
chore(deps): Upgrade zookeeper version from 3.9.4 to 3.9.5 address the CVE-2026-24281 and CVE-2026-24308#27319

Merged
NivinCS merged 1 commit into prestodb:master from NivinCS:cve_fix_upgrade_zookeeper_version
Mar 18, 2026

Conversation

Contributor

@NivinCS NivinCS commented Mar 12, 2026

Description

Upgraded ZooKeeper to version 3.9.5 to resolve CVE-2026-24281 and CVE-2026-24308.

Motivation and Context

Impact

Test Plan

Regression test suite report for the Kafka connector (screenshot attached)

Regression test suite report for the Pinot connector (screenshot attached)

WhiteSource security check report (screenshot attached, taken 2026-03-13)

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with their default values), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.
  • If adding new dependencies, verified they have an OpenSSF Scorecard score of 5.0 or higher (or obtained explicit TSC approval for lower scores).

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes
* Upgrade zookeeper to version 3.9.5 in response to `CVE-2026-24281 <https://github.com/advisories/GHSA-7xrh-hqfc-g7qr>`_ and `CVE-2026-24308 <https://github.com/advisories/GHSA-crhr-qqj8-rpxc>`_

@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Mar 12, 2026

linux-foundation-easycla bot commented Mar 12, 2026

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: NivinCS / name: Nivin C S (c576592)

@NivinCS NivinCS changed the title from "upgrade zookeeper version to address the CVE-2026-24281" to "upgrade zookeeper version to address the CVE-2026-24281 and CVE-2026-24308" Mar 12, 2026
@NivinCS NivinCS changed the title from "upgrade zookeeper version to address the CVE-2026-24281 and CVE-2026-24308" to "chore(deps): Upgrade zookeeper version from 3.9.4 to 3.9.5 address the CVE-2026-24281 and CVE-2026-24308" Mar 12, 2026
@NivinCS NivinCS force-pushed the cve_fix_upgrade_zookeeper_version branch from 7838fed to c576592 March 12, 2026 09:30
@NivinCS NivinCS marked this pull request as ready for review March 13, 2026 08:42
@NivinCS NivinCS requested a review from a team as a code owner March 13, 2026 08:42
@prestodb-ci prestodb-ci requested review from a team, ScrapCodes and wanglinsong and removed request for a team March 13, 2026 08:42
Member

@agrawalreetika agrawalreetika left a comment


I see that zookeeper also gets included from pinot-common as a transitive dependency, so check whether any update is needed there?

Contributor Author

NivinCS commented Mar 13, 2026

> I see the zookeeper also gets included from pinot-common as a transitive dependency, so check if any update is needed there?

Pinot is already using the Zookeeper version specified in the root pom, so no additional change is required from our side.
Also, the CVE we observed was introduced transitively through pinot-common, which in turn resolves to the Zookeeper version defined in the root pom. Therefore, it already aligns with the updated version and no further action is needed.
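The check a reviewer would want behind the claim above, as an added example that is not part of the PR or of the Presto code base: a POSIX shell script that reads `mvn dependency:tree` output and flags any module, including ones reaching ZooKeeper transitively through pinot-common, that still resolves `org.apache.zookeeper:zookeeper` to a version other than the one the root pom now manages. The embedded dependency-tree sample is constructed; its module names and all non-ZooKeeper version strings are placeholders.

```shell
#!/bin/sh
# Added example, not part of the PR. Real input comes from:
#   mvn -q dependency:tree -Dincludes=org.apache.zookeeper:zookeeper
# A constructed sample of that output is embedded so the script runs offline;
# module names and every non-ZooKeeper version in it are placeholders.
EXPECTED_ZK=3.9.5

SAMPLE_TREE='[INFO] --- dependency:tree (default-cli) @ presto-root ---
[INFO] com.facebook.presto:presto-root:pom:0-SAMPLE
[INFO] \- org.apache.zookeeper:zookeeper:jar:3.9.5:compile
[INFO] --- dependency:tree (default-cli) @ presto-pinot ---
[INFO] com.facebook.presto:presto-pinot:jar:0-SAMPLE
[INFO] \- org.apache.pinot:pinot-common:jar:0-SAMPLE:compile
[INFO]    \- org.apache.zookeeper:zookeeper:jar:3.9.5:compile
[INFO] --- dependency:tree (default-cli) @ presto-kafka ---
[INFO] com.facebook.presto:presto-kafka:jar:0-SAMPLE
[INFO] \- org.apache.zookeeper:zookeeper:jar:3.8.4:runtime'

# Read a dependency:tree dump on stdin and print "module version" for every
# resolved ZooKeeper artifact, whether declared directly or pulled in transitively.
zk_versions() {
  awk '
    /:tree/ && / @ / { for (i = 1; i <= NF; i++) if ($i == "@") module = $(i + 1) }
    match($0, /org\.apache\.zookeeper:zookeeper:[^:]+:[^: ]+/) {
      n = split(substr($0, RSTART, RLENGTH), f, ":")
      print module, f[n]
    }'
}

# Print the modules whose resolved ZooKeeper differs from the expected version;
# exit status 1 when any are found, so the check can gate CI.
stale_zk_modules() {
  expected=$1
  zk_versions | awk -v want="$expected" '$2 != want { print; bad = 1 } END { exit (bad ? 1 : 0) }'
}

# Stand-alone run over the constructed sample: the kafka module is reported.
if printf '%s\n' "$SAMPLE_TREE" | stale_zk_modules "$EXPECTED_ZK"; then
  echo "all modules resolve zookeeper $EXPECTED_ZK"
else
  echo "modules above still resolve an older zookeeper; an explicit override is masking the upgrade" >&2
fi
```

Run it as `mvn -q dependency:tree -Dincludes=org.apache.zookeeper:zookeeper | stale_zk_modules 3.9.5` against the real build to confirm that every module, not just the root pom, picked up the upgrade.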

<artifactId>zookeeper</artifactId>
<scope>runtime</scope>
<!-- This is the version used by kafka tranitively -->
<version>3.8.4</version>
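Review bot: the snippet pins zookeeper to 3.8.4 with a comment saying that is the version Kafka pulls in transitively, while the PR moves the root version to 3.9.5; if this runtime-scoped override remains after the change, the Kafka connector still resolves 3.8.4 rather than the upgraded version, so either bump it to match or drop the explicit `<version>` so the managed one applies, and update the comment (which also misspells "transitively") to state why a separate version is kept if one is.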
Contributor


Did we verify this does not break anything when using this connector?

Contributor Author


I executed the regression test suite, and all test cases passed. The test report is included here: #27319 (comment)

Contributor


Since tests are good, this should be okay.

Contributor

@ScrapCodes ScrapCodes left a comment


Looks good!

@NivinCS NivinCS merged commit fe19cb9 into prestodb:master Mar 18, 2026
121 of 124 checks passed