Upgrade accumulo to 1.10.1 to fix CVE-2020-17533

namya28 · tdcmeehan · commit 892ad684d9c1 · 2025-01-30T15:26:05.000-05:00
Upgrade the accumulo version from 1.7.4 to 1.10.1 to address a security vulnerability (CVE-2020-17533). The affected library, accumulo-master, is a transitive dependency in Presto, coming from accumulo-minicluster.
diff --git a/pom.xml b/pom.xml
@@ -1446,7 +1446,7 @@
             <dependency>
                 <groupId>org.apache.thrift</groupId>
                 <artifactId>libthrift</artifactId>
-                <version>0.9.3</version>
+                <version>0.9.3-1</version>
                 <exclusions>
                     <exclusion>
                         <groupId>org.apache.httpcomponents</groupId>
diff --git a/presto-accumulo/pom.xml b/presto-accumulo/pom.xml
@@ -14,7 +14,7 @@
 
     <properties>
         <air.main.basedir>${project.parent.basedir}</air.main.basedir>
-        <dep.accumulo.version>1.7.4</dep.accumulo.version>
+        <dep.accumulo.version>1.10.1</dep.accumulo.version>
         <dep.curator.version>2.12.0</dep.curator.version>
         <dep.reload4j.version>1.2.18.3</dep.reload4j.version>
     </properties>
@@ -226,7 +226,7 @@
         <dependency>
             <groupId>commons-lang</groupId>
             <artifactId>commons-lang</artifactId>
-            <version>2.4</version>
+            <version>2.6</version>
         </dependency>
 
         <dependency>
