From f860e6599783f5fbb148587fa7ccfc9fa88fe838 Mon Sep 17 00:00:00 2001
From: Catherine Redfield
Date: Mon, 27 Oct 2025 09:59:53 -0400
Subject: [PATCH 1/2] adv(celeborn-0.6): GHSA-3p8m-j85q-pgmj, GHSA-fghv-69vj-qj49, GHSA-prj3-ccx8-p6x4

celeborn-0.6 is newly version streamed and existing advisories under version 0.5 need to be updated for the new 0.6 version. netty is brought in by ratis, which has still not updated to a fixed version of netty.
Relates: https://github.com/wolfi-dev/os/pull/69882, https://github.com/wolfi-dev/os/pull/69911, https://github.com/chainguard-dev/CVE-Dashboard/issues/31614, https://github.com/chainguard-dev/CVE-Dashboard/issues/31634, https://github.com/chainguard-dev/CVE-Dashboard/issues/31623
---
 celeborn-0.6.advisories.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/celeborn-0.6.advisories.yaml b/celeborn-0.6.advisories.yaml
index 83288e8ac8..4fcac5c165 100644
--- a/celeborn-0.6.advisories.yaml
+++ b/celeborn-0.6.advisories.yaml
@@ -21,6 +21,10 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/share/java/celeborn/jars/ratis-thirdparty-misc-1.0.9.jar
 scanner: grype
+ - timestamp: 2025-10-27T13:59:48Z
+ type: pending-upstream-fix
+ data:
+ note: netty-codec is brought into celeborn via ratis (already on most recent version 3.2.0) pulling in ratis-thirdparty. Upstream maintainers must update ratis versions to pull in the fixed version of netty.
 - id: CGA-5hf2-h5q8-9hj9
 aliases:
@@ -75,6 +79,10 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/share/java/celeborn/jars/ratis-thirdparty-misc-1.0.9.jar
 scanner: grype
+ - timestamp: 2025-10-27T13:57:35Z
+ type: pending-upstream-fix
+ data:
+ note: netty-codec is brought into celeborn via ratis (already on most recent version 3.2.0) pulling in ratis-thirdparty. Upstream maintainers must update ratis versions to pull in the fixed version of netty.
 - id: CGA-f3jr-397v-cw8h
 aliases:
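Review bot: The pending-upstream-fix note added in the @@ -21,6 hunk does not record which ratis-thirdparty release is affected (the scanned component is ratis-thirdparty-misc-1.0.9.jar, per componentLocation) or which netty version carries the fix, and it links no upstream tracking issue, so a later reviewer cannot tell from the advisory alone when the entry can be closed; the same applies to the @@ -75,6 and @@ -147,3 hunks. The jetty note in the second patch of this series links the upstream issue, which is the pattern worth following here. Suggested wording: `note: netty-codec is brought into celeborn via ratis 3.2.0 (the most recent release), which pulls in ratis-thirdparty-misc 1.0.9; a fix requires ratis to pick up a ratis-thirdparty release built on a patched netty. Tracking: <UPSTREAM_TRACKING_ISSUE_URL>.`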
@@ -147,3 +155,7 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/share/java/celeborn/jars/ratis-thirdparty-misc-1.0.9.jar
 scanner: grype
+ - timestamp: 2025-10-27T13:59:09Z
+ type: pending-upstream-fix
+ data:
+ note: netty-codec is brought into celeborn via ratis (already on most recent version 3.2.0) pulling in ratis-thirdparty. Upstream maintainers must update ratis versions to pull in the fixed version of netty.

From ec5cdfe85ea8b2c10edb4aa2f6f867607ac28eb8 Mon Sep 17 00:00:00 2001
From: Catherine Redfield
Date: Mon, 27 Oct 2025 10:40:32 -0400
Subject: [PATCH 2/2] adv(celeborn-0.6): GHSA-j288-q9x7-2f5v, GHSA-h46c-h94j-95f3, GHSA-wf8f-6423-gfxg, GHSA-qh8g-58pp-2wxh, GHSA-xwmg-2g98-w7v9

celeborn-0.6 is newly version streamed and existing advisories under version 0.5 need to be updated for the new 0.6 version. hadoop is currently brought in at the most recent version (3.4.2) and all the subsequent transitive dependencies of hadoop require an upstream fix.
Relates: https://github.com/chainguard-dev/CVE-Dashboard/issues/31631, https://github.com/chainguard-dev/CVE-Dashboard/issues/31625, https://github.com/chainguard-dev/CVE-Dashboard/issues/31629, https://github.com/chainguard-dev/CVE-Dashboard/issues/31627, https://github.com/chainguard-dev/CVE-Dashboard/issues/31621
---
 celeborn-0.6.advisories.yaml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/celeborn-0.6.advisories.yaml b/celeborn-0.6.advisories.yaml
index 4fcac5c165..e11667940a 100644
--- a/celeborn-0.6.advisories.yaml
+++ b/celeborn-0.6.advisories.yaml
@@ -43,6 +43,10 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/share/java/celeborn/jars/hadoop-client-runtime-3.4.2.jar
 scanner: grype
+ - timestamp: 2025-10-27T14:20:15Z
+ type: pending-upstream-fix
+ data:
+ note: jackson-core is brought into celeborn via hadoop, which is already on the most recent version 3.4.2. Upstream maintainers of hadoop and celeborn will need to update the jackson-core version.
 - id: CGA-6x4w-p6ww-h8w6
 aliases:
@@ -61,6 +65,10 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/share/java/celeborn/jars/hadoop-client-runtime-3.4.2.jar
 scanner: grype
+ - timestamp: 2025-10-27T14:18:05Z
+ type: pending-upstream-fix
+ data:
+ note: jackson-core is brought into celeborn via hadoop, which is already on the most recent version 3.4.2. Upstream maintainers of hadoop and celeborn will need to update the jackson-core version.
 - id: CGA-83gp-5pgm-4v7j
 aliases:
@@ -101,6 +109,10 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/share/java/celeborn/jars/hadoop-client-runtime-3.4.2.jar
 scanner: grype
+ - timestamp: 2025-10-27T14:38:54Z
+ type: pending-upstream-fix
+ data:
+ note: jetty-http is used directly by celeborn and is also brought in by hadoop. jetty 9 is EOL and upstream maintainers need to transition to jetty 12 to receive CVE fixes. See https://github.com/jetty/jetty.project/issues/12783.
 - id: CGA-jj82-g9w9-4xfr
 aliases:
@@ -119,6 +131,10 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/share/java/celeborn/jars/hadoop-client-runtime-3.4.2.jar
 scanner: grype
+ - timestamp: 2025-10-27T14:23:03Z
+ type: pending-upstream-fix
+ data:
+ note: nimbus-jose-jwt is brought into celeborn via hadoop, which is already on the most recent version 3.4.2. Upstream maintainers of hadoop and celeborn will need to update the jackson-core version.
 - id: CGA-q5j9-wq6q-3g58
 aliases:
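Review bot: The note added in the @@ -119,6 hunk identifies nimbus-jose-jwt as the vulnerable component but closes by asking maintainers to update the jackson-core version, which reads as a copy-paste of the two jackson-core notes earlier in this patch; the commons-lang3 note in the @@ -137,6 hunk has the same mismatch. These notes are the justification downstream consumers read to decide whether the pending-upstream-fix status is still accurate, so the component named in the remediation sentence should match the one the advisory is about. Suggested: `note: nimbus-jose-jwt is brought into celeborn via hadoop, which is already on the most recent version 3.4.2. Upstream maintainers of hadoop and celeborn will need to update the nimbus-jose-jwt version.` and, for the other hunk, the same sentence ending in `update the commons-lang3 version.`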
@@ -137,6 +153,10 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/share/java/celeborn/jars/hadoop-client-runtime-3.4.2.jar
 scanner: grype
+ - timestamp: 2025-10-27T14:21:30Z
+ type: pending-upstream-fix
+ data:
+ note: commons-lang3 is brought into celeborn via hadoop, which is already on the most recent version 3.4.2. Upstream maintainers of hadoop and celeborn will need to update the jackson-core version.
 - id: CGA-v929-wm8j-8mwj
 aliases: