
[DNR] Upgraded version : io.netty:netty-common:4.1.115.Final #24175

Draft
wants to merge 1 commit into base: master

Conversation

imsayari404
Contributor

@imsayari404 imsayari404 commented Dec 1, 2024

Description

2 Medium CVEs got resolved

Motivation and Context

About CVE-2024-47535

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.

Impact

2 Medium CVEs got resolved.

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes
* Fix security vulnerability in io.netty:netty-common:jar:4.1.115.Final jar in response to 'CVE-2024-47535 <https://www.mend.io/vulnerability-database/CVE-2024-47535>' :pr:`#24175`

@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Dec 1, 2024
@prestodb-ci prestodb-ci requested review from a team, pdabre12 and psnv03 and removed request for a team December 1, 2024 09:34
@imsayari404 imsayari404 marked this pull request as ready for review December 1, 2024 10:42
@imsayari404 imsayari404 requested a review from a team as a code owner December 1, 2024 10:42
@imsayari404 imsayari404 closed this Dec 1, 2024
@imsayari404 imsayari404 reopened this Dec 1, 2024
@imsayari404 imsayari404 force-pushed the netty-common branch 2 times, most recently from 71ba04c to 4f3db76 Compare December 2, 2024 03:22
Member

@agrawalreetika agrawalreetika left a comment


I see most of the drift dependencies are at 4.1.107.Final which is getting set from https://github.com/prestodb/drift/blob/master/pom.xml

I think it would be better to handle these dependency versions from the shaded jar? It would help resolve CVEs for all the related dependencies instead of handling it here for each artifact.

@imsayari404
Contributor Author

I see most of the drift dependencies are at 4.1.107.Final which is getting set from https://github.com/prestodb/drift/blob/master/pom.xml

I think it would be better to handle these dependency versions from the shaded jar? It would help resolve CVEs for all the related dependencies instead of handling it here for each artifact.

Thanks for the suggestion @agrawalreetika , I noticed that most of the Drift dependencies are set to 4.1.107.Final as per the Drift pom.xml. I agree that managing versions through a shaded JAR is a good approach for better dependency management, particularly for resolving CVEs and preventing version conflicts. I'll proceed with the changes as you suggested.

@agrawalreetika
Member

@tdcmeehan What are your thoughts around this, resolving drift related cves directly in the shaded jar?

@tdcmeehan
Contributor

Can you help me understand how a shaded JAR will help? Why not just update the version within Drift without shading?

@agrawalreetika
Member

agrawalreetika commented Dec 2, 2024

Can you help me understand how a shaded JAR will help? Why not just update the version within Drift without shading?

I am sorry, my mistake. I meant updating the drift dependency in the drift repo and updating its version in the presto pom, instead of updating those drift dependencies in Presto directly.
Sorry about the confusion.

@tdcmeehan
Contributor

Oh, then agreed--let's fix it in Drift first.
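The thread settles on the point that the outdated netty jars reach Presto transitively through Drift, so the bump belongs upstream rather than in each Presto artifact. The script below is an added example, not code from this PR, from Presto or from Drift: it parses `mvn dependency:tree` output, reports every io.netty artifact older than the 4.1.115.Final fix version named in the PR, and shows the dependency path that pulls each one in, so a reviewer can see whether a direct pin or an upstream release is the right fix. The embedded tree is constructed for the example; its artifact coordinates (com.facebook.drift:drift-transport-netty, com.example:*) are illustrative, not taken from the real builds.

```python
import re
from typing import Dict, List, Tuple

# Version in which CVE-2024-47535 is fixed, as stated in the PR description.
FIXED_NETTY_VERSION = "4.1.115.Final"

# Constructed sample of `mvn dependency:tree` output (not from Presto/Drift).
# One netty jar is pinned directly; three older ones arrive through an
# illustrative Drift transport artifact.
SAMPLE_TREE = r"""
[INFO] com.example:presto-main:jar:0.290-SNAPSHOT
[INFO] +- io.netty:netty-common:jar:4.1.115.Final:compile
[INFO] +- com.facebook.drift:drift-transport-netty:jar:1.36:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.107.Final:compile
[INFO] |  |  \- io.netty:netty-codec:jar:4.1.107.Final:compile
[INFO] |  \- io.netty:netty-transport:jar:4.1.107.Final:compile
[INFO] \- com.example:other-lib:jar:2.0:compile
[INFO]    \- io.netty:netty-buffer:jar:4.1.115.Final:compile
"""

# A tree line is "[INFO] " + zero or more 3-char indent units ("|  " or "   ")
# + optional connector ("+- " or "\- ") + the Maven coordinates.
LINE_RE = re.compile(r"^\[INFO\] ((?:[| ]  )*)([+\\]- )?(\S+)\s*$")


def parse_dependency_tree(text: str) -> List[Tuple[Dict[str, str], List[str]]]:
    """Return (node, path) for every artifact in the tree; path lists the
    groupId:artifactId of each ancestor from the root module downwards."""
    nodes: List[Tuple[Dict[str, str], List[str]]] = []
    stack: List[str] = []  # groupId:artifactId of the current ancestor chain
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # other Maven log lines (BUILD SUCCESS, blank, ...)
        prefix, connector, coords = m.groups()
        depth = len(prefix) // 3 + (1 if connector else 0)
        parts = coords.split(":")
        if len(parts) < 4:
            continue
        # root: g:a:type:version ; children: g:a:type[:classifier]:version:scope
        version = parts[3] if depth == 0 else parts[-2]
        node = {"group": parts[0], "artifact": parts[1], "version": version}
        del stack[depth:]  # pop ancestors deeper than or equal to this node
        nodes.append((node, list(stack)))
        stack.append(f"{parts[0]}:{parts[1]}")
    return nodes


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components of a version, e.g. '4.1.107.Final' -> (4, 1, 107)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def find_outdated_netty(text: str, fixed: str = FIXED_NETTY_VERSION) -> List[Tuple[str, str]]:
    """Return (group:artifact:version, path) for each io.netty artifact older
    than `fixed`; path is the chain of first-level and deeper dependencies
    that pull it in, or '(direct)' when the project declares it itself."""
    findings: List[Tuple[str, str]] = []
    for node, path in parse_dependency_tree(text):
        if node["group"] != "io.netty":
            continue
        if version_key(node["version"]) < version_key(fixed):
            gav = f"{node['group']}:{node['artifact']}:{node['version']}"
            findings.append((gav, " > ".join(path[1:]) or "(direct)"))
    return findings


def owning_dependencies(findings: List[Tuple[str, str]]) -> List[str]:
    """Distinct first-hop dependencies responsible for the outdated jars;
    each of these is where the version bump has to happen upstream."""
    return sorted({path.split(" > ")[0] for _, path in findings})


if __name__ == "__main__":
    results = find_outdated_netty(SAMPLE_TREE)
    for gav, path in results:
        print(f"{gav}  via  {path}")
    print("bump needed in:", ", ".join(owning_dependencies(results)))
```

To run it against a real build, capture the tree with `mvn dependency:tree -Dincludes=io.netty` (the `includes` parameter of maven-dependency-plugin keeps only matching subtrees) and pass the captured text to `find_outdated_netty`. Every finding whose path starts with a Drift artifact is one that a pin in Presto's pom would only mask, which is the reason the thread prefers releasing the fix in Drift and then bumping the Drift version in Presto.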

@agrawalreetika agrawalreetika changed the title Upgraded version : io.netty:netty-common:4.1.115.Final [DNR] Upgraded version : io.netty:netty-common:4.1.115.Final Dec 6, 2024
@imsayari404 imsayari404 force-pushed the netty-common branch 8 times, most recently from 8f51165 to e41dcb4 Compare December 9, 2024 09:45
@imsayari404 imsayari404 requested a review from elharo as a code owner December 9, 2024 10:10
@imsayari404 imsayari404 marked this pull request as draft December 9, 2024 12:50
@imsayari404 imsayari404 force-pushed the netty-common branch 9 times, most recently from 1148d06 to b748d3a Compare December 12, 2024 08:42
- prestodb/drift pr : prestodb/drift#54
- Resolved presto-druid module error
- Resolving issues related to maven checks
- Ignored specific duplicate resources explicitly related to com/github/rvesse/airline/core.version
- Fix: Replace deprecated io.netty:netty with io.netty:netty-all version 4.1.115.Final