Bump up commons-compress to 1.26.1 to fix CVE #12627
Conversation
❌ Gradle check result for 8c8a75f: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Signed-off-by: Sandesh Kumar <[email protected]>
❕ Gradle check result for 86977e8: UNSTABLE
Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.
Signed-off-by: Sandesh Kumar <[email protected]>
…ng/update Signed-off-by: Sandesh Kumar <[email protected]>
❕ Gradle check result for 9e3ce43: UNSTABLE
Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.
❕ Gradle check result for 54b8ef9: UNSTABLE
Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.
Changes are ready for review!
The backport to
To backport manually, run these commands in your terminal:
# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.x
# Create a new branch
git switch --create backport/backport-12627-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 c00e8631b42e0a12039b8f5796e5b54f429e2a1f
# Push it to GitHub
git push --set-upstream origin backport/backport-12627-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.x
Then, create a pull request where the
* Bump up commons-compress to 1.26.0 to fix CVE Signed-off-by: Aman Khare <[email protected]>
* Change log entry Signed-off-by: Aman Khare <[email protected]>
* Update ignoreMissingClasses Signed-off-by: Aman Khare <[email protected]>
* Update commons-codec and commons-lang3 dependencies also Signed-off-by: Aman Khare <[email protected]>
* Upgrade commons-codec to 1.16.1 Signed-off-by: Aman Khare <[email protected]>
* Add commons-io dependency in plugin-cli build.gradle Signed-off-by: Sandesh Kumar <[email protected]>
* Revert "Update ignoreMissingClasses" This reverts commit d92fbda. Signed-off-by: Sandesh Kumar <[email protected]>
* Adding SHA for commons-io-2.15.1.jar Signed-off-by: Sandesh Kumar <[email protected]>
* adding license, notice files for commons-io Signed-off-by: Sandesh Kumar <[email protected]>
* Add missing classes for thirdPartyAudit Signed-off-by: Sandesh Kumar <[email protected]>
* Refactor Signed-off-by: Sandesh Kumar <[email protected]>
* Test commit - to be reverted Signed-off-by: Sandesh Kumar <[email protected]>
* Bump commons-compress to 1.26.1, tika to 2.9.1 Signed-off-by: Sandesh Kumar <[email protected]>
* Remove Charsets class from exclusion list - not missing Signed-off-by: Sandesh Kumar <[email protected]>
* Update tika to 2.9.2 Signed-off-by: Sandesh Kumar <[email protected]>
* commons-io 2.16.0 Signed-off-by: Sandesh Kumar <[email protected]>
* Refactor commons-io dependency mentions to avoid manual version setting/update Signed-off-by: Sandesh Kumar <[email protected]>
---------
Signed-off-by: Aman Khare <[email protected]>
Signed-off-by: Sandesh Kumar <[email protected]>
Co-authored-by: Aman Khare <[email protected]>
Signed-off-by: Sandesh Kumar <[email protected]>

* Bump up commons-compress to 1.26.0 to fix CVE
* Change log entry
* Update ignoreMissingClasses
* Update commons-codec and commons-lang3 dependencies also
* Upgrade commons-codec to 1.16.1
* Add commons-io dependency in plugin-cli build.gradle
* Revert "Update ignoreMissingClasses" This reverts commit d92fbda.
* Adding SHA for commons-io-2.15.1.jar
* adding license, notice files for commons-io
* Add missing classes for thirdPartyAudit
* Refactor
* Test commit - to be reverted
* Bump commons-compress to 1.26.1, tika to 2.9.1
* Remove Charsets class from exclusion list - not missing
* Update tika to 2.9.2
* commons-io 2.16.0
* Refactor commons-io dependency mentions to avoid manual version setting/update
---------
Signed-off-by: Aman Khare <[email protected]>
Signed-off-by: Sandesh Kumar <[email protected]>
Co-authored-by: Aman Khare <[email protected]>

* Bump up commons-compress to 1.26.0 to fix CVE Signed-off-by: Aman Khare <[email protected]>
* Change log entry Signed-off-by: Aman Khare <[email protected]>
* Update ignoreMissingClasses Signed-off-by: Aman Khare <[email protected]>
* Update commons-codec and commons-lang3 dependencies also Signed-off-by: Aman Khare <[email protected]>
* Upgrade commons-codec to 1.16.1 Signed-off-by: Aman Khare <[email protected]>
* Add commons-io dependency in plugin-cli build.gradle Signed-off-by: Sandesh Kumar <[email protected]>
* Revert "Update ignoreMissingClasses" This reverts commit d92fbda. Signed-off-by: Sandesh Kumar <[email protected]>
* Adding SHA for commons-io-2.15.1.jar Signed-off-by: Sandesh Kumar <[email protected]>
* adding license, notice files for commons-io Signed-off-by: Sandesh Kumar <[email protected]>
* Add missing classes for thirdPartyAudit Signed-off-by: Sandesh Kumar <[email protected]>
* Refactor Signed-off-by: Sandesh Kumar <[email protected]>
* Test commit - to be reverted Signed-off-by: Sandesh Kumar <[email protected]>
* Bump commons-compress to 1.26.1, tika to 2.9.1 Signed-off-by: Sandesh Kumar <[email protected]>
* Remove Charsets class from exclusion list - not missing Signed-off-by: Sandesh Kumar <[email protected]>
* Update tika to 2.9.2 Signed-off-by: Sandesh Kumar <[email protected]>
* commons-io 2.16.0 Signed-off-by: Sandesh Kumar <[email protected]>
* Refactor commons-io dependency mentions to avoid manual version setting/update Signed-off-by: Sandesh Kumar <[email protected]>
---------
Signed-off-by: Aman Khare <[email protected]>
Signed-off-by: Sandesh Kumar <[email protected]>
Co-authored-by: Aman Khare <[email protected]>
Signed-off-by: Shivansh Arora <[email protected]>
The backport to
To backport manually, run these commands in your terminal:
# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-1.3 1.3
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-1.3
# Create a new branch
git switch --create backport/backport-12627-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 c00e8631b42e0a12039b8f5796e5b54f429e2a1f
# Push it to GitHub
git push --set-upstream origin backport/backport-12627-to-1.3
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-1.3
Then, create a pull request where the
Description
Follow-up on #12604, bump the commons-compress package to 1.26.1 to fix CVE:
https://nvd.nist.gov/vuln/detail/CVE-2024-26308 NVD / Published Date: 02/19/2024
https://nvd.nist.gov/vuln/detail/CVE-2024-25710 NVD / Published Date: 02/19/2024
Tika has been upgraded to the latest release since any previous release was failing with the required commons-compress upgrade. Also, other dependencies with ingest-attachment (with Tika) were upgraded to resolve minor future CVEs and test errors.
Related Issues
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
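As an added verification step (not part of this pull request or of the OpenSearch build), the following Python scans the output of a Gradle `dependencies` report and flags any commons-compress occurrence whose effective version is still below 1.26.1, the release this PR moves to for CVE-2024-26308 and CVE-2024-25710. The report text embedded below is constructed for illustration; in practice pipe in the real `./gradlew dependencies` output.

```python
import re

# Fixed version stated in the PR description for the two CVEs above.
FIXED_VERSION = (1, 26, 1)
ARTIFACT = "org.apache.commons:commons-compress"

# Matches one Gradle dependency-tree entry, e.g.
#   +--- org.apache.commons:commons-compress:1.24.0 -> 1.26.1
# capturing the requested version and, when Gradle resolved a conflict,
# the version actually selected after the "->".
_DEP_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<name>[\w.\-]+):(?P<requested>[\w.\-]+)"
    r"(?:\s*->\s*(?P<resolved>[\w.\-]+))?"
)

# Constructed sample report (not real OpenSearch output).
SAMPLE_TREE = """\
+--- org.apache.tika:tika-core:2.9.2
|    \\--- org.apache.commons:commons-compress:1.26.1
+--- org.apache.commons:commons-compress:1.24.0 -> 1.26.1
\\--- some.other:lib:1.0
     \\--- org.apache.commons:commons-compress:1.21
"""


def parse_version(version):
    """Turn '1.26.1' into (1, 26, 1); a non-numeric part counts as 0."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def find_vulnerable(tree_text, artifact=ARTIFACT, fixed=FIXED_VERSION):
    """Return the effective versions of `artifact` that are older than `fixed`.

    The effective version is the resolved one when Gradle printed a
    "requested -> resolved" arrow, otherwise the requested version.
    """
    vulnerable = []
    for line in tree_text.splitlines():
        match = _DEP_RE.search(line)
        if not match or f"{match['group']}:{match['name']}" != artifact:
            continue
        effective = match["resolved"] or match["requested"]
        if parse_version(effective) < fixed:
            vulnerable.append(effective)
    return vulnerable
```

Only the transitive `1.21` in the sample is reported; the `1.24.0 -> 1.26.1` entry is fine because Gradle resolved it to the fixed release.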