-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix for CVE-2024-36124 . Upgrading snappy version to 0.5. #7
Conversation
@imjalpreet could you please help review this PR. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@namya28 thanks for the fix, LGTM.
Before we merge, could you please try to use the updated presto-hive-dwrf
dependency in Presto via JitPack and see if we can get a green CI run?
@@ -94,7 +94,7 @@ | |||
<dependency> | |||
<groupId>org.iq80.snappy</groupId> | |||
<artifactId>snappy</artifactId> | |||
<version>0.2</version> | |||
<version>0.5</version> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@namya28 I see 0.5 also has CVEs? https://mvnrepository.com/artifact/org.iq80.snappy/snappy/0.5
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see all the vulnerabilities are in the dependency snappy-java
(https://mvnrepository.com/artifact/org.xerial.snappy/snappy-java/1.1.8.4) with test
scope, so they won't be included in the snappy jar Presto is using. We should be fine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But then in the existing version as well it looks to me in test dependencies only. Anything I am missing here?
https://mvnrepository.com/artifact/org.iq80.snappy/snappy/0.2
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nut looks like on top it mentions until 0.4 there is one direct CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36124
Which doesn't seem to appear in - 0.5
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, <=0.4 had a direct vulnerability in Snappy not coming from any dependencies in addition to the vulnerabilities coming from test dependencies.
Hi @tdcmeehan , could you please help getting this PR merged. |
This PR is for upgrading the snappy version from 0.2 to 0.5 as the version 0.2 has a security vulnerability. Upgrading this version to 0.5 fixes the CVE-2024-36124.