Skip to content

chore(deps): Bump aircompressor from 0.27 to 2.0.3#27152

Merged
nishithakbhaskaran merged 1 commit intoprestodb:masterfrom
Dilli-Babu-Godari:cvefix_aircompressor
Mar 3, 2026
Merged

chore(deps): Bump aircompressor from 0.27 to 2.0.3#27152
nishithakbhaskaran merged 1 commit intoprestodb:masterfrom
Dilli-Babu-Godari:cvefix_aircompressor

Conversation

@Dilli-Babu-Godari
Copy link
Copy Markdown
Contributor

@Dilli-Babu-Godari Dilli-Babu-Godari commented Feb 17, 2026
edited
Loading

Description

Fixes the CVE-2025-67721 which causes unintended data exposure when processing malformed compressed input.

Motivation and Context

Impact

Test Plan

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.
  • If adding new dependencies, verified they have an OpenSSF Scorecard score of 5.0 or higher (or obtained explicit TSC approval for lower scores).

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes
* Update aircompressor dependency from 0.27 to version 2.0.2 to fix `CVE-2025-67721 <https://www.cve.org/CVERecord?id=CVE-2025-67721>`_

@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Feb 17, 2026
@linux-foundation-easycla
Copy link
Copy Markdown

linux-foundation-easycla bot commented Feb 17, 2026
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: Dilli-Babu-Godari / name: Dilli-Babu-Godari (aa376a0)

@Dilli-Babu-Godari Dilli-Babu-Godari changed the title upgrade air compressor dependency to latest version Bump(deps):upgrade air compressor dependency to latest version Feb 17, 2026
@Dilli-Babu-Godari Dilli-Babu-Godari changed the title Bump(deps):upgrade air compressor dependency to latest version Bump(deps): Upgrade air compressor dependency to latest version Feb 17, 2026
@Dilli-Babu-Godari Dilli-Babu-Godari changed the title Bump(deps): Upgrade air compressor dependency to latest version Bump(deps): Bump air compressor dependency from 0.27 to version 2.0.2 Feb 17, 2026
@Dilli-Babu-Godari Dilli-Babu-Godari force-pushed the cvefix_aircompressor branch 2 times, most recently from aede895 to e34a375 Compare February 25, 2026 07:37
@Dilli-Babu-Godari Dilli-Babu-Godari changed the title Bump(deps): Bump air compressor dependency from 0.27 to version 2.0.2 Bump(deps): Bump aircompressor dependency from 0.27 to version 2.0.2 Feb 25, 2026
@Dilli-Babu-Godari Dilli-Babu-Godari changed the title Bump(deps): Bump aircompressor dependency from 0.27 to version 2.0.2 chore(deps): bump aircompressor from 0.27 to 2.0.2 Feb 25, 2026
@Dilli-Babu-Godari Dilli-Babu-Godari changed the title chore(deps): bump aircompressor from 0.27 to 2.0.2 chore(deps): Bump aircompressor from 0.27 to 2.0.2 Feb 25, 2026
@Dilli-Babu-Godari Dilli-Babu-Godari changed the title chore(deps): Bump aircompressor from 0.27 to 2.0.2 chore(deps): Bump aircompressor from 0.27 to 2.0.3 Feb 25, 2026
@Dilli-Babu-Godari Dilli-Babu-Godari marked this pull request as ready for review February 25, 2026 09:05
@Dilli-Babu-Godari Dilli-Babu-Godari requested a review from a team as a code owner February 25, 2026 09:05
@prestodb-ci prestodb-ci requested review from a team, Joe-Abraham and namya28 and removed request for a team February 25, 2026 09:05
imjalpreet
imjalpreet reviewed Feb 25, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@imjalpreet imjalpreet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Dilli-Babu-Godari, thanks for the fix.

Can you please run some simple tests like creating a table with different compression types(SNAPPY, LZO, LZ4, ZSTD) and file formats(Parquet and ORC) using Hive connector and share the results here?

@steveburnett
Copy link
Copy Markdown
Contributor

steveburnett commented Feb 25, 2026

Is there a CVE associated with the Security Change category upgrade?

@imjalpreet
Copy link
Copy Markdown
Member

imjalpreet commented Feb 25, 2026

@steveburnett, yes, this upgrade fixes this CVE: https://www.cve.org/CVERecord?id=CVE-2025-67721

@Dilli-Babu-Godari, please update the PR description and release notes accordingly.

@imjalpreet imjalpreet mentioned this pull request Feb 25, 2026
Closed
@Dilli-Babu-Godari
Copy link
Copy Markdown
Contributor Author

Dilli-Babu-Godari commented Feb 25, 2026

@Dilli-Babu-Godari, thanks for the fix.

Can you please run some simple tests like creating a table with different compression types(SNAPPY, LZO, LZ4, ZSTD) and file formats(Parquet and ORC) using Hive connector and share the results here?

@imjalpreet, I have performed testing with certain decompression formats with data file formats, Here are the results for this,

Results for ORC + compression formats:

Screenshot 2026-02-25 at 10 51 33 PM Screenshot 2026-02-25 at 10 53 52 PM Screenshot 2026-02-25 at 10 54 54 PM

Result for Parquet + compression formats:

Screenshot 2026-02-25 at 10 56 25 PM Screenshot 2026-02-25 at 10 58 13 PM

@steveburnett
Copy link
Copy Markdown
Contributor

steveburnett commented Feb 25, 2026

Thanks for the release note update! Formatting nit:

== RELEASE NOTES ==

Security Changes
* Update aircompressor dependency from 0.27 to version 2.0.2 to fix `CVE-2025-67721 <https://www.cve.org/CVERecord?id=CVE-2025-67721>`_

imjalpreet
imjalpreet approved these changes Feb 27, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@imjalpreet imjalpreet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @Dilli-Babu-Godari.

hantangwangd
hantangwangd approved these changes Feb 27, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@hantangwangd hantangwangd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @Dilli-Babu-Godari

@imjalpreet
Copy link
Copy Markdown
Member

imjalpreet commented Mar 2, 2026

@Dilli-Babu-Godari, can you please rebase on master to trigger the renamed tests in CI? Otherwise, we cannot merge the PR.

@Dilli-Babu-Godari
Copy link
Copy Markdown
Contributor Author

Dilli-Babu-Godari commented Mar 2, 2026

@Dilli-Babu-Godari, can you please rebase on master to trigger the renamed tests in CI? Otherwise, we cannot merge the PR.

Thanks @imjalpreet. I have triggered and waiting for the checks to complete.

Joe-Abraham
Joe-Abraham approved these changes Mar 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Joe-Abraham Joe-Abraham left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, Thanks @Dilli-Babu-Godari

@nishithakbhaskaran nishithakbhaskaran merged commit ec533ab into prestodb:master Mar 3, 2026
141 of 147 checks passed
@nishithakbhaskaran nishithakbhaskaran deleted the cvefix_aircompressor branch March 3, 2026 11:00
This was referenced Mar 31, 2026
Closed
Open
@prestodb-ci prestodb-ci mentioned this pull request Apr 1, 2026
Open
15 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@imjalpreet imjalpreet imjalpreet approved these changes

@hantangwangd hantangwangd hantangwangd approved these changes

@Joe-Abraham Joe-Abraham Joe-Abraham approved these changes

@namya28 namya28 Awaiting requested review from namya28 namya28 was automatically assigned from prestodb/ibm-reviewers

Assignees

No one assigned

Labels

from:IBM PR from IBM

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@Dilli-Babu-Godari @steveburnett @imjalpreet @hantangwangd @Joe-Abraham @nishithakbhaskaran @prestodb-ci