Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[fix][sec] Upgrade Avro to 1.11.4 to address CVE-2024-47561 #23394

Merged
merged 1 commit into from
Oct 3, 2024
Merged

[fix][sec] Upgrade Avro to 1.11.4 to address CVE-2024-47561 #23394

merged 1 commit into from
Oct 3, 2024

Conversation

lhotari
Copy link
Member

@lhotari lhotari commented Oct 3, 2024
edited
Loading

Motivation

Avro 1.11.3 contains critical 9.3/10 level RCE vulnerability in Avro Java SDK <1.11.4, CVE-2024-47561

Modifications

Upgrade Avro to 1.11.4 to address the issue.

Additional Context

Dev mailing list discussion (contains information about release plan)
Users mailing list discussion

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

@lhotari lhotari added area/security release/blocker Indicate the PR or issue that should block the release until it gets resolved release/3.0.7 release/3.3.2 labels Oct 3, 2024
@lhotari lhotari added this to the 4.0.0 milestone Oct 3, 2024
@lhotari lhotari self-assigned this Oct 3, 2024
@lhotari lhotari requested a review from merlimat October 3, 2024 20:40
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Oct 3, 2024
@codecov-commenter
Copy link

codecov-commenter commented Oct 3, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.53%. Comparing base (bbc6224) to head (49fea39).
Report is 631 commits behind head on master.

Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff              @@
##             master   #23394      +/-   ##
============================================
+ Coverage     73.57%   74.53%   +0.95%     
- Complexity    32624    34023    +1399     
============================================
  Files          1877     1936      +59     
  Lines        139502   145365    +5863     
  Branches      15299    15893     +594     
============================================
+ Hits         102638   108346    +5708     
+ Misses        28908    28707     -201     
- Partials       7956     8312     +356
Flag Coverage Δ
inttests 27.73% <ø> (+3.14%) ⬆️
systests 24.50% <ø> (+0.17%) ⬆️
unittests 73.87% <ø> (+1.03%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 610 files with indirect coverage changes

@merlimat merlimat merged commit fad6761 into apache:master Oct 3, 2024
64 of 66 checks passed
merlimat pushed a commit that referenced this pull request Oct 3, 2024
@lhotari @merlimat
[fix][sec] Upgrade Avro to 1.11.4 to address CVE-2024-47561 (#23394)
d4aa14d
merlimat pushed a commit that referenced this pull request Oct 3, 2024
@lhotari @merlimat
[fix][sec] Upgrade Avro to 1.11.4 to address CVE-2024-47561 (#23394)
1d2fc73
lhotari added a commit that referenced this pull request Oct 4, 2024
@lhotari
[fix][sec] Upgrade Avro to 1.11.4 to address CVE-2024-47561 (#23394)
430a9e8 
(cherry picked from commit fad6761)
lhotari added a commit that referenced this pull request Oct 4, 2024
@lhotari
[fix][sec] Upgrade Avro to 1.11.4 to address CVE-2024-47561 (#23394)
265e987 
(cherry picked from commit fad6761)
lhotari added a commit that referenced this pull request Oct 4, 2024
@lhotari
[fix][sec] Upgrade Avro to 1.11.4 to address CVE-2024-47561 (#23394)
0b39f58 
(cherry picked from commit fad6761)
lhotari added a commit that referenced this pull request Oct 4, 2024
@lhotari
[fix][sec] Upgrade Avro to 1.11.4 to address CVE-2024-47561 (#23394)
fd7e0b4
nikhil-ctds pushed a commit to datastax/pulsar that referenced this pull request Oct 4, 2024
@lhotari @nikhil-ctds
[fix][sec] Upgrade Avro to 1.11.4 to address CVE-2024-47561 (apache#2…
2c9c897 
…3394)

(cherry picked from commit 1d2fc73)
nikhil-ctds pushed a commit to datastax/pulsar that referenced this pull request Oct 4, 2024
@lhotari @nikhil-ctds
[fix][sec] Upgrade Avro to 1.11.4 to address CVE-2024-47561 (apache#2…
f3ffeff 
…3394)

(cherry picked from commit 1d2fc73)
lhotari added a commit that referenced this pull request Oct 4, 2024
@lhotari
[fix][sec] Upgrade Avro to 1.11.4 to address CVE-2024-47561 (#23394)
8571e65
@lhotari lhotari added the cherry-picked/branch-2.9 Archived: 2.9 is end of life label Oct 4, 2024
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Oct 4, 2024
@lhotari @srinath-ctds
[fix][sec] Upgrade Avro to 1.11.4 to address CVE-2024-47561 (apache#2…
8ea3944 
…3394)

(cherry picked from commit 1d2fc73)
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Oct 4, 2024
@lhotari @srinath-ctds
[fix][sec] Upgrade Avro to 1.11.4 to address CVE-2024-47561 (apache#2…
dfa7ac2 
…3394)

(cherry picked from commit 1d2fc73)
lhotari added a commit that referenced this pull request Oct 8, 2024
@lhotari
[fix][sec] Upgrade Avro to 1.11.4 to address CVE-2024-47561 (#23394)
1be3793 
(cherry picked from commit 8571e65)
@lhotari lhotari added the cherry-picked/branch-2.8 Archived: 2.8 is end of life label Oct 8, 2024
nodece pushed a commit to ascentstream/pulsar that referenced this pull request Oct 10, 2024
@lhotari @nodece
[fix][sec] Upgrade Avro to 1.11.4 to address CVE-2024-47561 (apache#2…
a4ec7b0 
…3394)
narmathaansp pushed a commit to sajithsebastian/pulsar that referenced this pull request Oct 16, 2024
@lhotari
[fix][sec] Upgrade Avro to 1.11.4 to address CVE-2024-47561 (apache#2…
0ea2a53 
…3394)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michaeljmarshall michaeljmarshall michaeljmarshall approved these changes

@nicoloboschi nicoloboschi nicoloboschi approved these changes

@merlimat merlimat merlimat approved these changes

Assignees

@lhotari lhotari

Labels
area/security cherry-picked/branch-2.8 Archived: 2.8 is end of life cherry-picked/branch-2.9 Archived: 2.9 is end of life cherry-picked/branch-2.10 cherry-picked/branch-2.11 cherry-picked/branch-3.0 cherry-picked/branch-3.1 cherry-picked/branch-3.2 cherry-picked/branch-3.3 doc-not-needed Your PR changes do not impact docs ready-to-test release/blocker Indicate the PR or issue that should block the release until it gets resolved release/3.0.7 release/3.3.2
Projects
None yet
Milestone
4.0.0
Development

Successfully merging this pull request may close these issues.
5 participants
@lhotari @codecov-commenter @merlimat @nicoloboschi @michaeljmarshall