Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CVEs about h2database #24001

Draft
wants to merge 10 commits into
base: master
Choose a base branch
from
Draft

Fix CVEs about h2database #24001

wants to merge 10 commits into from

Conversation

ShahimSharafudeen
Copy link
Contributor

Description

Fixes CVE-2022-23221 , CVE-2021-23463 and CVE-2021-42392 on com.h2database:h2.

Motivation and Context

Resolve a new CVE.

Impact

Should have no known impact to other code.

Test Plan

Regular PR GitHub actions

Contributor checklist

  • Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== NO RELEASE NOTE ==

@steveburnett
Copy link
Contributor

Consider a release note entry like the following:

== RELEASE NOTES ==

Security Changes
* Upgrade h2database to 2.2.220 in response to `CVE-2022-23221 <https://github.com/advisories/GHSA-45hx-wfhj-473x>`_, `CVE-2021-23463 <https://github.com/advisories/GHSA-7rpj-hg47-cx62>`_, and `CVE-2021-42392 <https://github.com/advisories/GHSA-h376-j262-vhq6>`_.  :pr:`24001`

pratyakshsharma
pratyakshsharma reviewed Nov 15, 2024
View reviewed changes
pom.xml Outdated
@@ -1180,7 +1180,7 @@
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<version>1.4.199</version>
<version>1.4.200</version>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let us know if you were able to figure out the root cause of the issue we discussed internally.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ya I found the issue. H2db version 1.4.200 only support the start date from "1890-09-30". If i am give above that this date then test cases will pass.
Reference link : h2database/h2database#2261
Currently i am trying to upgrade the version as 2.2.220, which has no vulnerabilities.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good find. :D

@pratyakshsharma
Copy link
Contributor

Hi @ShahimSharafudeen is this PR ready for review now? If so, please mark it as ready for review.

@ShahimSharafudeen
Copy link
Contributor Author

Hi @ShahimSharafudeen is this PR ready for review now? If so, please mark it as ready for review.

No. One more test failure scenario also needs to fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pratyakshsharma pratyakshsharma pratyakshsharma left review comments

@hantangwangd hantangwangd Awaiting requested review from hantangwangd hantangwangd will be requested when the pull request is marked ready for review hantangwangd is a code owner

@ZacBlanco ZacBlanco Awaiting requested review from ZacBlanco ZacBlanco will be requested when the pull request is marked ready for review ZacBlanco is a code owner

@jaystarshot jaystarshot Awaiting requested review from jaystarshot jaystarshot will be requested when the pull request is marked ready for review jaystarshot is a code owner

@feilong-liu feilong-liu Awaiting requested review from feilong-liu feilong-liu will be requested when the pull request is marked ready for review feilong-liu is a code owner

@elharo elharo Awaiting requested review from elharo elharo will be requested when the pull request is marked ready for review elharo is a code owner

@ClarenceThreepwood ClarenceThreepwood Awaiting requested review from ClarenceThreepwood ClarenceThreepwood will be requested when the pull request is marked ready for review ClarenceThreepwood is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ShahimSharafudeen @steveburnett @pratyakshsharma