Security Vulnerability fix for logback-core (CVE-2023-6378) #23735

Merged: tdcmeehan merged 1 commit into prestodb:master from namya28:logback_security_vulnerability_fix on Oct 9, 2024

Conversation

namya28 (Contributor) commented Sep 27, 2024

Description

This PR is for fixing the security vulnerability for the library "logback-core". The version has been upgraded to 1.2.13 (https://mvnrepository.com/artifact/ch.qos.logback/logback-core/1.2.13) from the version 1.2.3 (https://mvnrepository.com/artifact/ch.qos.logback/logback-core/1.2.3) in the root pom.xml file as the version 1.2.3 had a security vulnerability. This fixes CVE-2023-6378.

Motivation and Context

A Pull Request (PR) was initially raised to remove the logback-core dependency for the version 1.2.3. The link to the PR: #21819. However, the logback-core dependency is being transitively used in presto modules for the version 1.2.3 (attaching screenshots for reference):

1. presto-spark-testing (screenshot: dependency tree showing logback-core 1.2.3)
2. presto-router (screenshot: dependency tree showing logback-core 1.2.3)
3. presto-benchmark-runner (screenshot: dependency tree showing logback-core 1.2.3)
4. presto-proxy (screenshot: dependency tree showing logback-core 1.2.3)
5. presto-benchto-benchmarks (screenshot: dependency tree showing logback-core 1.2.3)
6. presto-verifier (screenshot: dependency tree showing logback-core 1.2.3)
7. presto-native-execution (screenshot: dependency tree showing logback-core 1.2.3)

Impact

Test Plan

Contributor checklist

  • Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes

* Upgrade the logback-core version to 1.2.13 :pr:`23735`
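The description above relies on screenshots of each module's dependency tree to show where the old logback-core still resolves. The following is an added example (not code from the PR or from the Presto project) of the same check done mechanically: it parses `mvn dependency:tree` reactor output and reports every module whose tree resolves `ch.qos.logback:logback-core` below the fixed version 1.2.13. The sample tree output is constructed for this example; the module names follow the PR's list, but the tree contents and the `0.0-PLACEHOLDER` version are placeholders.

```python
import re

# Constructed sample of `mvn dependency:tree` output for a multi-module build.
# The tree contents and the 0.0-PLACEHOLDER version are made up for this example.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ presto-router ---
[INFO] com.facebook.presto:presto-router:jar:0.0-PLACEHOLDER
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  \\- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ presto-proxy ---
[INFO] com.facebook.presto:presto-proxy:jar:0.0-PLACEHOLDER
[INFO] \\- ch.qos.logback:logback-core:jar:1.2.13:compile
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ presto-verifier ---
[INFO] com.facebook.presto:presto-verifier:jar:0.0-PLACEHOLDER
[INFO] \\- ch.qos.logback:logback-core:jar:1.2.12:test
"""

# Module header printed by the dependency plugin for each reactor module.
MODULE_RE = re.compile(r"@ (\S+) ---$")
# A resolved logback-core artifact at any nesting depth: version and scope.
LOGBACK_CORE_RE = re.compile(r"ch\.qos\.logback:logback-core:jar:([0-9][0-9.]*):(\w+)")


def parse_version(version):
    """Turn '1.2.13' into (1, 2, 13) so that 1.2.3 compares lower than 1.2.13."""
    return tuple(int(part) for part in version.split("."))


def find_vulnerable_modules(tree_output, fixed_version="1.2.13"):
    """Return {module: (resolved_version, scope)} for every module whose tree
    still resolves logback-core below fixed_version, including transitive uses."""
    findings = {}
    module = None
    for line in tree_output.splitlines():
        header = MODULE_RE.search(line)
        if header:
            module = header.group(1)
            continue
        dep = LOGBACK_CORE_RE.search(line)
        if dep and module and parse_version(dep.group(1)) < parse_version(fixed_version):
            findings[module] = (dep.group(1), dep.group(2))
    return findings


if __name__ == "__main__":
    for name, (version, scope) in find_vulnerable_modules(SAMPLE_TREE).items():
        print(f"{name}: logback-core {version} ({scope}) is below 1.2.13")
```

Run it against real output with `mvn dependency:tree > tree.txt` and feed the file contents to `find_vulnerable_modules`; after the root pom pins 1.2.13, the result should be empty for every module in the reactor.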

linux-foundation-easycla bot commented Sep 27, 2024

CLA Signed

The committers listed above are authorized under a signed CLA.

@tdcmeehan tdcmeehan self-assigned this Sep 27, 2024
agrawalreetika (Member) commented
@namya28 Please sign a CLA, it's needed for the first PR - https://github.com/prestodb/presto/blob/master/CONTRIBUTING.md#contributing-to-presto

Also let's make 2 changes -

  • Update the commit message to something like Upgrade the logback-core version to 1.2.13

  • Update release notes to -

    == RELEASE NOTES ==

    Security Changes

    • Upgrade the logback-core version to 1.2.13 :pr:23735

@namya28 namya28 force-pushed the logback_security_vulnerability_fix branch from 6addf86 to c7287c6 September 30, 2024 06:15
@namya28 namya28 force-pushed the logback_security_vulnerability_fix branch from c7287c6 to d1a3a3f September 30, 2024 07:32
@namya28 namya28 marked this pull request as ready for review September 30, 2024 09:03
@namya28 namya28 requested a review from a team as a code owner September 30, 2024 09:03
@namya28 namya28 requested a review from presto-oss September 30, 2024 09:03
steveburnett (Contributor) commented
Thanks for this! Nit in formatting of the release note entry

== RELEASE NOTES ==

Security Changes

* Upgrade the logback-core version to 1.2.13 :pr:`23735`

Also, you should delete this part

If release note is NOT required, use:

== NO RELEASE NOTE ==

@tdcmeehan tdcmeehan merged commit 7deadd1 into prestodb:master Oct 9, 2024
@jaystarshot jaystarshot mentioned this pull request Nov 1, 2024
@tdcmeehan tdcmeehan added the from:IBM PR from IBM label Dec 13, 2024
@prestodb-ci prestodb-ci requested review from a team, pramodsatya and psnv03 and removed request for a team December 13, 2024 15:30
@prestodb-ci prestodb-ci requested review from a team and ScrapCodes and removed request for a team and psnv03 April 3, 2025 04:09