[BUG] Update aws-java-sdk-s3 to >1.12.261 #4161

Closed
chrisdudley opened this issue Aug 8, 2022 · 7 comments
Labels: Clients (Clients within the Core repository such as High level Rest client and low level client), CVE (Fixes a CVE), security (Anything security related)

Comments

@chrisdudley

opensearch 2.1.0 contains com.amazonaws_aws-java-sdk-s3 v1.11.749 which has this security advisory published for it: GHSA-c28r-hw5m-5gv3

CVE-2022-31159

Please can OS bump its use of that plugin to > 1.12.261 to pick up the fix?

chrisdudley added the bug and untriaged labels Aug 8, 2022
kartg added the security, Clients and CVE labels and removed the bug and untriaged labels Aug 8, 2022
@saratvemulapalli
Member

Looks like dependencies were upgraded in main by #4047.
I tried a backport to 2.x, looks like it fails. We could manually backport it.

@saratvemulapalli
Member

@kartg looks like a high sev CVE, can we get this to 2.2?

@kartg
Member

kartg commented Aug 8, 2022

@peterzhuamazon have we started building the 2.2 release yet? Or can we get this CVE fix in?

I'll work on the manual backport to 2.x in the meantime.

cc @CEHENKLE

@peterzhuamazon
Member

> @peterzhuamazon have we started building the 2.2 release yet? Or can we get this CVE fix in?
>
> I'll work on the manual backport to 2.x in the meantime.
>
> cc @CEHENKLE

@kartg we have seen some issues in PA/SQL Workbench now so you are safe to backport your change.

Thanks.

@kartg
Member

kartg commented Aug 8, 2022

Just confirming that we're pulling this upgrade into the 2.2 release. The AWS library has been upgraded to 1.12.270.

@chrisdudley
Author

Thank you!

@kartg
Member

kartg commented Aug 8, 2022

Closing this issue since the library upgrade was merged to the 2.2 branch with #4166.

kartg closed this as completed Aug 8, 2022