#76 fixed vulnerability CVE 2024 47561 in org.apache.avro avro (#78)
* Updated version to 2.0.11

* Updated dependencies

* Updated changes file
ckunki authored Oct 17, 2024
1 parent 5985eec commit 133b5bb
Showing 5 changed files with 125 additions and 118 deletions.
171 changes: 82 additions & 89 deletions dependencies.md


1 change: 1 addition & 0 deletions doc/changes/changelog.md


31 changes: 31 additions & 0 deletions doc/changes/changes_2.0.11.md
@@ -0,0 +1,31 @@
# Parquet for Java 2.0.11, released 2024-10-17

Code name: Fix CVE-2024-47561 in dependency

## Summary

This release fixes vulnerability CVE-2024-47561 by updating transitive dependency `org.apache.avro:avro` via `org.apache.hadoop:hadoop-client`.

## Security

* #76: Fixed vulnerability CVE-2024-47561 in `org.apache.avro:avro`

## Dependency Updates

### Compile Dependency Updates

* Updated `dnsjava:dnsjava:3.6.0` to `3.6.2`
* Removed `io.airlift:aircompressor:0.27`
* Updated `org.apache.avro:avro:1.11.3` to `1.12.0`
* Removed `org.apache.commons:commons-compress:1.26.2`
* Updated `org.apache.parquet:parquet-hadoop:1.14.1` to `1.14.3`
* Updated `org.scala-lang:scala-library:2.13.14` to `2.13.15`
* Removed `org.xerial.snappy:snappy-java:1.1.10.5`

### Test Dependency Updates

* Updated `nl.jqno.equalsverifier:equalsverifier:3.16.1` to `3.17.1`
* Updated `org.hamcrest:hamcrest:2.2` to `3.0`
* Updated `org.junit.jupiter:junit-jupiter:5.10.3` to `5.11.2`
* Updated `org.mockito:mockito-core:5.12.0` to `5.14.2`
* Updated `org.mockito:mockito-junit-jupiter:5.12.0` to `5.14.2`
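Review bot: The Summary wording "updating transitive dependency `org.apache.avro:avro` via `org.apache.hadoop:hadoop-client`" reads as if hadoop-client were bumped, whereas pom.xml in this same commit pins `org.apache.avro:avro` directly at 1.12.0; stating the pinned version in the Security entry (e.g. "Fixed CVE-2024-47561 by pinning `org.apache.avro:avro` to 1.12.0") would make the changelog match the pom. The three "Removed" entries under Compile Dependency Updates drop overrides that the removed pom comments tie to earlier CVE fixes (aircompressor, snappy-java, commons-compress); noting which transitive versions now resolve in their place would let readers confirm those fixes still hold after this release.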
2 changes: 1 addition & 1 deletion pk_generated_parent.pom


38 changes: 10 additions & 28 deletions pom.xml
Expand Up @@ -3,38 +3,26 @@
<modelVersion>4.0.0</modelVersion>
<groupId>com.exasol</groupId>
<artifactId>parquet-io-java</artifactId>
<version>2.0.10</version>
<version>2.0.11</version>
<name>Parquet for Java</name>
<description>This project provides a library that reads Parquet files into Java objects.</description>
<url>https://github.com/exasol/parquet-io-java/</url>
<parent>
<artifactId>parquet-io-java-generated-parent</artifactId>
<groupId>com.exasol</groupId>
<version>2.0.10</version>
<version>2.0.11</version>
<relativePath>pk_generated_parent.pom</relativePath>
</parent>
<properties>
<scala.version>2.13.14</scala.version>
<scala.version>2.13.15</scala.version>
<scala.compat.version>2.13</scala.compat.version>
<mockito.version>5.12.0</mockito.version>
<mockito.version>5.14.2</mockito.version>
</properties>
<dependencies>
<dependency>
<groupId>org.apache.parquet</groupId>
<artifactId>parquet-hadoop</artifactId>
<version>1.14.1</version>
</dependency>
<!-- Update transitive dependency of org.apache.parquet:parquet-hadoop to fix CVE-2024-36114 -->
<dependency>
<groupId>io.airlift</groupId>
<artifactId>aircompressor</artifactId>
<version>0.27</version>
</dependency>
<dependency>
<!-- Update transitive dependency of org.apache.parquet:parquet-hadoop to fix CVE-2023-34453, CVE-2023-34454, CVE-2023-34455, CVE-2023-43642 -->
<groupId>org.xerial.snappy</groupId>
<artifactId>snappy-java</artifactId>
<version>1.1.10.5</version>
<version>1.14.3</version>
</dependency>
<dependency>
<groupId>org.apache.hadoop</groupId>
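Review bot: Dropping the explicit `io.airlift:aircompressor:0.27` and `org.xerial.snappy:snappy-java:1.1.10.5` overrides, together with the comments recording that they were pinned for CVE-2024-36114 and CVE-2023-34453/34454/34455/43642, leaves the fixed versions dependent on whatever `parquet-hadoop:1.14.3` resolves transitively, which this hunk does not show. Please confirm with `mvn dependency:tree` that the resolved aircompressor and snappy-java versions are at or above the previously pinned ones, and consider carrying the CVE references over into a comment next to the `parquet-hadoop` dependency so the reason for its minimum version is not lost.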
Expand Down Expand Up @@ -133,13 +121,7 @@
<!-- Upgrade transitive dependency of org.apache.hadoop:hadoop-client to fix CVE-2023-39410 -->
<groupId>org.apache.avro</groupId>
<artifactId>avro</artifactId>
<version>1.11.3</version>
</dependency>
<dependency>
<!-- Upgrade transitive dependency of org.apache.avro:avro to fix CVE-2023-42503 -->
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.26.2</version>
<version>1.12.0</version>
</dependency>
<!-- Upgrade transitive dependency of org.apache.hadoop:hadoop-client to fix CVE-2024-29131 & CVE-2024-29133 -->
<dependency>
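Review bot: The comment above the `org.apache.avro:avro` override still reads "to fix CVE-2023-39410", while the commit title says the bump to 1.12.0 addresses CVE-2024-47561; please extend the comment to list both so the pin's purpose matches the changelog. Removing the `org.apache.commons:commons-compress:1.26.2` override (added for CVE-2023-42503 according to the removed comment) also means the commons-compress version now comes transitively from avro 1.12.0 or hadoop-client, which the hunk does not show; a `mvn dependency:tree` check that it resolves to 1.26.2 or later would close that gap.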
Expand All @@ -151,7 +133,7 @@
<dependency>
<groupId>dnsjava</groupId>
<artifactId>dnsjava</artifactId>
<version>3.6.0</version>
<version>3.6.2</version>
</dependency>
<dependency>
<groupId>org.scala-lang</groupId>
Expand All @@ -167,7 +149,7 @@
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter</artifactId>
<version>5.10.3</version>
<version>5.11.2</version>
<scope>test</scope>
</dependency>
<dependency>
Expand All @@ -185,7 +167,7 @@
<dependency>
<groupId>org.hamcrest</groupId>
<artifactId>hamcrest</artifactId>
<version>2.2</version>
<version>3.0</version>
<scope>test</scope>
</dependency>
<dependency>
Expand All @@ -197,7 +179,7 @@
<dependency>
<groupId>nl.jqno.equalsverifier</groupId>
<artifactId>equalsverifier</artifactId>
<version>3.16.1</version>
<version>3.17.1</version>
<scope>test</scope>
</dependency>
</dependencies>

0 comments on commit 133b5bb
