Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix for CVE-2024-36124 . Upgrading snappy version to 0.5. #7

Merged
merged 1 commit into from
Jan 21, 2025

Conversation

namya28
Copy link
Contributor

@namya28 namya28 commented Jan 15, 2025

This PR is for upgrading the snappy version from 0.2 to 0.5 as the version 0.2 has a security vulnerability. Upgrading this version to 0.5 fixes the CVE-2024-36124.

@namya28
Copy link
Contributor Author

namya28 commented Jan 15, 2025

@imjalpreet could you please help review this PR.

Copy link
Member

@imjalpreet imjalpreet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@namya28 thanks for the fix, LGTM.

Before we merge, could you please try to use the updated presto-hive-dwrf dependency in Presto via JitPack and see if we can get a green CI run?

@@ -94,7 +94,7 @@
<dependency>
<groupId>org.iq80.snappy</groupId>
<artifactId>snappy</artifactId>
<version>0.2</version>
<version>0.5</version>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see all the vulnerabilities are in the dependency snappy-java (https://mvnrepository.com/artifact/org.xerial.snappy/snappy-java/1.1.8.4) with test scope, so they won't be included in the snappy jar Presto is using. We should be fine.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But then in the existing version as well it looks to me in test dependencies only. Anything I am missing here?
https://mvnrepository.com/artifact/org.iq80.snappy/snappy/0.2

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nut looks like on top it mentions until 0.4 there is one direct CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36124
Which doesn't seem to appear in - 0.5

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, <=0.4 had a direct vulnerability in Snappy not coming from any dependencies in addition to the vulnerabilities coming from test dependencies.

@namya28
Copy link
Contributor Author

namya28 commented Jan 20, 2025

Hi @tdcmeehan , could you please help getting this PR merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants