, 2023

Will this PR be backported to the 3.1.x branch? This would reduce the number of high CVE's apache-pulsar currently has.

@compuguy yes, this will be backported.

lhotari added a commit that referenced this pull request Oct 25, 2023
@lhotari
[fix][sec] Upgrade snappy-java to 1.1.10.5 (#21280)
8e5f00e 
(cherry picked from commit 643428b)
lhotari added a commit that referenced this pull request Oct 25, 2023
@lhotari
[fix][sec] Upgrade snappy-java to 1.1.10.5 (#21280)
476b4a0 
(cherry picked from commit 643428b)
lhotari added a commit that referenced this pull request Oct 25, 2023
@lhotari
[fix][sec] Upgrade snappy-java to 1.1.10.5 (#21280)
0923080 
(cherry picked from commit 643428b)
@lhotari
Copy link
Member Author

lhotari commented Oct 25, 2023

@compuguy I have backported this to branch-2.11, branch-3.0 and branch-3.1 . This will be delivered as part of the next set of releases when that happens.

@compuguy
Copy link

Thank you @lhotari! 👍

@compuguy compuguy mentioned this pull request Oct 26, 2023
Merged
4 tasks
liangyepianzhou pushed a commit to streamnative/pulsar-archived that referenced this pull request Dec 12, 2023
@lhotari @liangyepianzhou
[fix][sec] Upgrade snappy-java to 1.1.10.5 (apache#21280)
159d5c3 
(cherry picked from commit 643428b)
nikhil-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 12, 2023
@lhotari @nikhil-ctds
[fix][sec] Upgrade snappy-java to 1.1.10.5 (apache#21280)
27133aa 
(cherry picked from commit 643428b)
(cherry picked from commit 8e5f00e)
@nikhil-ctds nikhil-ctds mentioned this pull request Dec 12, 2023
Closed
4 tasks
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 14, 2023
@lhotari @srinath-ctds
[fix][sec] Upgrade snappy-java to 1.1.10.5 (apache#21280)
54a3ca4 
(cherry picked from commit 643428b)
(cherry picked from commit 8e5f00e)
liangyepianzhou pushed a commit that referenced this pull request Dec 14, 2023
@lhotari @liangyepianzhou
[fix][sec] Upgrade snappy-java to 1.1.10.5 (#21280)
1044932 
(cherry picked from commit 643428b)
nikhil-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 20, 2023
@lhotari @nikhil-ctds
[fix][sec] Upgrade snappy-java to 1.1.10.5 (apache#21280)
39faf89 
(cherry picked from commit 643428b)
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 20, 2023
@lhotari @srinath-ctds
[fix][sec] Upgrade snappy-java to 1.1.10.5 (apache#21280)
d9b28ad 
(cherry picked from commit 643428b)
nodece pushed a commit to nodece/pulsar that referenced this pull request Feb 23, 2024
@lhotari @nodece
[fix][sec] Upgrade snappy-java to 1.1.10.5 (apache#21280)
557c2cf 
(cherry picked from commit 643428b)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nodece nodece nodece approved these changes

@tisonkun tisonkun Awaiting requested review from tisonkun

@nicoloboschi nicoloboschi Awaiting requested review from nicoloboschi

Assignees

@lhotari lhotari

Labels
area/security cherry-picked/branch-2.10 cherry-picked/branch-2.11 cherry-picked/branch-3.0 cherry-picked/branch-3.1 doc-not-needed Your PR changes do not impact docs ready-to-test release/2.10.6 release/2.11.3 release/3.0.3 release/3.1.2
Projects
None yet
Milestone
3.2.0
Development

Successfully merging this pull request may close these issues.
5 participants
@lhotari @codecov-commenter @compuguy @nodece @liangyepianzhou