Address CVE-2022-42889 by updating commons-text

[reta]

Signed-off-by: Andriy Redko [email protected]

Description

Address CVE-2022-42889 by updating commons-text

Issues Resolved

Closes #485

Check List

• New functionality includes testing.
  • All tests pass
• New functionality has been documented.
  • New functionality has javadoc added
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[ylwu-amzn]

3.0 has breaking change so CI build failed. This change LGTM. Will approve and merge.

[ylwu-amzn]

@reta should we backport to 2.x?

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-487-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 479f178f4170cf3d01588f9aec72259fcba6ade6
# Push it to GitHub
git push --set-upstream origin backport/backport-487-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-487-to-2.x.

[reta]

@reta should we backport to 2.x?

Yes, I will take of that, thanks @ylwu-amzn

[Ayril]

Thanks for addressing this so quickly @reta!

Would it be possible to have this backported to 1.x as well? If I understand correctly the 1 major version is still within its maintenance window and addressing CVE-2022-42889 (9.8 score CVE) is probably a suitable security patch to want backported.

[reta]

Would it be possible to have this backported to 1.x as well?

@Ayril sure, will do that shortly, thank you

[nslokesh]

@reta For better clarity, from which version of 1.x these fixes are available and when it be released?

[reta]

@reta For better clarity, from which version of 1.x these fixes are available and when it be released?

@nslokesh that would be question to maintainers, @jngz-es could you spot some light please?

[opensearch-trigger-bot]

The backport to 1.3 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.3 1.3
# Navigate to the new working tree
cd .worktrees/backport-1.3
# Create a new branch
git switch --create backport/backport-487-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 479f178f4170cf3d01588f9aec72259fcba6ade6
# Push it to GitHub
git push --set-upstream origin backport/backport-487-to-1.3
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.3

Then, create a pull request where the base branch is 1.3 and the compare/head branch is backport/backport-487-to-1.3.

[Zhangxunmt]

Manually backported to 1.3. #520.

[Zhangxunmt]

from OS 1.3.7, these fixes are available and it will be released when 1.3.7 is released. @nslokesh