Upgrade dependencies
kaklakariada committed Nov 20, 2024
1 parent efab4dd commit 54ede58
Showing 3 changed files with 77 additions and 32 deletions.
6 changes: 3 additions & 3 deletions dependencies.md


57 changes: 51 additions & 6 deletions doc/changes/changes_2.8.4.md
@@ -1,24 +1,69 @@
# Cloud Storage Extension 2.8.4, released 2024-??-??
# Cloud Storage Extension 2.8.4, released 2024-11-20

Code name:
Code name: Fix vulnerabilities CVE-2024-23454 & CVE-2024-47561 & CVE-2024-47554 & CVE-2024-51504 & CVE-2024-47535

## Summary

## Features
This release fixes the following vulnerabilities in dependencies:
* CVE-2024-23454 in `org.apache.hadoop:hadoop-common:jar:3.3.6:compile`
* CVE-2024-47561 in `org.apache.avro:avro:jar:1.11.3:compile`
* CVE-2024-47554 in `commons-io:commons-io:jar:2.8.0:compile`
* CVE-2024-51504 in `org.apache.zookeeper:zookeeper:jar:3.9.2:compile`
* CVE-2024-47535 in `io.netty:netty-common:jar:4.1.112.Final:compile`

* ISSUE_NUMBER: description
## Security

* #327: Fixed CVE-2024-23454 in `org.apache.hadoop:hadoop-common:jar:3.3.6:compile`
* #329: Fixed CVE-2024-47561 in `org.apache.avro:avro:jar:1.11.3:compile`
* #330: Fixed CVE-2024-47554 in `commons-io:commons-io:jar:2.8.0:compile`
* #333: Fixed CVE-2024-51504 in `org.apache.zookeeper:zookeeper:jar:3.9.2:compile`
* #334: Fixed CVE-2024-47535 in `io.netty:netty-common:jar:4.1.112.Final:compile`

## Dependency Updates

### Cloud Storage Extension

#### Compile Dependency Updates

* Added `commons-io:commons-io:2.17.0`
* Updated `com.exasol:parquet-io-java:2.0.10` to `2.0.12`
* Updated `com.github.mwiede:jsch:0.2.18` to `0.2.21`
* Updated `com.google.guava:guava:33.2.1-jre` to `33.3.1-jre`
* Updated `com.nimbusds:nimbus-jose-jwt:9.40` to `9.47`
* Added `commons-io:commons-io:2.18.0`
* Updated `dnsjava:dnsjava:3.6.1` to `3.6.2`
* Updated `io.dropwizard.metrics:metrics-core:4.2.26` to `4.2.28`
* Updated `io.netty:netty-codec-http2:4.1.112.Final` to `4.1.115.Final`
* Updated `org.apache.avro:avro:1.11.3` to `1.11.4`
* Updated `org.apache.avro:avro:1.11.3` to `1.12.0`
* Updated `org.apache.commons:commons-compress:1.26.2` to `1.27.1`
* Updated `org.apache.commons:commons-lang3:3.15.0` to `3.17.0`
* Updated `org.apache.logging.log4j:log4j-1.2-api:2.23.1` to `2.24.1`
* Updated `org.apache.logging.log4j:log4j-api:2.23.1` to `2.24.1`
* Updated `org.apache.logging.log4j:log4j-core:2.23.1` to `2.24.1`
* Updated `org.apache.orc:orc-core:1.9.4` to `1.9.5`
* Updated `org.apache.zookeeper:zookeeper:3.9.2` to `3.9.3`
* Added `org.codehaus.janino:janino:3.1.12`
* Updated `org.glassfish.jersey.containers:jersey-container-servlet-core:2.43` to `2.45`
* Updated `org.glassfish.jersey.containers:jersey-container-servlet:2.43` to `2.45`
* Updated `org.glassfish.jersey.core:jersey-client:2.43` to `2.45`
* Updated `org.glassfish.jersey.core:jersey-common:2.43` to `2.45`
* Updated `org.glassfish.jersey.core:jersey-server:2.43` to `2.45`
* Updated `org.glassfish.jersey.inject:jersey-hk2:2.43` to `2.45`
* Updated `org.slf4j:jul-to-slf4j:2.0.13` to `2.0.16`
* Updated `org.xerial.snappy:snappy-java:1.1.10.5` to `1.1.10.7`

#### Runtime Dependency Updates

* Updated `ch.qos.logback:logback-classic:1.5.6` to `1.5.12`
* Updated `ch.qos.logback:logback-core:1.5.6` to `1.5.12`

#### Test Dependency Updates

* Updated `com.exasol:extension-manager-integration-test-java:0.5.12` to `0.5.13`
* Updated `nl.jqno.equalsverifier:equalsverifier:3.16.1` to `3.17.3`
* Updated `org.hamcrest:hamcrest:2.2` to `3.0`
* Added `org.junit.jupiter:junit-jupiter-api:5.10.3`
* Removed `org.junit.jupiter:junit-jupiter-engine:5.10.3`
* Updated `org.testcontainers:localstack:1.20.0` to `1.20.3`

#### Plugin Dependency Updates
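
Review bot: the Security entries (#327 to #334) name the vulnerable coordinates but not the versions that resolve them, so a reader has to cross-reference the Dependency Updates list to see what was actually done; stating the fix inline, e.g. `* #329: Fixed CVE-2024-47561 in org.apache.avro:avro by upgrading 1.11.3 to 1.12.0`, makes each entry self-contained. The #327 entry also records CVE-2024-23454 in `hadoop-common:3.3.6` as fixed, yet no hadoop-common change appears under Compile Dependency Updates; the entry should say how the issue is mitigated (which transitive override or exclusion applies) so the claim can be verified from the changelog alone.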

46 changes: 23 additions & 23 deletions pom.xml
Expand Up @@ -17,9 +17,9 @@
<scala.version>2.13.11</scala.version>
<scala.compat.version>2.13</scala.compat.version>
<hadoop.version>3.3.6</hadoop.version>
<jersey.version>2.43</jersey.version>
<log4j.version>2.23.1</log4j.version>
<logback.version>1.5.6</logback.version>
<jersey.version>2.45</jersey.version>
<log4j.version>2.24.1</log4j.version>
<logback.version>1.5.12</logback.version>
<sonar.sources>src/main/,extension/src/</sonar.sources>
<sonar.exclusions>extension/src/*.test.ts</sonar.exclusions>
<sonar.tests>src/test/,extension/src</sonar.tests>
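Review bot: `<hadoop.version>3.3.6</hadoop.version>` is left unchanged in this hunk while the changelog in the same commit records CVE-2024-23454 in hadoop-common 3.3.6 as fixed; if the fix relies on a transitive override elsewhere in the pom rather than a Hadoop upgrade, a comment next to this property (or next to the relevant override) saying so would stop the next dependency audit from flagging the same version again.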
Expand All @@ -35,7 +35,7 @@
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.15.0</version>
<version>3.17.0</version>
</dependency>
<dependency>
<!-- Upgraded to fix CVE-2024-29131 and CVE-2024-29133 -->
Expand All @@ -52,7 +52,7 @@
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>33.2.1-jre</version>
<version>33.3.1-jre</version>
</dependency>
<dependency>
<!-- Upgrading this will cause failing integration tests -->
Expand All @@ -69,7 +69,7 @@
<dependency>
<groupId>org.xerial.snappy</groupId>
<artifactId>snappy-java</artifactId>
<version>1.1.10.5</version>
<version>1.1.10.7</version>
</dependency>
<dependency>
<groupId>com.exasol</groupId>
Expand Down Expand Up @@ -191,19 +191,19 @@
<!-- Override version from org.apache.hadoop:hadoop-common to fix CVE-2024-47554 -->
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.17.0</version>
<version>2.18.0</version>
</dependency>
<dependency>
<!-- Override version 2.1.7 from org.apache.hadoop:hadoop-common to fix CVE-2023-33546-->
<artifactId>dnsjava</artifactId>
<groupId>dnsjava</groupId>
<version>3.6.1</version>
<version>3.6.2</version>
</dependency>
<dependency>
<!-- Replacement for deprecated com.jcraft:jsch from org.apache.hadoop:hadoop-common -->
<groupId>com.github.mwiede</groupId>
<artifactId>jsch</artifactId>
<version>0.2.18</version>
<version>0.2.21</version>
</dependency>
<dependency>
<groupId>org.apache.hadoop</groupId>
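Review bot: the three CVE overrides in this hunk (`commons-io` 2.18.0, `dnsjava` 3.6.2, `jsch` 0.2.21) are declared as direct dependencies, which beats Hadoop's transitive versions only through nearest-wins mediation in this module; declaring the same versions in `<dependencyManagement>` would pin them on every resolution path as well. Two style points: the dnsjava comment `<!-- Override version 2.1.7 from org.apache.hadoop:hadoop-common to fix CVE-2023-33546-->` is missing the space before `-->`, and that dependency lists `<artifactId>` before `<groupId>`, unlike every other dependency in the file.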
Expand Down Expand Up @@ -409,7 +409,7 @@
<dependency>
<groupId>io.dropwizard.metrics</groupId>
<artifactId>metrics-core</artifactId>
<version>4.2.26</version>
<version>4.2.28</version>
</dependency>
<dependency>
<!-- Explicitly upgrade transitive dependency of gcs-connector to fix CVE-2024-7254 -->
Expand All @@ -431,7 +431,7 @@
<dependency>
<groupId>org.apache.orc</groupId>
<artifactId>orc-core</artifactId>
<version>1.9.4</version>
<version>1.9.5</version>
<exclusions>
<!-- exluded because of duplicate-finder-maven-plugin -->
<exclusion>
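Review bot: the context comment `<!-- exluded because of duplicate-finder-maven-plugin -->` on the orc-core exclusion carries the same `exluded` typo that this commit fixes in the avro dependency block below; fixing both identical comments in the same pass keeps them consistent.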
Expand All @@ -455,9 +455,9 @@
<!-- Update transitive dependency of org.apache.spark:spark-core to fix CVE-2024-47561 -->
<groupId>org.apache.avro</groupId>
<artifactId>avro</artifactId>
<version>1.11.4</version>
<version>1.12.0</version>
<exclusions>
<!-- exluded because of duplicate-finder-maven-plugin -->
<!-- excluded because of duplicate-finder-maven-plugin -->
<exclusion>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
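Review bot: the comment above `<version>1.12.0</version>` still gives CVE-2024-47561 as the reason for the bump, but the changelog line being replaced in this same commit already recorded 1.11.4 as the fix for that CVE, so 1.11.4 to 1.12.0 is a minor-version jump beyond what the CVE requires; either add the additional reason to the comment or confirm in the PR that `org.apache.spark:spark-core` works against avro 1.12.0.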
Expand All @@ -472,13 +472,13 @@
<!-- Upgrade transitive dependency of org.apache.avro:avro to fix CVE-2024-26308 -->
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.26.2</version>
<version>1.27.1</version>
</dependency>
<dependency>
<!-- Pinned to fix CVE-2023-52428 -->
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
<version>9.40</version>
<version>9.47</version>
</dependency>
<dependency>
<groupId>io.delta</groupId>
Expand Down Expand Up @@ -562,12 +562,12 @@
<dependency>
<groupId>com.exasol</groupId>
<artifactId>parquet-io-java</artifactId>
<version>2.0.10</version>
<version>2.0.12</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jul-to-slf4j</artifactId>
<version>2.0.13</version>
<version>2.0.16</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
Expand Down Expand Up @@ -611,7 +611,7 @@
<dependency>
<groupId>org.hamcrest</groupId>
<artifactId>hamcrest</artifactId>
<version>2.2</version>
<version>3.0</version>
<scope>test</scope>
</dependency>
<dependency>
Expand All @@ -623,7 +623,7 @@
<dependency>
<groupId>org.testcontainers</groupId>
<artifactId>localstack</artifactId>
<version>1.20.0</version>
<version>1.20.3</version>
<scope>test</scope>
</dependency>
<dependency>
Expand All @@ -647,12 +647,12 @@
<dependency>
<groupId>nl.jqno.equalsverifier</groupId>
<artifactId>equalsverifier</artifactId>
<version>3.16.1</version>
<version>3.17.3</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-engine</artifactId>
<artifactId>junit-jupiter-api</artifactId>
<version>5.10.3</version>
<scope>test</scope>
</dependency>
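Review bot: swapping `junit-jupiter-engine` for `junit-jupiter-api` at the same version 5.10.3 removes the engine from the declared test classpath; the API alone lets the tests compile, but unless the engine still arrives transitively (or through the surefire plugin configuration), the JUnit Platform finds no engine and Jupiter tests are silently skipped rather than failing. Worth comparing the executed test count in the build log against the previous build, or keeping `junit-jupiter-engine` in test scope alongside the API.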
Expand All @@ -665,7 +665,7 @@
<dependency>
<groupId>com.exasol</groupId>
<artifactId>extension-manager-integration-test-java</artifactId>
<version>0.5.12</version>
<version>0.5.13</version>
<scope>test</scope>
</dependency>
<dependency>
Expand Down Expand Up @@ -786,7 +786,7 @@
<javacArg>${java.version}</javacArg>
<javacArg>-deprecation</javacArg>
<javacArg>-parameters</javacArg>
<javacArg>-Xlint:all</javacArg>
<javacArg>-Xlint:all,-path</javacArg>
</javacArgs>
<jvmArgs>
<jvmArg>-Xmx2048m</jvmArg>
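Review bot: `-Xlint:all,-path` switches off javac's `path` lint category (warnings about classpath or sourcepath entries that do not exist), and neither the commit message nor a comment says which build input triggers it; a short XML comment above the `<javacArg>` naming the cause keeps the suppression from being broadened or forgotten later, and fixing the offending path element would be preferable to disabling the category altogether.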
