From eb9bcf90b130c340a1e186f89c95c949c9f8dc64 Mon Sep 17 00:00:00 2001 From: Automatic Dependency Updater Date: Tue, 19 Mar 2024 02:08:39 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=90=20Update=20dependencies=20to=20fix?= =?UTF-8?q?=20vulnerabilities?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- dependencies.md | 6 +- doc/changes/changelog.md | 1 + doc/changes/changes_2.7.11.md | 65 ++++++++++++++ doc/user_guide/user_guide.md | 20 ++--- pk_generated_parent.pom | 2 +- pom.xml | 154 ++++++++++++---------------------- 6 files changed, 135 insertions(+), 113 deletions(-) create mode 100644 doc/changes/changes_2.7.11.md diff --git a/dependencies.md b/dependencies.md index 52a4df34..9928e814 100644 --- a/dependencies.md +++ b/dependencies.md @@ -26,14 +26,14 @@ | [Alluxio Core - Client - HDFS][17] | [Apache License][18] | | [Metrics Core][19] | [Apache License 2.0][10] | | [Protocol Buffers [Core]][20] | [BSD-3-Clause][21] | -| [gcs-connector-hadoop3][22] | [Apache License, Version 2.0][5] | +| [gcs-connector][22] | [Apache License, Version 2.0][3] | | [Google OAuth Client Library for Java][23] | [The Apache Software License, Version 2.0][3] | | [ORC Core][24] | [Apache License, Version 2.0][3] | | [Apache Avro][25] | [Apache-2.0][3] | | [Apache Commons Compress][26] | [Apache-2.0][3] | | [Nimbus JOSE+JWT][27] | [The Apache Software License, Version 2.0][3] | | [delta-core][28] | [Apache-2.0][29] | -| [Spark Project SQL][30] | [Apache 2.0 License][31] | +| [Spark Project SQL][30] | [Apache-2.0][31] | | [Apache Ivy][32] | [The Apache Software License, Version 2.0][5] | | [Parquet for Java][33] | [MIT License][34] | | [JUL to SLF4J bridge][35] | [MIT License][36] | 
@@ -129,7 +129,7 @@ [19]: https://metrics.dropwizard.io/metrics-core [20]: https://developers.google.com/protocol-buffers/protobuf-java/ [21]: https://opensource.org/licenses/BSD-3-Clause -[22]: https://github.com/GoogleCloudPlatform/BigData-interop/gcs-connector/ +[22]: https://github.com/GoogleCloudDataproc/hadoop-connectors/gcs-connector [23]: https://github.com/googleapis/google-oauth-java-client/google-oauth-client [24]: https://orc.apache.org/orc-core [25]: https://avro.apache.org diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md index 4400e3a5..66d3ad2b 100644 --- a/doc/changes/changelog.md +++ b/doc/changes/changelog.md @@ -1,5 +1,6 @@ # Changes +* [2.7.11](changes_2.7.11.md) * [2.7.10](changes_2.7.10.md) * [2.7.9](changes_2.7.9.md) * [2.7.8](changes_2.7.8.md) diff --git a/doc/changes/changes_2.7.11.md b/doc/changes/changes_2.7.11.md new file mode 100644 index 00000000..93e43335 --- /dev/null +++ b/doc/changes/changes_2.7.11.md 
@@ -0,0 +1,65 @@
+# Cloud Storage Extension 2.7.11, released 2024-??-??
+
+Code name: Fixed vulnerability CVE-2024-23944 in org.apache.zookeeper:zookeeper:jar:3.9.1:compile
+
+## Summary
+
+This release fixes the following vulnerability:
+
+### CVE-2024-23944 (CWE-200) in dependency `org.apache.zookeeper:zookeeper:jar:3.9.1:compile`
+Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It's important to note that only the path is exposed by this vulnerability, not the data of znode, but since znode path can contain sensitive information like user name or login ID, this issue is potentially critical.
+
+Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.
+
+#### References
+* https://ossindex.sonatype.org/vulnerability/CVE-2024-23944?component-type=maven&component-name=org.apache.zookeeper%2Fzookeeper&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
+* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23944
+* https://github.com/advisories/GHSA-r978-9m6m-6gm6
+
+## Security
+
+* #300: Fixed vulnerability CVE-2024-23944 in dependency `org.apache.zookeeper:zookeeper:jar:3.9.1:compile`
+
+## Dependency Updates
+
+### Cloud Storage Extension
+
+#### Compile Dependency Updates
+
+* Updated `com.exasol:parquet-io-java:2.0.6` to `2.0.7`
+* Updated `com.google.cloud.bigdataoss:gcs-connector:1.9.4-hadoop3` to `3.0.0`
+* Updated `com.google.guava:guava:32.1.3-jre` to `33.1.0-jre`
+* Updated `com.google.oauth-client:google-oauth-client:1.34.1` to `1.35.0`
+* Updated `com.google.protobuf:protobuf-java:3.25.1` to `4.26.0`
+* Updated `io.dropwizard.metrics:metrics-core:4.2.23` to `4.2.25`
+* Updated `io.grpc:grpc-netty:1.60.0` to `1.62.2`
+* Updated `io.netty:netty-handler:4.1.101.Final` to `4.1.107.Final`
+* Updated `org.alluxio:alluxio-core-client-hdfs:300` to `311`
+* Updated `org.apache.commons:commons-compress:1.26.0` to `1.26.1`
+* Updated `org.apache.logging.log4j:log4j-1.2-api:2.22.0` to `2.23.1`
+* Updated `org.apache.logging.log4j:log4j-api:2.22.0` to `2.23.1`
+* Updated `org.apache.logging.log4j:log4j-core:2.22.0` to `2.23.1`
+* Updated `org.apache.orc:orc-core:1.9.2` to `2.0.0`
+* Updated `org.apache.spark:spark-sql_2.13:3.4.1` to `3.5.1`
+* Updated `org.apache.zookeeper:zookeeper:3.9.1` to `3.9.2`
+* Updated `org.jetbrains.kotlin:kotlin-stdlib:1.9.21` to `1.9.23`
+* Updated `org.scala-lang:scala-library:2.13.11` to `2.13.13`
+* Updated `org.slf4j:jul-to-slf4j:2.0.9` to `2.0.12`
+
+#### Runtime Dependency Updates
+
+* Updated `ch.qos.logback:logback-classic:1.2.13` to `1.5.3`
+* Updated `ch.qos.logback:logback-core:1.2.13` to `1.5.3`
+
+#### Test Dependency Updates
+
+* Updated 
`com.dimafeng:testcontainers-scala-scalatest_2.13:0.41.0` to `0.41.3` +* Updated `com.exasol:exasol-testcontainers:7.0.0` to `7.0.1` +* Updated `com.exasol:extension-manager-integration-test-java:0.5.7` to `0.5.8` +* Updated `com.exasol:hamcrest-resultset-matcher:1.6.3` to `1.6.5` +* Updated `com.exasol:test-db-builder-java:3.5.3` to `3.5.4` +* Updated `nl.jqno.equalsverifier:equalsverifier:3.15.4` to `3.15.8` +* Updated `org.glassfish.jersey.core:jersey-common:2.41` to `3.1.5` +* Updated `org.junit.jupiter:junit-jupiter-engine:5.10.1` to `5.10.2` +* Updated `org.mockito:mockito-core:5.8.0` to `5.11.0` +* Updated `org.testcontainers:localstack:1.19.3` to `1.19.7` diff --git a/doc/user_guide/user_guide.md b/doc/user_guide/user_guide.md index c3d6005b..d6fc965f 100644 --- a/doc/user_guide/user_guide.md +++ b/doc/user_guide/user_guide.md @@ -150,7 +150,7 @@ downloaded jar file is the same as the checksum provided in the releases. To check the SHA256 result of the local jar, run the command: ```sh -sha256sum exasol-cloud-storage-extension-2.7.10.jar +sha256sum exasol-cloud-storage-extension-2.7.11.jar ``` ### Building From Source @@ -180,7 +180,7 @@ mvn clean package -DskipTests=true ``` The assembled jar file should be located at -`target/exasol-cloud-storage-extension-2.7.10.jar`. +`target/exasol-cloud-storage-extension-2.7.11.jar`. ### Create an Exasol Bucket @@ -202,7 +202,7 @@ for the HTTP protocol. Upload the jar file using curl command: ```sh -curl -X PUT -T exasol-cloud-storage-extension-2.7.10.jar \ +curl -X PUT -T exasol-cloud-storage-extension-2.7.11.jar \ http://w:@exasol.datanode.domain.com:2580// ``` 
@@ -234,7 +234,7 @@ OPEN SCHEMA CLOUD_STORAGE_EXTENSION; CREATE OR REPLACE JAVA SET SCRIPT IMPORT_PATH(...) EMITS (...) AS %scriptclass com.exasol.cloudetl.scriptclasses.FilesImportQueryGenerator; - %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.10.jar; + %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.11.jar; / CREATE OR REPLACE JAVA SCALAR SCRIPT IMPORT_METADATA(...) EMITS ( @@ -244,12 +244,12 @@ CREATE OR REPLACE JAVA SCALAR SCRIPT IMPORT_METADATA(...) EMITS ( end_index DECIMAL(36, 0) ) AS %scriptclass com.exasol.cloudetl.scriptclasses.FilesMetadataReader; - %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.10.jar; + %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.11.jar; / CREATE OR REPLACE JAVA SET SCRIPT IMPORT_FILES(...) EMITS (...) AS %scriptclass com.exasol.cloudetl.scriptclasses.FilesDataImporter; - %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.10.jar; + %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.11.jar; / ``` @@ -268,12 +268,12 @@ OPEN SCHEMA CLOUD_STORAGE_EXTENSION; CREATE OR REPLACE JAVA SET SCRIPT EXPORT_PATH(...) EMITS (...) AS %scriptclass com.exasol.cloudetl.scriptclasses.TableExportQueryGenerator; - %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.10.jar; + %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.11.jar; / CREATE OR REPLACE JAVA SET SCRIPT EXPORT_TABLE(...) EMITS (ROWS_AFFECTED INT) AS %scriptclass com.exasol.cloudetl.scriptclasses.TableDataExporter; - %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.10.jar; + %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.11.jar; / ``` 
@@ -407,13 +407,13 @@ CREATE OR REPLACE JAVA SCALAR SCRIPT IMPORT_METADATA(...) EMITS ( ) AS %jvmoption -DHTTPS_PROXY=http://username:password@10.10.1.10:1180 %scriptclass com.exasol.cloudetl.scriptclasses.FilesMetadataReader; - %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.10.jar; + %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.11.jar; / CREATE OR REPLACE JAVA SET SCRIPT IMPORT_FILES(...) EMITS (...) AS %jvmoption -DHTTPS_PROXY=http://username:password@10.10.1.10:1180 %scriptclass com.exasol.cloudetl.scriptclasses.FilesDataImporter; - %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.10.jar; + %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.11.jar; / ``` diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom index 5d42a051..60d4a465 100644 --- a/pk_generated_parent.pom +++ b/pk_generated_parent.pom @@ -3,7 +3,7 @@ 4.0.0 com.exasol cloud-storage-extension-generated-parent - 2.7.10 + 2.7.11 pom UTF-8 diff --git a/pom.xml b/pom.xml index 3412e66d..2692413b 100644 --- a/pom.xml +++ b/pom.xml @@ -1,29 +1,29 @@ 4.0.0 + + com.exasol + cloud-storage-extension-generated-parent + 2.7.11 + pk_generated_parent.pom + com.exasol cloud-storage-extension - 2.7.10 + 2.7.11 Cloud Storage Extension Exasol Cloud Storage Import And Export Extension https://github.com/exasol/cloud-storage-extension/ - - cloud-storage-extension-generated-parent - com.exasol - 2.7.10 - pk_generated_parent.pom - - 2.13.11 + src/test/,extension/src 2.13 - 3.3.6 - 2.22.0 - 1.2.13 + extension/coverage/lcov.info + 2.23.1 src/main/,extension/src/ - extension/src/*.test.ts - src/test/,extension/src src/test/,*.test.ts - extension/coverage/lcov.info + 2.13.13 + 1.5.3 + 3.3.6 + extension/src/*.test.ts @@ -39,19 +39,17 @@ com.google.guava guava - 32.1.3-jre + 33.1.0-jre - io.grpc grpc-netty - 1.60.0 + 1.62.2 - io.netty netty-handler - 4.1.101.Final + 4.1.107.Final org.xerial.snappy 
@@ -118,14 +116,10 @@ jettison - - javax.ws.rs jsr311-api - - com.sun.jersey jersey-server @@ -158,12 +152,10 @@ commons-logging - org.slf4j slf4j-api - org.slf4j slf4j-reload4j @@ -175,20 +167,17 @@ ${hadoop.version} - org.apache.zookeeper zookeeper - 3.9.1 + 3.9.2 - ch.qos.logback logback-classic ${logback.version} runtime - ch.qos.logback logback-core ${logback.version} @@ -203,7 +192,6 @@ org.codehaus.jackson jackson-mapper-asl - org.apache.hadoop.thirdparty hadoop-shaded-guava @@ -237,12 +225,9 @@ jetty-server - - com.sun.jersey jersey-server - javax.servlet javax.servlet-api @@ -266,29 +251,25 @@ hadoop-hdfs-client ${hadoop.version} - com.fasterxml.jackson.core jackson-annotations - com.squareup.okio okio - org.jetbrains.kotlin kotlin-stdlib - 1.9.21 + 1.9.23 - org.alluxio alluxio-core-client-hdfs - 300 + 311 log4j @@ -327,11 +308,9 @@ grpc-core - com.rabbitmq amqp-client - javax.inject javax.inject @@ -373,36 +352,33 @@ io.dropwizard.metrics metrics-core - 4.2.23 + 4.2.25 com.google.protobuf protobuf-java - 3.25.1 + 4.26.0 com.google.cloud.bigdataoss gcs-connector - 1.9.4-hadoop3 + 3.0.0 - com.google.oauth-client google-oauth-client - 1.34.1 + 1.35.0 org.apache.orc orc-core - 1.9.2 + 2.0.0 - org.slf4j slf4j-api - org.apache.hadoop hadoop-client-api @@ -413,7 +389,6 @@ avro 1.11.3 - com.fasterxml.jackson.core jackson-core @@ -425,13 +400,11 @@ - org.apache.commons commons-compress - 1.26.0 + 1.26.1 - com.nimbusds nimbus-jose-jwt 9.37.3 @@ -444,8 +417,7 @@ org.apache.spark spark-sql_${scala.compat.version} - 3.4.1 - + 3.5.1 org.spark-project.spark @@ -463,7 +435,6 @@ org.apache.commons commons-compress - org.apache.hadoop hadoop-client-api @@ -483,7 +454,6 @@ - org.apache.ivy ivy 2.5.2 @@ -491,12 +461,12 @@ com.exasol parquet-io-java - 2.0.6 + 2.0.7 org.slf4j jul-to-slf4j - 2.0.9 + 2.0.12 org.apache.logging.log4j @@ -518,7 +488,6 @@ scala-logging_${scala.compat.version} 3.9.5 - org.scalatest scalatest_${scala.compat.version} 
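Review bot: The only change the CVE-2024-23944 fix requires is `zookeeper` `3.9.1` -> `3.9.2`, yet the `@@ -373` hunk also moves `protobuf-java` from `3.25.1` to `4.26.0` and `gcs-connector` from `1.9.4-hadoop3` to `3.0.0`, with `orc-core` `2.0.0`, `spark-sql` `3.5.1`, `logback` `1.5.3` and `jersey-common` `3.1.5` in neighbouring hunks, all of them major-version jumps unrelated to the advisory. Shipping several majors under a commit titled as a vulnerability fix hides the compatibility risk behind a security label and makes the one-line zookeeper bump impossible to backport or revert on its own, so I would split the majors into a separate, reviewed PR and keep this one to the zookeeper change. The protobuf 4.x line removed APIs that were only deprecated in 3.x, and whether Hadoop (the `hadoop.version` property stays at `3.3.6`), alluxio and the Spark 3.5 runtime still resolve cleanly against it is not visible from this patch, so if the bumps stay, `changes_2.7.11.md` should state that the integration tests were run against the new artifact set rather than listing them only as version updates.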
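Review bot: The `@@ -758` hunk drops the ossindex suppressions for `CVE-2023-33546` and `CVE-2020-36641` while leaving `CVE-2023-4586` suppressed, but `changes_2.7.11.md` records neither the removal nor the reason the remaining suppression is still valid; its Security section lists only CVE-2024-23944. If the two removed entries are now fixed by the upgraded artifacts they belong in the release notes as fixed, and if the scanner simply stopped reporting them that should be said so a later regression is recognised rather than re-suppressed. The retained entry appears to concern `netty-handler`, which this same patch bumps to `4.1.107.Final`, so the suppression should be re-checked against that version and carry an inline justification and re-check trigger next to it, e.g. `<!-- CVE-2023-4586: not fixed upstream; re-evaluate on every netty bump -->`; hedged, since the element tags are stripped in this rendering and such a comment may already exist.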
@@ -534,7 +503,7 @@ org.mockito mockito-core - 5.8.0 + 5.11.0 test @@ -546,43 +515,43 @@ com.dimafeng testcontainers-scala-scalatest_${scala.compat.version} - 0.41.0 + 0.41.3 test org.testcontainers localstack - 1.19.3 + 1.19.7 test com.exasol exasol-testcontainers - 7.0.0 + 7.0.1 test com.exasol test-db-builder-java - 3.5.3 + 3.5.4 test com.exasol hamcrest-resultset-matcher - 1.6.3 + 1.6.5 test nl.jqno.equalsverifier equalsverifier - 3.15.4 + 3.15.8 test org.junit.jupiter junit-jupiter-engine - 5.10.1 + 5.10.2 test @@ -594,14 +563,13 @@ com.exasol extension-manager-integration-test-java - 0.5.7 + 0.5.8 test - org.glassfish.jersey.core jersey-common - 2.41 + 3.1.5 test @@ -681,10 +649,6 @@ org.scalatest scalatest-maven-plugin 2.2.0 - - . - -Djava.util.logging.config.file=src/test/resources/logging.properties --add-exports java.base/sun.nio.ch=ALL-UNNAMED ${argLine} - test @@ -710,9 +674,12 @@ + + . + -Djava.util.logging.config.file=src/test/resources/logging.properties --add-exports java.base/sun.nio.ch=ALL-UNNAMED ${argLine} + - org.apache.maven.plugins maven-javadoc-plugin 3.6.3 @@ -725,7 +692,6 @@ - org.apache.maven.plugins maven-surefire-plugin @@ -738,7 +704,6 @@ - org.apache.maven.plugins maven-failsafe-plugin false @@ -746,7 +711,6 @@ - org.apache.maven.plugins maven-assembly-plugin exasol-${project.artifactId}-${project.version} @@ -758,16 +722,8 @@ ${ossindex.skip} - - - CVE-2023-33546 - - - CVE-2020-36641 - - CVE-2023-4586 @@ -822,6 +778,13 @@ org.scalastyle scalastyle-maven-plugin 1.0.0 + + + + check + + + false true @@ -833,6 +796,11 @@ ${project.build.directory}/scalastyle-output.xml UTF-8 + + + com.diffplug.spotless + spotless-maven-plugin + 2.41.0 @@ -840,11 +808,6 @@ - - - com.diffplug.spotless - spotless-maven-plugin - 2.41.0 @@ -852,13 +815,6 @@ - - - - check - - - io.github.evis