Upgrade the Guava version #23731
base: master
The committers listed above are authorized under a signed CLA.
@ShahimSharafudeen Please sign a CLA, it's needed for the first PR - https://github.com/prestodb/presto/blob/master/CONTRIBUTING.md#contributing-to-presto
Please fix the release note entry section - delete the first block, change the NO RELEASE NOTES heading, and specify the upgraded version.
The current version 32.1.0-jre is not affected by CVE-2020-8908 or CVE-2023-2976. What CVE does 33.1.0-jre solve?
@agrawalreetika Done.
@steveburnett Updated.
Description
CVE-2020-8908 CVE-2023-2976
Security fix for Guava
vulnerable version : 26.0-jre
Fixed version : 32.0.1
Motivation and Context
Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Impact
NA
Test Plan
Build succeeded.
Contributor checklist
Release Notes