
Upgrade the Guava version #23731

Open: wants to merge 1 commit into master

Conversation

ShahimSharafudeen

@ShahimSharafudeen ShahimSharafudeen commented Sep 26, 2024

Description

CVE-2020-8908 CVE-2023-2976
Security fix for Guava
vulnerable version : 26.0-jre
Fixed version : 32.0.1

Motivation and Context

Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Impact

NA

Test Plan

The build succeeded.

Contributor checklist

  • Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with their default values), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

== RELEASE NOTES ==
Security Changes
* Upgrade the Guava version to 33.1.0-jre :pr:`23731`
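To make the version claims in this PR checkable, here is an added example (not code from the PR or from Presto) that audits a Maven dependency tree for Guava artifacts and classifies each one using the ranges stated above: 1.0 through 31.1 affected by CVE-2020-8908 / CVE-2023-2976, fixed in 32.0.0, and 32.0.1 recommended because 32.0.0 breaks functionality on Windows. The dependency-tree lines are constructed sample input in `mvn dependency:tree` format.

```python
"""Audit Guava versions in a Maven dependency tree against the ranges
given in the PR description. Added example, not project code."""
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output (not from the PR).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- com.google.guava:guava:jar:26.0-jre:compile
[INFO] +- com.google.guava:guava:jar:32.0.0-jre:compile
[INFO] +- com.google.guava:guava:jar:32.0.1-jre:compile
[INFO] \\- com.google.guava:guava:jar:33.1.0-jre:compile
"""

# Matches the groupId:artifactId:type:version fields Maven prints; the
# optional -jre / -android classifier is stripped before comparison.
GUAVA_RE = re.compile(r"com\.google\.guava:guava:jar:([0-9.]+)(?:-(?:jre|android))?")

FIXED = (32, 0, 0)        # advisory: versions 1.0 to 31.1 affected, fixed in 32.0.0
RECOMMENDED = (32, 0, 1)  # 32.0.0 breaks some functionality under Windows


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '26.0' or '32.0.1' into a tuple that compares numerically."""
    return tuple(int(part) for part in text.split("."))


def classify(version: str) -> str:
    """Classify a bare Guava version string against the PR's ranges."""
    v = parse_version(version)
    if v < FIXED:
        return "VULNERABLE"                     # CVE-2020-8908 / CVE-2023-2976
    if v < RECOMMENDED:
        return "FIXED_BUT_WINDOWS_REGRESSION"  # 32.0.0 only
    return "OK"


def audit_tree(tree: str) -> List[Tuple[str, str]]:
    """Return (version, classification) for every Guava artifact found."""
    findings = []
    for line in tree.splitlines():
        match = GUAVA_RE.search(line)
        if match:
            findings.append((match.group(1), classify(match.group(1))))
    return findings


if __name__ == "__main__":
    for version, status in audit_tree(SAMPLE_TREE):
        print(f"guava {version}: {status}")
```

Pipe real `mvn dependency:tree` output into `audit_tree` to see which transitive Guava versions a build actually resolves, since a pom pin alone does not prove the old version is gone.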


linux-foundation-easycla bot commented Sep 26, 2024

CLA Signed

  • ✅login: ShahimSharafudeen / (c92621e)

The committers listed above are authorized under a signed CLA.

@ShahimSharafudeen ShahimSharafudeen marked this pull request as ready for review September 26, 2024 19:14
@ShahimSharafudeen ShahimSharafudeen requested a review from a team as a code owner September 26, 2024 19:14
@agrawalreetika
Member

@steveburnett
Contributor

Please fix the release note entry section - delete the first block, change the NO RELEASE NOTES heading, and specify the upgraded version.

== RELEASE NOTES ==

Security Changes
* Upgrade the Guava version to 33.1.0-jre :pr:`23731`

@denodo-research-labs
Contributor

The current version 32.1.0-jre is not affected by CVE-2020-8908 or CVE-2023-2976.

What CVE does 33.1.0-jre solve?

@ShahimSharafudeen
Author

ShahimSharafudeen commented Sep 30, 2024

Please fix the release note entry section - delete the first block, change the NO RELEASE NOTES heading, and specify the upgraded version.

== RELEASE NOTES ==

Security Changes
* Upgrade the Guava version to 33.1.0-jre :pr:`23731`

@steveburnett Updated.
