From 753383fe1ccae5941a8e2f8227dd7830085b775d Mon Sep 17 00:00:00 2001
From: Maxim Lapan
Date: Wed, 25 Sep 2024 12:13:17 +0200
Subject: [PATCH 1/3] Update protobuf-java
---
 doc/changes/changelog.md | 1 +
 doc/changes/changes_2.8.3.md | 33 +++++++++++++++++++++++++++++++++
 doc/user_guide/user_guide.md | 20 ++++++++++----------
 pk_generated_parent.pom | 2 +-
 pom.xml | 14 ++++++++------
 5 files changed, 53 insertions(+), 17 deletions(-)
 create mode 100644 doc/changes/changes_2.8.3.md
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
index bafd6fd9..b811d7e3 100644
--- a/doc/changes/changelog.md
+++ b/doc/changes/changelog.md
@@ -1,5 +1,6 @@
 # Changes
+* [2.8.3](changes_2.8.3.md)
 * [2.8.2](changes_2.8.2.md)
 * [2.8.1](changes_2.8.1.md)
 * [2.8.0](changes_2.8.0.md)
diff --git a/doc/changes/changes_2.8.3.md b/doc/changes/changes_2.8.3.md
new file mode 100644
index 00000000..f0d9162f
--- /dev/null
+++ b/doc/changes/changes_2.8.3.md
@@ -0,0 +1,33 @@
+# Cloud Storage Extension 2.8.3, released 2024-09-25
+
+Code name: Fixed vulnerability CVE-2024-7254 in com.google.protobuf:protobuf-java:jar:3.19.6:test
+
+## Summary
+
+This release fixes the following vulnerability:
+
+### CVE-2024-7254 (CWE-20) in dependency `com.google.protobuf:protobuf-java:jar:3.19.6:test`
+Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
+
+#### References
+* https://ossindex.sonatype.org/vulnerability/CVE-2024-7254?component-type=maven&component-name=com.google.protobuf%2Fprotobuf-java&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
+* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-7254
+* https://github.com/advisories/GHSA-735f-pc8j-v9w8
+
+## Security
+
+* #324: CVE-2024-7254: com.google.protobuf:protobuf-java:jar:3.25.4:compile
+
+## Dependency Updates
+
+### Cloud Storage Extension
+
+#### Compile Dependency Updates
+
+* Removed `com.google.protobuf:protobuf-java:3.25.4`
+
+#### Test Dependency Updates
+
+* Updated `com.exasol:exasol-testcontainers:7.1.0` to `7.1.1`
+* Updated `com.exasol:hamcrest-resultset-matcher:1.6.5` to `1.7.0`
+* Updated `com.exasol:test-db-builder-java:3.5.4` to `3.6.0`
diff --git a/doc/user_guide/user_guide.md b/doc/user_guide/user_guide.md
index 37babec5..6f935c0b 100644
--- a/doc/user_guide/user_guide.md
+++ b/doc/user_guide/user_guide.md
@@ -150,7 +150,7 @@ downloaded jar file is the same as the checksum provided in the releases.
 To check the SHA256 result of the local jar, run the command:
 ```sh
-sha256sum exasol-cloud-storage-extension-2.8.2.jar
+sha256sum exasol-cloud-storage-extension-2.8.3.jar
 ```
 ### Building From Source
@@ -180,7 +180,7 @@ mvn clean package -DskipTests=true
 ```
 The assembled jar file should be located at
-`target/exasol-cloud-storage-extension-2.8.2.jar`.
+`target/exasol-cloud-storage-extension-2.8.3.jar`.
 ### Create an Exasol Bucket
@@ -202,7 +202,7 @@ for the HTTP protocol.
 Upload the jar file using curl command:
 ```sh
-curl -X PUT -T exasol-cloud-storage-extension-2.8.2.jar \
+curl -X PUT -T exasol-cloud-storage-extension-2.8.3.jar \
 http://w:@exasol.datanode.domain.com:2580//
 ```
@@ -234,7 +234,7 @@ OPEN SCHEMA CLOUD_STORAGE_EXTENSION;
 CREATE OR REPLACE JAVA SET SCRIPT IMPORT_PATH(...) EMITS (...) AS
 %scriptclass com.exasol.cloudetl.scriptclasses.FilesImportQueryGenerator;
- %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.8.2.jar;
+ %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.8.3.jar;
 /
 CREATE OR REPLACE JAVA SCALAR SCRIPT IMPORT_METADATA(...) EMITS (
@@ -244,12 +244,12 @@ CREATE OR REPLACE JAVA SCALAR SCRIPT IMPORT_METADATA(...) EMITS (
 end_index DECIMAL(36, 0)
 ) AS
 %scriptclass com.exasol.cloudetl.scriptclasses.FilesMetadataReader;
- %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.8.2.jar;
+ %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.8.3.jar;
 /
 CREATE OR REPLACE JAVA SET SCRIPT IMPORT_FILES(...) EMITS (...) AS
 %scriptclass com.exasol.cloudetl.scriptclasses.FilesDataImporter;
- %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.8.2.jar;
+ %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.8.3.jar;
 /
 ```
@@ -268,12 +268,12 @@ OPEN SCHEMA CLOUD_STORAGE_EXTENSION;
 CREATE OR REPLACE JAVA SET SCRIPT EXPORT_PATH(...) EMITS (...) AS
 %scriptclass com.exasol.cloudetl.scriptclasses.TableExportQueryGenerator;
- %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.8.2.jar;
+ %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.8.3.jar;
 /
 CREATE OR REPLACE JAVA SET SCRIPT EXPORT_TABLE(...) EMITS (ROWS_AFFECTED INT) AS
 %scriptclass com.exasol.cloudetl.scriptclasses.TableDataExporter;
- %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.8.2.jar;
+ %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.8.3.jar;
 /
 ```
@@ -407,13 +407,13 @@ CREATE OR REPLACE JAVA SCALAR SCRIPT IMPORT_METADATA(...) EMITS (
 ) AS
 %jvmoption -DHTTPS_PROXY=http://username:password@10.10.1.10:1180
 %scriptclass com.exasol.cloudetl.scriptclasses.FilesMetadataReader;
- %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.8.2.jar;
+ %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.8.3.jar;
 /
 CREATE OR REPLACE JAVA SET SCRIPT IMPORT_FILES(...) EMITS (...) AS
 %jvmoption -DHTTPS_PROXY=http://username:password@10.10.1.10:1180
 %scriptclass com.exasol.cloudetl.scriptclasses.FilesDataImporter;
- %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.8.2.jar;
+ %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.8.3.jar;
 /
 ```
diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom
index 4d0c1014..e9918bfb 100644
--- a/pk_generated_parent.pom
+++ b/pk_generated_parent.pom
@@ -3,7 +3,7 @@ 4.0.0 com.exasol cloud-storage-extension-generated-parent - 2.8.2 + 2.8.3 pom UTF-8
diff --git a/pom.xml b/pom.xml
index d739f80f..b175dd79 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3,14 +3,14 @@ 4.0.0 com.exasol cloud-storage-extension - 2.8.2 + 2.8.3 Cloud Storage Extension Exasol Cloud Storage Import And Export Extension https://github.com/exasol/cloud-storage-extension/ cloud-storage-extension-generated-parent com.exasol - 2.8.2 + 2.8.3 pk_generated_parent.pom
@@ -406,9 +406,11 @@ 4.2.26 + com.google.protobuf protobuf-java - 3.25.4 + 3.25.5 + provided com.google.cloud.bigdataoss
@@ -614,19 +616,19 @@ com.exasol exasol-testcontainers - 7.1.0 + 7.1.1 test com.exasol test-db-builder-java - 3.5.4 + 3.6.0 test com.exasol hamcrest-resultset-matcher - 1.6.5 + 1.7.0 test
From 7bcce84bb882e210852f8d526b9c6b5c5c353ebd Mon Sep 17 00:00:00 2001
From: Maxim Lapan
Date: Wed, 25 Sep 2024 12:52:16 +0200
Subject: [PATCH 2/3] Protobuf has to be compile dependency
---
 doc/changes/changes_2.8.3.md | 2 +-
 pom.xml | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/doc/changes/changes_2.8.3.md b/doc/changes/changes_2.8.3.md
index f0d9162f..dc51c93b 100644
--- a/doc/changes/changes_2.8.3.md
+++ b/doc/changes/changes_2.8.3.md
@@ -24,7 +24,7 @@ Any project that parses untrusted Protocol Buffers data containing an arbitrary
 #### Compile Dependency Updates
-* Removed `com.google.protobuf:protobuf-java:3.25.4`
+* Updated `com.google.protobuf:protobuf-java:3.25.4` to `3.25.5`
 #### Test Dependency Updates
diff --git a/pom.xml b/pom.xml
index b175dd79..19a9e18a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -410,7 +410,6 @@ com.google.protobuf protobuf-java 3.25.5 - provided com.google.cloud.bigdataoss
From e7c8df2240bf4578401a45aaf70147bd568bf6ba Mon Sep 17 00:00:00 2001
From: Maxim Lapan
Date: Thu, 26 Sep 2024 10:45:42 +0200
Subject: [PATCH 3/3] Update release date
---
 doc/changes/changes_2.8.3.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/changes/changes_2.8.3.md b/doc/changes/changes_2.8.3.md
index dc51c93b..1fa7b3ac 100644
--- a/doc/changes/changes_2.8.3.md
+++ b/doc/changes/changes_2.8.3.md
@@ -1,4 +1,4 @@
-# Cloud Storage Extension 2.8.3, released 2024-09-25
+# Cloud Storage Extension 2.8.3, released 2024-09-26
 Code name: Fixed vulnerability CVE-2024-7254 in com.google.protobuf:protobuf-java:jar:3.19.6:test
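Review bot: The direct protobuf-java declaration in the pom.xml hunk at line 406 moves from 3.25.4 to 3.25.5, yet the changes file added in the same series attributes CVE-2024-7254 to `com.google.protobuf:protobuf-java:jar:3.19.6:test`, and nothing in the visible pom hunks shows where that 3.19.6 copy is pulled in. A directly declared version takes precedence in Maven's nearest-wins mediation over a transitive one, so the test-scoped 3.19.6 copy is presumably overridden once the `provided` scope is dropped again in PATCH 2/3 (the 410 hunk), but that is inferred rather than visible here; confirm with `mvn dependency:tree -Dincludes=com.google.protobuf` that only 3.25.5 resolves in every scope, and consider making the changes file heading name the 3.25.4 → 3.25.5 update it actually documents. 3.25.5 is the patched 3.25.x release listed by GHSA-735f-pc8j-v9w8, which the changes file references, so the chosen version is the right one. The `<dependency>` element around the changed lines extends beyond the hunk and its XML tags have been stripped in this rendering, so the element boundaries cannot be checked from the text.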