-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update google client apis to latest version #14414
Merged
abhishekagarwal87
merged 6 commits into
apache:master
from
tejaswini-imply:update-google-api-dependencies-version
Sep 11, 2023
Merged
Update google client apis to latest version #14414
abhishekagarwal87
merged 6 commits into
apache:master
from
tejaswini-imply:update-google-api-dependencies-version
Sep 11, 2023
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tejaswini-imply
changed the title
Update google apis version to 1.34.0
Update google client apis version to 1.34.0
Jun 13, 2023
tejaswini-imply
changed the title
Update google client apis version to 1.34.0
Update google client apis latest version
Jun 15, 2023
tejaswini-imply
changed the title
Update google client apis latest version
Update google client apis to latest version
Jun 15, 2023
abhishekagarwal87
pushed a commit
that referenced
this pull request
Aug 22, 2023
Currently, Druid is using Guava 16.0.1 version. This upgrade to 31.1-jre fixes the following issues. CVE-2018-10237 (Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable). We don't use Java or GWT serializations. Despite being false positive they're causing red security scans on Druid distribution. Latest version of google-client-api is incompatible with the existing Guava version. This PR unblocks Update google client apis to latest version #14414
abhishekagarwal87
approved these changes
Sep 11, 2023
Hello, can you confirm that it is going to be part of the next 28.0 ? Thks |
@OliveBZH - Yes. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently Druid is using google apis client 1.26.0 version and
google-oauth-client-1.26.0.jar
in particular is bringing following CVEsCVE-2020-7692
,CVE-2021-22573
. Despite the CVEs being false positives, they're causing red security scans on Druid distribution. Hence updating the version to latest version with these CVE fixes.