
[Backport 2.x] Bump up commons-compress to 1.26.1 to fix CVE #13068

Merged: 1 commit merged into opensearch-project:2.x from the cve branch on Apr 3, 2024

Conversation

@sandeshkr419 (Contributor) commented Apr 3, 2024

Manual Backport #12627 to 2.x since auto-backport failed.


Description

Backports #12627 to 2.x

Related Issues

Resolves CVE-2024-26308
Resolves CVE-2024-25710

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Failing checks are inspected and point to the corresponding known issue(s) (See: Troubleshooting Failing Builds)
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)
  • Public documentation issue/PR created

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

* Bump up commons-compress to 1.26.0 to fix CVE

Signed-off-by: Aman Khare <amkhar@amazon.com>

* Change log entry

Signed-off-by: Aman Khare <amkhar@amazon.com>

* Update ignoreMissingClasses

Signed-off-by: Aman Khare <amkhar@amazon.com>

* Update commons-codec and commons-lang3 dependencies also

Signed-off-by: Aman Khare <amkhar@amazon.com>

* Upgrade commons-codec to 1.16.1

Signed-off-by: Aman Khare <amkhar@amazon.com>

* Add commons-io dependency in plugin-cli build.gradle

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* Revert "Update ignoreMissingClasses"

This reverts commit d92fbda.

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* Adding SHA for commons-io-2.15.1.jar

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* adding license, notice files for commons-io

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* Add missing classes for thirdPartyAudit

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* Refactor

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* Test commit - to be reverted

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* Bump commons-compress to 1.26.1, tika to 2.9.1

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* Remove Charsets class from exclusion list - not missing

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* Update tika to 2.9.2

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* commons-io 2.16.0

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* Refactor commons-io dependency mentions to avoid manual version setting/update

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

---------

Signed-off-by: Aman Khare <amkhar@amazon.com>
Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>
Co-authored-by: Aman Khare <amkhar@amazon.com>
Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>
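As an added example, not the OpenSearch build's own DependencyLicensesTask or thirdPartyAudit code, the shell functions below perform the check that the "Adding SHA for commons-io-2.15.1.jar" commit above exists to satisfy: OpenSearch modules keep a `licenses/<jar-name>.sha1` pin beside each shipped third-party jar, and the build fails when a jar's digest disagrees with its pin or no pin was committed. The fixture jar and pins are constructed inline; the `licenses/` layout is the project's convention, while the function names and the exit-status scheme are this example's own assumptions.

```shell
# Added example: verify a third-party jar against its committed .sha1 pin,
# the way an OpenSearch module's licenses/ directory records it. Not the
# project's own Gradle task; function names and the fixture are constructed.

# Hex SHA-1 of a file (coreutils sha1sum, with shasum as the macOS fallback).
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | cut -d' ' -f1
  else
    shasum -a 1 "$1" | cut -d' ' -f1
  fi
}

# verify_pinned_jar <jar> <licenses-dir>
# Exit status: 0 digest matches the pin; 1 mismatch (tampered artifact or a
# pin copied from another version); 2 no pin file at all (a newly added
# dependency whose .sha1 was never committed, the case the "Adding SHA"
# commit in this PR addresses).
verify_pinned_jar() {
  jar=$1; licenses=$2
  pin="$licenses/$(basename "$jar").sha1"
  [ -f "$pin" ] || return 2
  expected=$(tr -d ' \r\n' < "$pin")
  actual=$(sha1_of "$jar")
  [ "$expected" = "$actual" ]
}

# Constructed fixture: a fake jar (any bytes serve for a digest check), a
# matching pin, and a second jar whose pin was copied from the first one.
# Prints the fixture directory.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/libs" "$dir/licenses"
  printf 'constructed jar bytes, not a real artifact\n' > "$dir/libs/commons-io-2.15.1.jar"
  sha1_of "$dir/libs/commons-io-2.15.1.jar" > "$dir/licenses/commons-io-2.15.1.jar.sha1"
  printf 'different constructed bytes\n' > "$dir/libs/commons-io-2.16.0.jar"
  # Stale pin: digest of the 2.15.1 jar filed under the 2.16.0 name.
  sha1_of "$dir/libs/commons-io-2.15.1.jar" > "$dir/licenses/commons-io-2.16.0.jar.sha1"
  echo "$dir"
}
```

A bumped dependency therefore needs three coordinated edits in the same commit: the version in the build file, the new `.sha1` pin, and removal of the old one; the mismatch exit status is what surfaces when only the version line was changed.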
@sandeshkr419 sandeshkr419 changed the title [Backport] Bump up commons-compress to 1.26.1 to fix CVE [Backport 2.x] Bump up commons-compress to 1.26.1 to fix CVE Apr 3, 2024
@sandeshkr419 sandeshkr419 self-assigned this Apr 3, 2024
@sandeshkr419 sandeshkr419 added backport PRs or issues specific to backporting features or enhancements CVE Fixes a CVE labels Apr 3, 2024
github-actions bot (Contributor) commented Apr 3, 2024

Compatibility status:

Checks if related components are compatible with change 700c742

Incompatible components: none listed

Skipped components: none listed

Compatible components: [https://github.com/opensearch-project/custom-codecs.git, https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/flow-framework.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/reporting.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/performance-analyzer.git]

github-actions bot (Contributor) commented Apr 3, 2024

❕ Gradle check result for 700c742: UNSTABLE

  • TEST FAILURES:
      1 org.opensearch.cluster.coordination.AwarenessAttributeDecommissionIT.testConcurrentDecommissionAction

Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.

codecov bot commented Apr 3, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 71.13%. Comparing base (0dd892c) to head (700c742).
Report is 114 commits behind head on 2.x.

Additional details and impacted files
@@             Coverage Diff              @@
##                2.x   #13068      +/-   ##
============================================
- Coverage     71.28%   71.13%   -0.16%     
- Complexity    60145    60461     +316     
============================================
  Files          4957     4995      +38     
  Lines        282799   284821    +2022     
  Branches      41409    41617     +208     
============================================
+ Hits         201591   202600    +1009     
- Misses        64189    65085     +896     
- Partials      17019    17136     +117     


@kotwanikunal kotwanikunal merged commit c658ad7 into opensearch-project:2.x Apr 3, 2024
111 checks passed
@sandeshkr419 sandeshkr419 deleted the cve branch April 3, 2024 22:17
@opensearch-trigger-bot (Contributor) commented

The backport to 2.13 failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/backport-2.13 2.13
# Navigate to the new working tree
pushd ../.worktrees/backport-2.13
# Create a new branch
git switch --create backport/backport-13068-to-2.13
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 c658ad75486e55cdc251ad21225e7fa592c36b98
# Push it to GitHub
git push --set-upstream origin backport/backport-13068-to-2.13
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/backport-2.13

Then, create a pull request where the base branch is 2.13 and the compare/head branch is backport/backport-13068-to-2.13.
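The recipe above, rehearsed on a throwaway local repository as an added example (not the trigger bot's own code, and not run against the real fork): the functions below build a constructed repo with a 2.13 release branch and a 2.x branch carrying the fix, then apply the same worktree, branch, cherry-pick -x and worktree-remove steps. The file `versions.properties`, the baseline version 1.24.0 and the function names are this example's assumptions; `--mainline 1` is left out because the constructed fix commit is an ordinary commit rather than a merge commit.

```shell
# Added example: rehearse the manual-backport recipe on a throwaway local
# repository before running it against the real fork. Not the trigger bot's
# own code; branch layout, file contents and versions are constructed.

# Constructed repo: branch 2.13 cut from a baseline, branch 2.x one commit
# ahead with the dependency bump. Prints the repo path.
make_demo_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" symbolic-ref HEAD refs/heads/2.x
  git -C "$repo" config user.email dev@example.com
  git -C "$repo" config user.name "Example Dev"
  printf 'commons-compress = 1.24.0\n' > "$repo/versions.properties"
  git -C "$repo" add versions.properties
  git -C "$repo" commit -q -m "baseline"
  git -C "$repo" branch 2.13
  printf 'commons-compress = 1.26.1\n' > "$repo/versions.properties"
  git -C "$repo" commit -q -a -m "Bump commons-compress to 1.26.1"
  echo "$repo"
}

# backport_to <repo> <target-branch> <commit> <pr-number>
# Same steps as the bot's recipe: a separate worktree on the target branch,
# a new backport/... branch, cherry-pick -x, worktree removed afterwards.
# Prints the backport branch name. --mainline 1 is omitted here because the
# constructed commit is not a merge commit; keep it when picking a merge.
backport_to() {
  repo=$1; target=$2; commit=$3; pr=$4
  wt="$(mktemp -d)/backport-$target"
  branch="backport/backport-$pr-to-$target"
  git -C "$repo" worktree add -q "$wt" "$target"
  git -C "$wt" switch -q --create "$branch"
  # -x appends "(cherry picked from commit ...)", the trail that ties the
  # backport to the merge on 2.x when the CVE fix is audited later.
  git -C "$wt" cherry-pick -x "$commit" >/dev/null
  git -C "$repo" worktree remove "$wt"
  echo "$branch"
}

# pinned_version <repo> <ref>: the commons-compress line on a ref, so the
# result can be checked without checking the branch out.
pinned_version() {
  git -C "$1" show "$2:versions.properties" | sed -n 's/^commons-compress = //p'
}
```

Because the work happens in a separate worktree, the 2.13 branch itself is untouched until the backport PR merges; a conflicting cherry-pick (the exit code 128 the bot reports above) stops at the cherry-pick step, where the conflict is resolved in the worktree before pushing.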

@sandeshkr419 (Contributor, Author) commented

@peternied any reason for adding 2.13 backport label? We already released 2.13 so this change will only go to 2.x (2.14 to be cut in future), right?

@bbarani @gaiksaya Any comments?

@bbarani (Member) commented Apr 10, 2024

Security fixes can still be backported to the 2.13 release branch so they get picked up if we decide to do a 2.13.1 release, but we are not planning to release 2.13.1 at this point in time.

We always try to be ready for a possible patch version release once a minor is released.

@sandeshkr419 (Contributor, Author) commented

Ohh okay, let me raise a manual backport then since the trigger-bot could not fix the conflicts.

@peternied (Member) commented Apr 11, 2024

@sandeshkr419 @bbarani We've gotten a report about CVE [1] present in 2.13.0. It looks like there has been back and forth between the reporting agency and the library owner categorizing one of these issues as HIGH. I've created a manual backport [2] for 2.13 so we are ready to pull the trigger on this fix to be included with the next patch release.

FYI @kkhatua @cwperks
