-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Backport 2.x] Bump up commons-compress to 1.26.1 to fix CVE #13068
Conversation
* Bump up commons-compress to 1.26.0 to fix CVE Signed-off-by: Aman Khare <amkhar@amazon.com> * Change log entry Signed-off-by: Aman Khare <amkhar@amazon.com> * Update ignoreMissingClasses Signed-off-by: Aman Khare <amkhar@amazon.com> * Update commons-codec and commons-lang3 dependencies also Signed-off-by: Aman Khare <amkhar@amazon.com> * Upgrade commons-codec to 1.16.1 Signed-off-by: Aman Khare <amkhar@amazon.com> * Add commons-io dependency in plugin-cli build.gradle Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com> * Revert "Update ignoreMissingClasses" This reverts commit d92fbda. Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com> * Adding SHA for commons-io-2.15.1.jar Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com> * adding license, notice files for commons-io Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com> * Add missing classes for thirdPartyAudit Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com> * Refactor Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com> * Test commit - to be reverted Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com> * Bump commons-compress to 1.26.1, tika to 2.9.1 Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com> * Remove Charsets class from exclusion list - not missing Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com> * Update tika to 2.9.2 Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com> * commons-io 2.16.0 Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com> * Refactor commons-io dependency mentions to avoid manual version setting/update Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com> --------- Signed-off-by: Aman Khare <amkhar@amazon.com> Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com> Co-authored-by: Aman Khare <amkhar@amazon.com> Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>
Compatibility status:Checks if related components are compatible with change 700c742 Incompatible componentsSkipped componentsCompatible componentsCompatible components: [https://github.com/opensearch-project/custom-codecs.git, https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/flow-framework.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/reporting.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/performance-analyzer.git] |
❕ Gradle check result for 700c742: UNSTABLE
Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## 2.x #13068 +/- ##
============================================
- Coverage 71.28% 71.13% -0.16%
- Complexity 60145 60461 +316
============================================
Files 4957 4995 +38
Lines 282799 284821 +2022
Branches 41409 41617 +208
============================================
+ Hits 201591 202600 +1009
- Misses 64189 65085 +896
- Partials 17019 17136 +117 ☔ View full report in Codecov by Sentry. |
The backport to
To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/backport-2.13 2.13
# Navigate to the new working tree
pushd ../.worktrees/backport-2.13
# Create a new branch
git switch --create backport/backport-13068-to-2.13
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 c658ad75486e55cdc251ad21225e7fa592c36b98
# Push it to GitHub
git push --set-upstream origin backport/backport-13068-to-2.13
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/backport-2.13 Then, create a pull request where the |
@peternied any reason for adding 2.13 backport label? We already released 2.13 so this change will only go to 2.x (2.14 to be cut in future), right? |
Security fixes can still be backported to 2.13 release branch so it gets picked up if we decide to do 2.13.1 release but we are not planning to release 2.13.1 at this point in time. We always try to be ready for a possible patch version release once a minor is released. |
Ohh okay, let me raise a manual backport then since the trigger-bot could not fix in conflicts. |
@sandeshkr419 @bbarani We've gotten a report about CVE [1] present in 2.13.0. It looks like there has been back and forth between the reporting agency and the library owner categorizing one of these issues as HIGH. I've created a manual backport [2] for 2.13 so we are ready to pull the trigger on this fix to be included with the next patch release. |
Manual Backport #12627 to 2.x since auto-backport failed.
Description
Backports #12627 to
2.x
Related Issues
Resolves CVE-2024-26308
Resolves CVE-2024-25710
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.