Skip to content

Upgrade accumulo to 1.10.1 to fix CVE-2020-17533#24438

Merged
tdcmeehan merged 1 commit intoprestodb:masterfrom
namya28:accumulo_vul_fix
Jan 30, 2025
Merged

Upgrade accumulo to 1.10.1 to fix CVE-2020-17533#24438
tdcmeehan merged 1 commit intoprestodb:masterfrom
namya28:accumulo_vul_fix

Conversation

@namya28
Copy link
Contributor

@namya28 namya28 commented Jan 27, 2025
edited
Loading

Description

This PR is for fixing the security vulnerability for accumulo. The version has been upgraded to 1.10.1 from the version 1.7.4 as the version 1.7.4 had a security vulnerability. This fixes CVE-2020-17533.

Motivation and Context

Impact

Test Plan

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes

* Upgrade the accumulo version to 1.10.1 in response to `
CVE-2020-17533 <https://github.com/advisories/GHSA-grc3-8q8m-4j7c>`_. :pr:`24438`

@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Jan 27, 2025
@steveburnett
Copy link
Contributor

steveburnett commented Jan 27, 2025

Thanks for the release note! Suggest adding the CVE that prompted the work, following the example in Phrasing in the Release Notes Guidelines.

== RELEASE NOTES ==

Security Changes

* Upgrade the accumulo-core version to 1.10.1 in response to `
CVE-2020-17533 <hhttps://github.com/advisories/GHSA-grc3-8q8m-4j7c>`_. :pr:`24438`

@namya28 namya28 marked this pull request as ready for review January 27, 2025 17:59
@namya28 namya28 requested a review from a team as a code owner January 27, 2025 17:59
@namya28 namya28 requested a review from presto-oss January 27, 2025 17:59
imjalpreet
imjalpreet requested changes Jan 29, 2025
View reviewed changes
Copy link
Member

@imjalpreet imjalpreet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@namya28 Thanks for the fix! Could you confirm whether the CVE actually affects accumulo-core? From what I see, CVE-2020-17533 specifically impacts accumulo-master. In Presto, it might be present in accumulo-minicluster due to its dependency on accumulo-master, but I don’t believe it is directly related to accumulo-core.

If that’s the case, we should update the PR title and commit messages accordingly. Let me know if I missed anything.

@namya28 namya28 changed the title Security Vulnerability fix for accumulo-core (CVE-2020-17533) Security Vulnerability fix for accumulo-master (CVE-2020-17533) Jan 30, 2025
@namya28 namya28 requested a review from imjalpreet January 30, 2025 11:42
imjalpreet
imjalpreet reviewed Jan 30, 2025
View reviewed changes
Copy link
Member

@imjalpreet imjalpreet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@namya28 Thanks, I think below commit message would be better

Upgrade Accumulo to 1.10.1 to fix CVE-2020-17533

Upgrade the Accumulo version from 1.7.4 to 1.10.1 to address a security vulnerability (CVE-2020-17533). The affected library, accumulo-master, is a transitive dependency in Presto, coming from accumulo-minicluster.

The commit description will give more context to the fix.

@namya28 namya28 changed the title Security Vulnerability fix for accumulo-master (CVE-2020-17533) Upgrade accumulo to 1.10.1 to fix CVE-2020-17533 Jan 30, 2025
@namya28
Copy link
Contributor Author

namya28 commented Jan 30, 2025

@namya28 Thanks, I think below commit message would be better

Upgrade Accumulo to 1.10.1 to fix CVE-2020-17533

Upgrade the Accumulo version from 1.7.4 to 1.10.1 to address a security vulnerability (CVE-2020-17533). The affected library, accumulo-master, is a transitive dependency in Presto, coming from accumulo-minicluster.

The commit description will give more context to the fix.

Thanks for the suggestion @imjalpreet . I have made the changes , rebased and pushed my changes again.

@namya28
Upgrade accumulo to 1.10.1 to fix CVE-2020-17533
f9909a9 
Upgrade the accumulo version from 1.7.4 to 1.10.1 to address a security vulnerability (CVE-2020-17533). The affected library, accumulo-master, is a transitive dependency in Presto, coming from accumulo-minicluster.
imjalpreet
imjalpreet approved these changes Jan 30, 2025
View reviewed changes
Copy link
Member

@imjalpreet imjalpreet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@imjalpreet
Copy link
Member

imjalpreet commented Jan 30, 2025

@tdcmeehan another PR which is ready for final review. Please take a look whenever you get a chance, thanks!

@tdcmeehan tdcmeehan merged commit 892ad68 into prestodb:master Jan 30, 2025
54 checks passed
This was referenced Mar 10, 2025
Closed
Closed
@prestodb-ci prestodb-ci mentioned this pull request Mar 28, 2025
Merged
30 tasks
@prestodb-ci prestodb-ci requested review from a team, Dilli-Babu-Godari and sh-shamsan and removed request for a team April 3, 2025 04:08
@unidevel unidevel mentioned this pull request Apr 25, 2025
Closed
30 tasks
This was referenced May 6, 2025
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@imjalpreet imjalpreet imjalpreet approved these changes

@tdcmeehan tdcmeehan tdcmeehan approved these changes

@presto-oss presto-oss Awaiting requested review from presto-oss presto-oss is a code owner automatically assigned from prestodb/committers

@Dilli-Babu-Godari Dilli-Babu-Godari Awaiting requested review from Dilli-Babu-Godari Dilli-Babu-Godari was automatically assigned from prestodb/ibm-reviewers

@sh-shamsan sh-shamsan Awaiting requested review from sh-shamsan sh-shamsan was automatically assigned from prestodb/ibm-reviewers

Assignees

No one assigned

Labels

from:IBM PR from IBM Security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@namya28 @steveburnett @imjalpreet @tdcmeehan @ethanyzhang @prestodb-ci