Fix for CVE-2024-36124 . Upgrading snappy version to 0.5. #7
Conversation
|
@imjalpreet could you please help review this PR. |
There was a problem hiding this comment.
@namya28 thanks for the fix, LGTM.
Before we merge, could you please try to use the updated presto-hive-dwrf dependency in Presto via JitPack and see if we can get a green CI run?
| @@ -94,7 +94,7 @@ | |||
| <dependency> | |||
| <groupId>org.iq80.snappy</groupId> | |||
| <artifactId>snappy</artifactId> | |||
| <version>0.2</version> | |||
| <version>0.5</version> | |||
There was a problem hiding this comment.
@namya28 I see 0.5 also has CVEs? https://mvnrepository.com/artifact/org.iq80.snappy/snappy/0.5
There was a problem hiding this comment.
I see all the vulnerabilities are in the dependency snappy-java (https://mvnrepository.com/artifact/org.xerial.snappy/snappy-java/1.1.8.4) with test scope, so they won't be included in the snappy jar Presto is using. We should be fine.
There was a problem hiding this comment.
But then in the existing version as well it looks to me in test dependencies only. Anything I am missing here?
https://mvnrepository.com/artifact/org.iq80.snappy/snappy/0.2
There was a problem hiding this comment.
Nut looks like on top it mentions until 0.4 there is one direct CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36124
Which doesn't seem to appear in - 0.5
There was a problem hiding this comment.
Yes, <=0.4 had a direct vulnerability in Snappy not coming from any dependencies in addition to the vulnerabilities coming from test dependencies.
|
Hi @tdcmeehan , could you please help getting this PR merged. |
This PR is for upgrading the snappy version from 0.2 to 0.5 as the version 0.2 has a security vulnerability. Upgrading this version to 0.5 fixes the CVE-2024-36124.