
Upgrade accumulo to 1.10.1 to fix CVE-2020-17533 #24438

Merged (1 commit) Jan 30, 2025

Conversation

namya28
Contributor

@namya28 namya28 commented Jan 27, 2025

Description

This PR is for fixing the security vulnerability for accumulo. The version has been upgraded to 1.10.1 from the version 1.7.4 as the version 1.7.4 had a security vulnerability. This fixes CVE-2020-17533.

Motivation and Context

Impact

Test Plan

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes

* Upgrade the accumulo version to 1.10.1 in response to `CVE-2020-17533 <https://github.com/advisories/GHSA-grc3-8q8m-4j7c>`_. :pr:`24438`

@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Jan 27, 2025
@steveburnett
Contributor

Thanks for the release note! Suggest adding the CVE that prompted the work, following the example in Phrasing in the Release Notes Guidelines.

== RELEASE NOTES ==

Security Changes

* Upgrade the accumulo-core version to 1.10.1 in response to `CVE-2020-17533 <https://github.com/advisories/GHSA-grc3-8q8m-4j7c>`_. :pr:`24438`

@namya28 namya28 marked this pull request as ready for review January 27, 2025 17:59
@namya28 namya28 requested a review from a team as a code owner January 27, 2025 17:59
@namya28 namya28 requested a review from presto-oss January 27, 2025 17:59
Member

@imjalpreet imjalpreet left a comment


@namya28 Thanks for the fix! Could you confirm whether the CVE actually affects accumulo-core? From what I see, CVE-2020-17533 specifically impacts accumulo-master. In Presto, it might be present in accumulo-minicluster due to its dependency on accumulo-master, but I don’t believe it is directly related to accumulo-core.

If that’s the case, we should update the PR title and commit messages accordingly. Let me know if I missed anything.
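As an added check (example code, not part of this PR or of Presto's code base): a small parser over `mvn dependency:tree` text output that reports every path through which a version of a given artifact below the fixed version is pulled in, so a reviewer can confirm that accumulo-master is reached only transitively via accumulo-minicluster and that the bump clears it. The dependency tree below is constructed for illustration; the root module name is a placeholder.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not real Presto output);
# it mirrors the situation in the PR: accumulo-master is not a direct
# dependency but is pulled in transitively by accumulo-minicluster.
SAMPLE_TREE = """\
[INFO] com.example:example-connector:jar:0.0.0-EXAMPLE
[INFO] +- org.apache.accumulo:accumulo-core:jar:1.7.4:compile
[INFO] +- org.apache.accumulo:accumulo-minicluster:jar:1.7.4:test
[INFO] |  \\- org.apache.accumulo:accumulo-master:jar:1.7.4:test
[INFO] \\- org.example:unrelated-lib:jar:2.0:compile
"""

LINE_RE = re.compile(r"^\[INFO\] ([| +\\-]*)(\S+)$")

def version_key(version):
    """Numeric version key: plain string comparison would rank 1.10.1 below 1.7.4."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def parse_coord(coord):
    """Return (groupId, artifactId, version) from a Maven coordinate string."""
    parts = coord.split(":")
    # group:artifact:type:version[:scope] or group:artifact:type:classifier:version:scope
    version = parts[4] if len(parts) == 6 else parts[3]
    return parts[0], parts[1], version

def find_vulnerable(tree_text, group, artifact, fixed_version):
    """List every dependency path ending in group:artifact with version < fixed_version."""
    findings = []
    stack = []  # coordinates from the root module down to the current depth
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group(1)) // 3  # each tree level is three characters wide
        coord = m.group(2)
        del stack[depth:]  # pop back to the parent of this line
        stack.append(coord)
        g, a, v = parse_coord(coord)
        if (g, a) == (group, artifact) and version_key(v) < version_key(fixed_version):
            findings.append({"version": v, "path": list(stack)})
    return findings

if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_TREE, "org.apache.accumulo", "accumulo-master", "1.10.1"):
        print(f["version"], "via", " -> ".join(f["path"]))
```

Run it against the real tree with `mvn dependency:tree -Dincludes=org.apache.accumulo` piped to a file; an empty result for accumulo-master after the upgrade is the expected state.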

@namya28 namya28 changed the title from "Security Vulnerability fix for accumulo-core (CVE-2020-17533)" to "Security Vulnerability fix for accumulo-master (CVE-2020-17533)" Jan 30, 2025
@namya28 namya28 requested a review from imjalpreet January 30, 2025 11:42
Member

@imjalpreet imjalpreet left a comment


@namya28 Thanks, I think the commit message below would be better:

Upgrade Accumulo to 1.10.1 to fix CVE-2020-17533

Upgrade the Accumulo version from 1.7.4 to 1.10.1 to address a security vulnerability (CVE-2020-17533). The affected library, accumulo-master, is a transitive dependency in Presto, coming from accumulo-minicluster.

The commit description will give more context to the fix.

@namya28 namya28 changed the title from "Security Vulnerability fix for accumulo-master (CVE-2020-17533)" to "Upgrade accumulo to 1.10.1 to fix CVE-2020-17533" Jan 30, 2025
@namya28
Contributor Author

namya28 commented Jan 30, 2025

Thanks for the suggestion @imjalpreet. I have made the changes, rebased and pushed my changes again.

Upgrade the accumulo version from 1.7.4 to 1.10.1 to address a security vulnerability (CVE-2020-17533). The affected library, accumulo-master, is a transitive dependency in Presto, coming from accumulo-minicluster.
Member

@imjalpreet imjalpreet left a comment


LGTM, thanks!

@imjalpreet
Member

@tdcmeehan another PR which is ready for final review. Please take a look whenever you get a chance, thanks!

@tdcmeehan tdcmeehan merged commit 892ad68 into prestodb:master Jan 30, 2025
54 checks passed