
[fix][sec] Upgrade Guava to 32.0.0 to address CVE-2023-2976 #20459

Merged (1 commit), Jun 1, 2023

Conversation


@lhotari lhotari commented Jun 1, 2023

Motivation & Modifications

Upgrade Guava to 32.0.0 to address CVE-2023-2976

More details in Guava 32.0.0 release notes: https://github.com/google/guava/releases/tag/v32.0.0

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete
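The PR above only bumps the dependency; a downstream project consuming Pulsar or Guava still has to confirm which Guava actually lands on its classpath, since Maven's nearest-wins resolution can keep an old transitive copy even when a newer one appears elsewhere in the tree. The following Python check, added here as an example and not code from this PR or the Pulsar project, scans `mvn dependency:tree -Dverbose` output and flags any resolved `com.google.guava:guava` artifact below the 32.0.0 fix version named in the PR title. The sample tree and the `org.example` artifacts are constructed for illustration.

```python
"""Find Guava artifacts below the 32.0.0 fix in `mvn dependency:tree -Dverbose` output.

Added example for this PR page, not code from the Pulsar project. The sample
tree and the org.example artifacts are constructed for illustration.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Version in which, per the PR title, CVE-2023-2976 is addressed.
FIXED_VERSION = (32, 0, 0)

# Maven coordinate as printed by dependency:tree, e.g.
#   com.google.guava:guava:jar:31.1-jre:compile
# The packaging ("jar:") is optional so a bare group:artifact:version also
# matches; the version must start with a digit so it is not mistaken for the
# packaging token.
GUAVA_COORD = re.compile(r"com\.google\.guava:guava:(?:[a-z-]+:)?(?P<version>\d[^:\s]*)")

# Constructed sample: an old Guava is resolved through legacy-lib, while the
# newer copies pulled in elsewhere are omitted by Maven's nearest-wins rule.
SAMPLE_TREE = r"""
[INFO] org.example:service:jar:1.0.0
[INFO] +- org.example:legacy-lib:jar:2.3.1:compile
[INFO] |  \- com.google.guava:guava:jar:30.1-android:compile
[INFO] +- org.example:messaging:jar:3.0.0:compile
[INFO] |  \- (com.google.guava:guava:jar:32.0.0-jre:compile - omitted for conflict with 30.1-android)
[INFO] \- org.example:tools:jar:0.9:test
[INFO]    \- (com.google.guava:guava:jar:31.1-jre:compile - omitted for conflict with 30.1-android)
"""


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn '31.1-jre', '30.1-android' or '32.0.0-jre' into a comparable triple.

    The -jre/-android flavour suffix is dropped, because the fix is keyed on the
    release number, not the flavour; '31.1' pads to (31, 1, 0). Returns None for
    anything that is not a dotted numeric version.
    """
    numeric = version.split("-", 1)[0]
    parts = numeric.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts] + [0, 0]
    return (nums[0], nums[1], nums[2])


def is_affected(version: str) -> bool:
    """True for any Guava release below 32.0.0; unparseable versions fail closed."""
    parsed = parse_version(version)
    return parsed is None or parsed < FIXED_VERSION


def find_vulnerable_guava(tree_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (line, version) for every *resolved* Guava artifact below 32.0.0.

    Lines marked 'omitted for ...' are skipped: Maven prints them in verbose
    mode but they are not on the classpath, so a newer Guava appearing only in
    such a line does not mean the build is fixed.
    """
    hits = []
    for line in tree_lines:
        if "omitted for" in line:
            continue
        match = GUAVA_COORD.search(line)
        if match and is_affected(match.group("version")):
            hits.append((line.strip(), match.group("version")))
    return hits


if __name__ == "__main__":
    for line, version in find_vulnerable_guava(SAMPLE_TREE.splitlines()):
        print(f"Guava {version} is below 32.0.0 (CVE-2023-2976): {line}")
```

Run it against real output with `mvn dependency:tree -Dverbose | python check_guava.py` after replacing `SAMPLE_TREE` with `sys.stdin`; the verbose flag matters, because without it Maven hides the omitted copies and you cannot see which Guava lost the conflict.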

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Jun 1, 2023
@lhotari lhotari changed the title [fix][security] Upgrade Guava to 32.0.0 to address CVE-2023-2976 [fix][sec] Upgrade Guava to 32.0.0 to address CVE-2023-2976 Jun 1, 2023
Member

@lhotari Can you attach a description of CVE-2023-2976? I don't find it on any advisory now.

Also, cross-post Guava 32.0.0 release note - https://github.com/google/guava/releases/tag/v32.0.0

It can introduce some incompatible changes, but with a quick glance I don't think it would affect our usage.


Member Author

Thanks. The CVE seems to be in the pipeline. There was a comment here: google/guava#2575 (comment)

It will be available at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2976 when it has been published.

Member Author

Similar to CVE-2020-8908.


lhotari commented Jun 1, 2023

/pulsarbot rerun-failure-checks

@tisonkun tisonkun left a comment

Thank you!

@lhotari lhotari merged commit 57f9467 into apache:master Jun 1, 2023
44 checks passed
lhotari added a commit that referenced this pull request Jun 2, 2023
(cherry picked from commit 57f9467)

# Conflicts:
#	pom.xml
#	pulsar-sql/presto-distribution/LICENSE
lhotari added a commit that referenced this pull request Jun 6, 2023
(cherry picked from commit 57f9467)

# Conflicts:
#	distribution/server/src/assemble/LICENSE.bin.txt
#	pom.xml
#	pulsar-sql/presto-distribution/LICENSE
lhotari added a commit that referenced this pull request Jun 6, 2023
(cherry picked from commit 57f9467)

# Conflicts:
#	pom.xml
#	pulsar-sql/presto-distribution/LICENSE
nicoloboschi pushed a commit to datastax/pulsar that referenced this pull request Jun 6, 2023
…0459)

(cherry picked from commit 57f9467)

(cherry picked from commit 1cc99b3)