
Upgrade avro version #23868

Merged
tdcmeehan merged 1 commit into prestodb:master from infvg:fix-avro
Oct 28, 2024

Conversation

@infvg
Contributor

@infvg infvg commented Oct 22, 2024

Description

Upgraded avro to version 1.11.4 to resolve CVE-2024-47561
Upgraded commons-compress to version 1.26.2
Upgraded commons-codec to version 1.17.0
Upgraded commons-lang3 to version 3.14.0
Upgraded commons-io to version 2.16.1

Motivation and Context

This upgrade was created to deal with CVEs found in lower versions

Impact

None

Release Notes

== RELEASE NOTES ==

General Changes
* Upgraded avro to version 1.11.4 :pr:`23868`
* Upgraded commons-compress to version 1.26.2 :pr:`23868`
* Upgraded commons-codec to version 1.17.0 :pr:`23868`
* Upgraded commons-lang3 to version 3.14.0 :pr:`23868`
* Upgraded commons-io to version 2.16.1 :pr:`23868`

@infvg infvg changed the title Fix avro Upgrade avro version Oct 22, 2024
@infvg infvg marked this pull request as ready for review October 23, 2024 15:45
@infvg infvg requested a review from a team as a code owner October 23, 2024 15:45
@infvg infvg requested a review from presto-oss October 23, 2024 15:45
Member

@agrawalreetika agrawalreetika left a comment


Please correct commons-lang3 & commons-io version in the release section.
Also add all the updated dependency version details in the description as well.

<dependency>
    <groupId>commons-codec</groupId>
    <artifactId>commons-codec</artifactId>
    <version>1.13</version>
</dependency>
Member


Why is this getting removed?

Contributor Author


This was in dependency management - since the version exists in the root pom, I removed it so that it defaults to using the root version.

Member


But then the dependency would still be required, right? We can avoid giving a version if this is already included in the root along with the version.

Contributor Author


This wasn't under the dependencies but under dependency management - so this was just a version override and not pulling in a dependency.

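The exchange above turns on how Maven treats a version listed under <dependencyManagement> in a module pom versus in the root pom. The following is an added example, not code from the Presto project or from anyone in this thread: a simplified model of Maven's resolution, in which a module's own <dependencyManagement> entry overrides the one inherited from the parent, and a <dependency> declared without a <version> takes whichever managed version wins. The pom fragments are constructed for this example (no xmlns, no BOM imports, no profiles, no transitive mediation); the versions are the ones quoted on this page (1.13 in the review comment, 1.17.0 and 1.11.4 in the description). It shows why a stale override left in a module pom keeps that module on the old release even after the root pom is bumped, and reports any artifact resolved below the version the PR moves to.

```python
# Added example (not the Presto project's code): simplified model of how Maven
# picks a dependency version from <dependencyManagement>. Assumptions: a module's
# own <dependencyManagement> entry overrides the parent's; a <dependency> with
# no <version> takes the managed version. BOM imports, profiles and transitive
# mediation are ignored. Pom fragments below are constructed for this example.
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

Coord = Tuple[str, str]  # (groupId, artifactId)

# Root pom after the PR: pins the fixed versions for every module.
ROOT_POM = """<project><dependencyManagement><dependencies>
  <dependency><groupId>commons-codec</groupId><artifactId>commons-codec</artifactId><version>1.17.0</version></dependency>
  <dependency><groupId>org.apache.avro</groupId><artifactId>avro</artifactId><version>1.11.4</version></dependency>
</dependencies></dependencyManagement></project>"""

# Module pom that still carries the old 1.13 override in <dependencyManagement>.
MODULE_POM_WITH_OVERRIDE = """<project>
<dependencyManagement><dependencies>
  <dependency><groupId>commons-codec</groupId><artifactId>commons-codec</artifactId><version>1.13</version></dependency>
</dependencies></dependencyManagement>
<dependencies>
  <dependency><groupId>commons-codec</groupId><artifactId>commons-codec</artifactId></dependency>
  <dependency><groupId>org.apache.avro</groupId><artifactId>avro</artifactId></dependency>
</dependencies></project>"""

# The same module after the override is deleted, as the PR does.
MODULE_POM_FIXED = """<project><dependencies>
  <dependency><groupId>commons-codec</groupId><artifactId>commons-codec</artifactId></dependency>
  <dependency><groupId>org.apache.avro</groupId><artifactId>avro</artifactId></dependency>
</dependencies></project>"""

# Floors a CVE-driven upgrade expects every module to satisfy (from the PR text).
MINIMUMS: Dict[Coord, str] = {
    ("commons-codec", "commons-codec"): "1.17.0",
    ("org.apache.avro", "avro"): "1.11.4",
}


def _coord(dep: ET.Element) -> Coord:
    return (dep.findtext("groupId", ""), dep.findtext("artifactId", ""))


def managed_versions(pom_xml: str) -> Dict[Coord, str]:
    """Versions pinned in this pom's own <dependencyManagement> block."""
    root = ET.fromstring(pom_xml)
    return {_coord(d): d.findtext("version", "")
            for d in root.iterfind("dependencyManagement/dependencies/dependency")}


def effective_versions(parent_xml: str, module_xml: str) -> Dict[Coord, Optional[str]]:
    """Resolve each <dependency> the module declares: an explicit <version> wins,
    then the module's managed version, then the parent's; None if nothing pins it."""
    managed = managed_versions(parent_xml)
    managed.update(managed_versions(module_xml))  # child entries shadow inherited ones
    resolved: Dict[Coord, Optional[str]] = {}
    for dep in ET.fromstring(module_xml).iterfind("dependencies/dependency"):
        coord = _coord(dep)
        resolved[coord] = dep.findtext("version") or managed.get(coord)
    return resolved


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric sort key for dotted versions, so that 1.13 < 1.17.0 as Maven orders them."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def below_minimum(resolved: Dict[Coord, Optional[str]],
                  minimums: Dict[Coord, str]) -> List[Tuple[Coord, str, str]]:
    """List (coord, found, floor) for artifacts resolved below the required floor
    or not pinned at all; an empty list means every floor is met."""
    findings = []
    for coord, floor in minimums.items():
        if coord not in resolved:
            continue
        found = resolved[coord]
        if found is None or version_key(found) < version_key(floor):
            findings.append((coord, found or "unmanaged", floor))
    return findings


if __name__ == "__main__":
    for label, pom in (("with override", MODULE_POM_WITH_OVERRIDE), ("fixed", MODULE_POM_FIXED)):
        eff = effective_versions(ROOT_POM, pom)
        print(label, eff, "below floor:", below_minimum(eff, MINIMUMS))
```

With the override present, commons-codec resolves to 1.13 in that module even though the root pins 1.17.0; with the override removed it resolves to 1.17.0 and nothing is flagged. Against a real build, the equivalent check is `mvn help:effective-pom -pl <module>` to see the merged <dependencyManagement>, or `mvn dependency:tree -Dincludes=commons-codec` to see the version each module actually resolves.
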
@agrawalreetika
Member

Also, should we modify the commit message to something like -

Upgraded commons-io to <version> to resolve CVE issues
Upgraded avro to <version> to resolve CVE issues

Member

@agrawalreetika agrawalreetika left a comment


Thanks for making the changes @infvg

My miss on how the commit message should look; please check the commit message style guideline here and make changes accordingly: https://github.com/prestodb/presto/blob/master/CONTRIBUTING.md#commit-message-style

Upgrade avro & its dependencies to resolve CVE-2024-47561
If applied, this will:
Upgrade avro to version 1.11.4
Upgrade commons-compress to version 1.26.2
Upgrade commons-codec to version 1.17.0
Upgrade commons-lang3 to version 3.14.0
Upgrade commons-io to version 2.16.1
@tdcmeehan tdcmeehan self-assigned this Oct 28, 2024
@tdcmeehan tdcmeehan merged commit 1c0fc17 into prestodb:master Oct 28, 2024
@jaystarshot jaystarshot mentioned this pull request Nov 1, 2024
@infvg infvg added Security from:IBM PR from IBM labels May 15, 2025
@prestodb-ci prestodb-ci requested review from a team, NivinCS and jp-sivaprasad and removed request for a team May 15, 2025 08:42