Security Fix: Okio CVE-2023-3635 + OkHttp Jar Update #24473
Conversation
Mariamalmesfer
force-pushed
the
okie-fix-test
branch
3 times, most recently
from
bf152d0 to
3ff2d81
Compare
Mariamalmesfer
changed the title
Mariamalmesfer
force-pushed
the
okie-fix-test
branch
from
3ff2d81 to
d4f668d
Compare
|
Thanks for the release note! New release note guidelines: as of last week PR #24354 automatically adds links to this PR to the release notes. Please remove the manual PR link in the following format from the release note entries for this PR. I have updated the Release Notes Guidelines to remove the examples of manually adding the PR link. |
Mariamalmesfer
force-pushed
the
okie-fix-test
branch
2 times, most recently
from
eceb4b9 to
ff135ba
Compare
presto-client/src/main/java/com/facebook/presto/client/Dummy.java
Outdated
Show resolved
Hide resolved
| <relocation> | ||
| <pattern>org.jetbrains.annotations</pattern> | ||
| <shadedPattern>${shadeBase}.org.jetbrains.annotations</shadedPattern> | ||
| </relocation> |
There was a problem hiding this comment.
@arhimondr Can you confirm that this is the correct shading you mentioned in this comment: https://github.com/prestodb/presto/pull/23796/files#r1935889125
There was a problem hiding this comment.
We need to move kotlin.. Basically try to open the generated jar in the CLI and see if there are any classes outside of the com.facebook.presto package
There was a problem hiding this comment.
@arhimondr Checked the generated jar and found classes in kotlin/, jvmMain/okio/, and commonMain/okio/ outside the com.facebook.presto package. Added relocations for these. Can you check if this is correct?
Mariamalmesfer
force-pushed
the
okie-fix-test
branch
from
ff135ba to
0dfd226
Compare
| <configuration> | ||
| <ignoredUnusedDeclaredDependencies> | ||
| <!-- This is needed to keep Okio in the build and prevent conflicts with OkHttp and Kotlin dependencies. --> | ||
| <ignoredUnusedDeclaredDependency>com.squareup.okio:okio-jvm</ignoredUnusedDeclaredDependency> |
There was a problem hiding this comment.
Nice. This is better than a Dummy hack :-)
| <relocation> | ||
| <pattern>org.jetbrains.annotations</pattern> | ||
| <shadedPattern>${shadeBase}.org.jetbrains.annotations</shadedPattern> | ||
| </relocation> |
There was a problem hiding this comment.
We need to move kotlin.. Basically try to open the generated jar in the CLI and see if there are any classes outside of the com.facebook.presto package
Mariamalmesfer
force-pushed
the
okie-fix-test
branch
3 times, most recently
from
c1c793c to
2a42688
Compare
… 4.12.0 to address CVE-2023-3635.
Mariamalmesfer
force-pushed
the
okie-fix-test
branch
from
2a42688 to
9e08525
Compare
| <relocation> | ||
| <pattern>org.jetbrains.annotations</pattern> | ||
| <shadedPattern>${shadeBase}.org.jetbrains.annotations</shadedPattern> | ||
| </relocation> |
Description
This PR fixes the Okio security vulnerability (CVE-2023-3635) by upgrading from version 1.17.2 to 3.6.0. It also includes an update to the OkHttp jar from 3.9.0 to 4.12.0
Motivation and Context
A flaw was found in Okio’s GzipSource class that doesn’t handle exceptions properly, allowing potential Denial of Service (DoS) attacks with malformed files.
CVE-2023-3635: Details
Impact
Image Scan showed the vulnerability have been removed.
correlation-report-ibm-lh-presto-okie check.csv
Test Plan
Contributor checklist
Release Notes
Please follow release notes guidelines and fill in the release notes below.