Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GH-44770: [Java] Update minor protobuf version to avoid CVE-2024-7254 #44775

Merged
merged 1 commit into from
Nov 18, 2024
Merged

GH-44770: [Java] Update minor protobuf version to avoid CVE-2024-7254 #44775

merged 1 commit into from
Nov 18, 2024

Conversation

raulcd
Copy link
Member

@raulcd raulcd commented Nov 18, 2024
edited by github-actions bot
Loading

Rationale for this change

There seems to be a CVE affecting our current dependency:
GHSA-735f-pc8j-v9w8

What changes are included in this PR?

Update to latest minor which solves the issue.

Are these changes tested?

Via CI

Are there any user-facing changes?

No

@github-actions GitHub Actions
Copy link

⚠️ GitHub issue #44770 has been automatically assigned in GitHub to PR creator.

@raulcd
Copy link
Member Author

raulcd commented Nov 18, 2024

@github-actions crossbow submit -g java

@github-actions github-actions bot added the awaiting committer review Awaiting committer review label Nov 18, 2024
@github-actions GitHub Actions
Copy link

Revision: ad603bc

Submitted crossbow builds: ursacomputing/crossbow @ actions-a223b3698c

Task Status
java-jars GitHub Actions
test-conda-python-3.11-spark-master GitHub Actions
verify-rc-source-java-linux-almalinux-8-amd64 GitHub Actions
verify-rc-source-java-linux-conda-latest-amd64 GitHub Actions
verify-rc-source-java-linux-ubuntu-20.04-amd64 GitHub Actions
verify-rc-source-java-linux-ubuntu-22.04-amd64 GitHub Actions
verify-rc-source-java-macos-amd64 GitHub Actions

@raulcd
Copy link
Member Author

raulcd commented Nov 18, 2024

Not related with this PR but I saw we seem to be using a pretty old bundled version on C++, see:

arrow/cpp/thirdparty/versions.txt

Lines 95 to 96 in 00de992

ARROW_PROTOBUF_BUILD_VERSION=v21.3
ARROW_PROTOBUF_BUILD_SHA256_CHECKSUM=2f723218f6cb709ae4cdc4fb5ed56a5951fc5d466f0128ce4c946b8c78c8c49f

What is our policy for updating those dependencies? Do we have any? Should we update it? cc @kou

@raulcd raulcd marked this pull request as ready for review November 18, 2024 17:43
@lidavidm
Copy link
Member

We can update the bundled version.

@github-actions github-actions bot added awaiting merge Awaiting merge and removed awaiting committer review Awaiting committer review labels Nov 18, 2024
@lidavidm lidavidm merged commit ea8b1d3 into apache:main Nov 18, 2024
16 checks passed
@lidavidm lidavidm removed the awaiting merge Awaiting merge label Nov 18, 2024
@lidavidm lidavidm mentioned this pull request Nov 18, 2024
Closed
@kou
Copy link
Member

kou commented Nov 18, 2024

We don't have our update policy. But we should keep updating dependencies as much as possible for performance and security.

@conbench-apache-arrow conbench-apache-arrow
Copy link

After merging your PR, Conbench analyzed the 3 benchmarking runs that have been run so far on merge-commit ea8b1d3.

There were no benchmark performance regressions. 🎉

The full Conbench report has more details. It also includes information about 23 possible false positives for unstable benchmarks that are known to sometimes produce them.

@raulcd raulcd mentioned this pull request Nov 19, 2024
Open
@raulcd raulcd deleted the GH-44770 branch November 19, 2024 08:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lidavidm lidavidm lidavidm approved these changes

Assignees
No one assigned
Labels
Component: Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@raulcd @lidavidm @kou