Fix Fix CVE-2023-6378
kaklakariada committed Dec 4, 2023
1 parent dd3f4ef commit d107204
Showing 3 changed files with 97 additions and 63 deletions.
133 changes: 72 additions & 61 deletions dependencies.md

Some generated files are not rendered by default.

11 changes: 10 additions & 1 deletion doc/changes/changes_2.7.9.md
@@ -1,9 +1,13 @@
# Cloud Storage Extension 2.7.9, released 2023-??-??

Code name:
Code name: Fix CVE-2023-6378

## Summary

This release fixes vulnerability CVE-2023-6378 (CWE-502: Deserialization of Untrusted Data (7.1)) in the following dependencies:
* `ch.qos.logback:logback-classic:jar:1.2.10:compile`
* `ch.qos.logback:logback-core:jar:1.2.10:compile`

## Features

* ISSUE_NUMBER: description
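Review bot: two template placeholders survive right next to the new Summary: the heading still reads `released 2023-??-??` and the Features section still carries `* ISSUE_NUMBER: description`. If this release ships no features, drop that section rather than publish the placeholder. In the Summary itself, label the bare `(7.1)` so readers know what it measures (e.g. `CVSS 7.1`), and say where the vulnerable `1.2.10` artifacts come from (the pom.xml comment in this same commit attributes them to `org.apache.zookeeper:zookeeper`), so a reader of the changelog alone understands this is an override of a transitive dependency and not a direct use of logback by the extension.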
@@ -26,6 +30,11 @@ Code name:
* Updated `org.apache.orc:orc-core:1.9.1` to `1.9.2`
* Updated `org.jetbrains.kotlin:kotlin-stdlib:1.9.20` to `1.9.21`

#### Runtime Dependency Updates

* Added `ch.qos.logback:logback-classic:1.2.13`
* Added `ch.qos.logback:logback-core:1.2.13`

#### Test Dependency Updates

* Updated `com.exasol:exasol-testcontainers:6.6.3` to `7.0.0`
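Review bot: the two `Added ch.qos.logback:...:1.2.13` lines under Runtime Dependency Updates disagree with the Summary above, which says `1.2.10` was already present on the compile classpath; these are version overrides of an existing transitive dependency, not new dependencies. If the generated changelog format can only say "Added" for new direct declarations, then the Summary should spell out the relationship instead, e.g. "transitive `1.2.10` via `org.apache.zookeeper:zookeeper`, overridden to `1.2.13`", so the two sections tell the same story. The scopes also differ: the Summary lists the vulnerable artifacts as `compile`, the new declarations are `runtime`; state which classpath the fixed version actually lands on.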
16 changes: 15 additions & 1 deletion pom.xml
@@ -191,11 +191,25 @@
<version>${hadoop.version}</version>
</dependency>
<dependency>
<!-- override version 3.6.3 to fix vulnerability CVE-2023-42503 -->
<!-- Upgrade transitive dependency of org.apache.hadoop:hadoop-common from default version 3.6.3 to fix CVE-2023-42503 -->
<groupId>org.apache.zookeeper</groupId>
<artifactId>zookeeper</artifactId>
<version>3.9.1</version>
</dependency>
<dependency>
<!-- Upgrade transitive dependency of org.apache.zookeeper:zookeeper to fix CVE-2023-6378 -->
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>1.2.13</version>
<scope>runtime</scope>
</dependency>
<dependency>
<!-- Upgrade transitive dependency of org.apache.zookeeper:zookeeper to fix CVE-2023-6378 -->
<groupId>ch.qos.logback</groupId>
<artifactId>logback-core</artifactId>
<version>1.2.13</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-azure</artifactId>
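Review bot: the two new `<dependency>` blocks declare logback as direct runtime dependencies of the extension instead of managing the transitive version. A `<dependencyManagement>` entry would force `1.2.13` on every path that pulls logback in (zookeeper today, anything else tomorrow) without promoting it to a declared dependency that outlives a future zookeeper upgrade or removal, at which point the override silently becomes an unneeded dependency on the runtime classpath. If a direct declaration is intended, factor the duplicated `1.2.13` into a property such as `${logback.version}`, matching the existing `${hadoop.version}` convention a few lines above, so `logback-classic` and `logback-core` cannot drift apart (classic requires the matching core version). In either case, verify with `mvn dependency:tree -Dincludes=ch.qos.logback` that no other path still resolves `1.2.10`, and check whether `logback-classic` on the runtime classpath introduces a second SLF4J binding next to whatever logging backend the Hadoop artifacts already bring in.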

0 comments on commit d107204