[BackPort]: CVE Fixes from Upstream #174
Commits on Dec 19, 2023
- 6d9475f: Patched security vulnerability by updating Ranger libraries to the newest available version (apache#15363)
- 32b49d0: update confluent's dependencies to common, supported version (apache#15441)
  * update confluent's dependencies to common, supported version. Update io.confluent.* dependencies to common, updated version 6.2.12; currently used versions are EOL
  * move version definition to the top level pom
- eefbad1: remove unnecessary elasticsearch dependencies to fix CVE regressions (apache#15443)
  Recent upgrade of ranger introduced CVE regressions due to outdated elasticsearch components. Druid-ranger-plugin does not use elasticsearch components, and they have been explicitly removed. Update woodstox-core to 6.4.0 to address GHSA-3f7h-mf4q-vrm4
- 1307513: update few minor dependencies to resolve CVEs (apache#15464)
  Update multiple dependencies to clear CVEs:
  * Update dropwizard-metrics to 4.2.22 to address GHSA-mm8h-8587-p46h in com.rabbitmq:amqp-client
  * Update ant to 1.10.14 to resolve GHSA-f62v-xpxf-3v68, GHSA-4p6w-m9wc-c9c9, GHSA-q5r4-cfpx-h6fh, GHSA-5v34-g2px-j4fw
  * Update commons-compress to resolve GHSA-cgwf-w82q-5jrr
  * Update jose4j to 0.9.3 to resolve GHSA-7g24-qg88-p43q, GHSA-jgvc-jfgh-rjvv
  * Update kotlin-stdlib to 1.6.0 to resolve GHSA-cqj8-47ch-rvvq and CVE-2022-24329
- 803a521
- 8cca716: update guava to 32.0.1-jre to address CVEs (apache#15482)
  Update guava to 32.0.1-jre to address two CVEs: CVE-2020-8908, CVE-2023-2976. This change requires a minor test change to remove assumptions about ordering.
  Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
- e0fc49a: remove licenses of removed libraries, update the license checker (apache#15446)
  - Licenses file contains several licenses for outdated libraries. In this PR we remove licenses for no longer used components. This change is purely cosmetic / cleans up the license database. The candidates were designated by reviewing the output of the license check script and comparing it against the dependency tree.
  - Minor fix to license check tool to fail more gracefully when the license of a used dependency is not listed as known, as well as a fix not to fail on multi-licensed components when at least one of the licenses is accepted.
  Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
- 5f565cc
- 4af512c: Upgrade Jackson and Google GSON to address CVEs (apache#15461)
  Upgrade Jackson to version 2.12.7.1 to address CVE-2022-42003, CVE-2022-42004, which affect jackson-databind. Upgrade com.google.code.gson:gson from 2.2.4 to the latest version (2.10.1) since 2.2.4 is affected by CVE-2022-25647.
- 6412199: ranger-security: exclude jackson-jaxrs from + fix outdated documentation (apache#15481)
  * Excluding jackson-jaxrs dependency from ranger-plugin-common to address CVE regression introduced by ranger-upgrade: CVE-2019-10202, CVE-2019-10172
  * remove the reference to outdated ranger 2.0 from the docs
  Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
- 89b89b3: add gson to dependencyManagement (apache#15488)
  This change completes the change introduced in apache#15461 and unifies the version of the gson dependency used between all the modules. gson is used by kubernetes-extension, avro-extensions, ranger-security, and as a test dependency in several core modules.
  Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
- 634c186: update kubernetes java client to 19.0.0 and docker-java to 3.3.4 (apache#15449)
  Update of direct dependencies:
  * kubernetes java-client to 19.0.0
  * docker-java-bom to 3.3.4
  In order to update transitive dependencies:
  * okio to 3.6.0
  * bcjava to 1.76
  To address CVEs:
  - CVE-2023-3635 in okio
  - CVE-2023-33201 in bcjava
  Co-authored-by: Xavier Léauté <xvrl@apache.org>
- 01f7579: Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878 (apache#15522)
  * Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878
  * add CVE suppression and notes, since vulnerability scan still shows this CVE
  * Add tests to improve coverage
- 5de0f76: unpin snakeyaml, add suppressions and licenses (apache#15549)
  * unpin snakeyaml globally, add suppressions and licenses
  * pin snakeyaml in the specific modules that require version 1.x, update licenses and owasp suppression
  This removes the pin of the Snakeyaml introduced in apache#14519. After the updates of io.kubernetes.java-client and io.confluent.kafka-clients, the only uses of Snakeyaml 1.x are:
  - in test scope, transitive dependency of jackson-dataformat-yaml:jar:2.12.7
  - in compile scope in contrib extension druid-cassandra-storage
  - in compile scope in it-tests.
  With the dependency version un-pinned, io.kubernetes.java-client and io.confluent.kafka-clients bring Snakeyaml versions 2.0 and 2.2, consequently allowing to build a Druid distribution without the contrib-extension and free of vulnerable Snakeyaml versions.
- 1f289c9