Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Backport 2.x] Bump up commons-compress to 1.26.1 to fix CVE #13068

Merged
merged 1 commit into from
Apr 3, 2024

Conversation

sandeshkr419
Copy link
Contributor

@sandeshkr419 sandeshkr419 commented Apr 3, 2024

Manual Backport #12627 to 2.x since auto-backport failed.


Description

Backports #12627 to 2.x

Related Issues

Resolves CVE-2024-26308
Resolves CVE-2024-25710

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Failing checks are inspected and point to the corresponding known issue(s) (See: Troubleshooting Failing Builds)
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)
  • Public documentation issue/PR created

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

* Bump up commons-compress to 1.26.0 to fix CVE

Signed-off-by: Aman Khare <amkhar@amazon.com>

* Change log entry

Signed-off-by: Aman Khare <amkhar@amazon.com>

* Update ignoreMissingClasses

Signed-off-by: Aman Khare <amkhar@amazon.com>

* Update commons-codec and commons-lang3 dependencies also

Signed-off-by: Aman Khare <amkhar@amazon.com>

* Upgrade commons-codec to 1.16.1

Signed-off-by: Aman Khare <amkhar@amazon.com>

* Add commons-io dependency in plugin-cli build.gradle

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* Revert "Update ignoreMissingClasses"

This reverts commit d92fbda.

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* Adding SHA for commons-io-2.15.1.jar

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* adding license, notice files for commons-io

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* Add missing classes for thirdPartyAudit

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* Refactor

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* Test commit - to be reverted

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* Bump commons-compress to 1.26.1, tika to 2.9.1

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* Remove Charsets class from exclusion list - not missing

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* Update tika to 2.9.2

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* commons-io 2.16.0

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

* Refactor commons-io dependency mentions to avoid manual version setting/update

Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>

---------

Signed-off-by: Aman Khare <amkhar@amazon.com>
Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>
Co-authored-by: Aman Khare <amkhar@amazon.com>
Signed-off-by: Sandesh Kumar <sandeshkr419@gmail.com>
@sandeshkr419 sandeshkr419 changed the title [Backport] Bump up commons-compress to 1.26.1 to fix CVE [Backport 2.x] Bump up commons-compress to 1.26.1 to fix CVE Apr 3, 2024
@sandeshkr419 sandeshkr419 self-assigned this Apr 3, 2024
@sandeshkr419 sandeshkr419 added backport PRs or issues specific to backporting features or enhancments CVE Fixes a CVE labels Apr 3, 2024
Copy link
Contributor

github-actions bot commented Apr 3, 2024

Compatibility status:

Checks if related components are compatible with change 700c742

Incompatible components

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/custom-codecs.git, https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/flow-framework.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/reporting.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/performance-analyzer.git]

Copy link
Contributor

github-actions bot commented Apr 3, 2024

❕ Gradle check result for 700c742: UNSTABLE

  • TEST FAILURES:
      1 org.opensearch.cluster.coordination.AwarenessAttributeDecommissionIT.testConcurrentDecommissionAction

Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.

Copy link

codecov bot commented Apr 3, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 71.13%. Comparing base (0dd892c) to head (700c742).
Report is 114 commits behind head on 2.x.

Additional details and impacted files
@@             Coverage Diff              @@
##                2.x   #13068      +/-   ##
============================================
- Coverage     71.28%   71.13%   -0.16%     
- Complexity    60145    60461     +316     
============================================
  Files          4957     4995      +38     
  Lines        282799   284821    +2022     
  Branches      41409    41617     +208     
============================================
+ Hits         201591   202600    +1009     
- Misses        64189    65085     +896     
- Partials      17019    17136     +117     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@kotwanikunal kotwanikunal merged commit c658ad7 into opensearch-project:2.x Apr 3, 2024
111 checks passed
@sandeshkr419 sandeshkr419 deleted the cve branch April 3, 2024 22:17
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.13 failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/backport-2.13 2.13
# Navigate to the new working tree
pushd ../.worktrees/backport-2.13
# Create a new branch
git switch --create backport/backport-13068-to-2.13
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 c658ad75486e55cdc251ad21225e7fa592c36b98
# Push it to GitHub
git push --set-upstream origin backport/backport-13068-to-2.13
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/backport-2.13

Then, create a pull request where the base branch is 2.13 and the compare/head branch is backport/backport-13068-to-2.13.

@sandeshkr419
Copy link
Contributor Author

@peternied any reason for adding 2.13 backport label? We already released 2.13 so this change will only go to 2.x (2.14 to be cut in future), right?

@bbarani @gaiksaya Any comments?

@bbarani
Copy link
Member

bbarani commented Apr 10, 2024

Security fixes can still be backported to 2.13 release branch so it gets picked up if we decide to do 2.13.1 release but we are not planning to release 2.13.1 at this point in time.

We always try to be ready for a possible patch version release once a minor is released.

@sandeshkr419
Copy link
Contributor Author

Ohh okay, let me raise a manual backport then since the trigger-bot could not fix in conflicts.

@peternied
Copy link
Member

peternied commented Apr 11, 2024

@sandeshkr419 @bbarani We've gotten a report about CVE [1] present in 2.13.0. It looks like there has been back and forth between the reporting agency and the library owner categorizing one of these issues as HIGH. I've created a manual backport [2] for 2.13 so we are ready to pull the trigger on this fix to be included with the next patch release.

FYI @kkhatua @cwperks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport PRs or issues specific to backporting features or enhancments backport 2.13 CVE Fixes a CVE
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants