
[Backport 2.8] Resolve CVE-2023-2976 by forcing use of Guava 32.0.1 (#2937) #2975

Conversation

DarshitChanpura (Member)
Backports #2937

Check List

- [ ] New functionality includes testing
- [ ] New functionality has been documented

- Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Stephen Crawford <[email protected]>
(cherry picked from commit 8ab7cb4)
Signed-off-by: Darshit Chanpura <[email protected]>
willyborankin previously approved these changes Jul 10, 2023
Signed-off-by: Darshit Chanpura <[email protected]>
codecov bot commented Jul 10, 2023

Codecov Report

Merging #2975 (3393155) into 2.8 (c1b0f8c) will decrease coverage by 0.07%.
The diff coverage is n/a.

@@             Coverage Diff              @@
##                2.8    #2975      +/-   ##
============================================
- Coverage     61.53%   61.46%   -0.07%     
+ Complexity     3386     3380       -6     
============================================
  Files           264      264              
  Lines         18665    18665              
  Branches       3288     3288              
============================================
- Hits          11485    11472      -13     
- Misses         5597     5605       +8     
- Partials       1583     1588       +5     

see 5 files with indirect coverage changes

build.gradle Outdated
@@ -285,17 +285,20 @@ configurations.all {
force "io.netty:netty-transport:${versions.netty}"
force "io.netty:netty-transport-native-unix-common:${versions.netty}"
force "org.apache.bcel:bcel:6.6.0" // This line should be removed once Spotbugs is upgraded to 4.7.4
force "com.github.luben:zstd-jni:${versions.zstd}"
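Review bot: the new `force "com.github.luben:zstd-jni:${versions.zstd}"` line interpolates a `versions.zstd` property that the 2.8 branch does not define, so the coordinate resolves to `com.github.luben:zstd-jni:null` and dependency resolution fails (as the review thread below reports). For a backport, either pin an explicit version string here, the way the `bcel` line above does, or leave the zstd-jni force out of this change and keep the hunk limited to the Guava pin that CVE-2023-2976 actually requires. A short comment on the Guava force line naming the CVE, mirroring the removal note on the `bcel` line, would also tell future maintainers when the override can be dropped.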
Member
Could not resolve com.github.luben:zstd-jni:null.

willyborankin (Collaborator), Jul 11, 2023

Hmmm, I think for 2.x it needs to be 1.5.5-3, since versions.zstd comes with the 2.9 version. So after 2.9 has been released we can use it in 2.x, or I'm missing something.

willyborankin (Collaborator), Jul 13, 2023

Ah, sorry for the misleading comment. I did not notice that it is for the 2.8 version. The version of ZSTD should stay the same in this case.
ZSTD 1.5.5-3 was merged in the OS main branch and I hope will be released in 2.9; before that, the sec plugin uses its own. To avoid regressions, let's leave it as is.

Signed-off-by: Darshit Chanpura <[email protected]>
davidlago

No longer needed as 2.9 is about to be released.

@davidlago davidlago closed this Jul 14, 2023