Skip to content

Upgrade org.apache.ratis dependency to address CVE-2020-15250 #24496

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
imjalpreet merged 1 commit into from
Feb 22, 2025
Merged

Upgrade org.apache.ratis dependency to address CVE-2020-15250 #24496

imjalpreet merged 1 commit into from
Feb 22, 2025

Conversation

@sumi-mathew
Copy link
Contributor

@sumi-mathew sumi-mathew commented Feb 5, 2025
edited
Loading

Description

Upgrade the org.apache.ratis dependency from version 2.2.0 to 3.1.3 to avoiding CVE issues.

CVE-2020-15250

Motivation and Context

Upgrading the org.apache.ratis dependency from version 2.2.0 to 3.1.3 to to reduce the risk of introducing new security flaws

Impact

Test Plan

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes
* Upgrade org.apache.ratis  to 3.1.3 in response to `CVE-2020-15250<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250>`_.

@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Feb 5, 2025
@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Feb 5, 2025
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

@sumi-mathew sumi-mathew force-pushed the ratis_jar_upgarde branch 3 times, most recently from 7436c6d to 3bb7961 Compare February 5, 2025 07:35
@sumi-mathew sumi-mathew changed the title Upgrade org.apache.ratis dependency to address CVE-2022-23307 Upgrade org.apache.ratis dependency to address CVE-2020-15250 Feb 11, 2025
@sumi-mathew sumi-mathew marked this pull request as ready for review February 11, 2025 11:46
jaystarshot
jaystarshot reviewed Feb 11, 2025
View reviewed changes
imjalpreet
imjalpreet reviewed Feb 11, 2025
View reviewed changes
imjalpreet
imjalpreet reviewed Feb 11, 2025
View reviewed changes
@sumi-mathew sumi-mathew force-pushed the ratis_jar_upgarde branch 3 times, most recently from e77d3f9 to e9a1071 Compare February 12, 2025 11:55
imjalpreet
imjalpreet requested changes Feb 12, 2025
View reviewed changes
@steveburnett
Copy link
Contributor

steveburnett commented Feb 12, 2025

Thanks for the release note! Just one nit.

== RELEASE NOTES ==

Security Changes
* Upgrade org.apache.ratis  to 3.1.3 in response to `CVE-2020-15250<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250>`_.

@sumi-mathew sumi-mathew force-pushed the ratis_jar_upgarde branch 2 times, most recently from 0d938db to c8d52ee Compare February 13, 2025 04:42
imjalpreet
imjalpreet reviewed Feb 13, 2025
View reviewed changes
Copy link
Member

@imjalpreet imjalpreet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just a minor nit.

@yingsu00 yingsu00 self-requested a review February 22, 2025 00:44
@yingsu00
Copy link
Contributor

yingsu00 commented Feb 22, 2025

@jaystarshot Can you please re-review this PR to check if all your comments were addressed?

@jaystarshot
Copy link
Member

jaystarshot commented Feb 22, 2025

I think its blocked due to @imjalpreet’s request

@imjalpreet imjalpreet merged commit b12e90d into prestodb:master Feb 22, 2025
53 checks passed
This was referenced Mar 10, 2025
Closed
Closed
@prestodb-ci prestodb-ci mentioned this pull request Mar 28, 2025
Merged
30 tasks
@prestodb-ci prestodb-ci requested review from a team, BryanCutler and infvg and removed request for a team April 3, 2025 04:05
@unidevel unidevel mentioned this pull request Apr 25, 2025
Closed
30 tasks
This was referenced May 6, 2025
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@imjalpreet imjalpreet imjalpreet approved these changes

@jaystarshot jaystarshot jaystarshot approved these changes

@feilong-liu feilong-liu Awaiting requested review from feilong-liu feilong-liu is a code owner

@elharo elharo Awaiting requested review from elharo elharo is a code owner

@vivek-bharathan vivek-bharathan Awaiting requested review from vivek-bharathan

@presto-oss presto-oss Awaiting requested review from presto-oss presto-oss is a code owner automatically assigned from prestodb/committers

@yingsu00 yingsu00 Awaiting requested review from yingsu00

@BryanCutler BryanCutler Awaiting requested review from BryanCutler BryanCutler was automatically assigned from prestodb/ibm-reviewers

@infvg infvg Awaiting requested review from infvg infvg was automatically assigned from prestodb/ibm-reviewers

Assignees

No one assigned

Labels

from:IBM PR from IBM Security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@sumi-mathew @steveburnett @yingsu00 @jaystarshot @imjalpreet @ethanyzhang @prestodb-ci