Re: Critical/High impact vulnerabilities in 5.1.x branch

2024-02-20 Thread Viraj Jasani
5.2 release branch is created. Please feel free to build the artifacts for the local testing purpose. We should likely have 5.2.0 release in about a week’s time. On Mon, Feb 19, 2024 at 9:40 PM Istvan Toth wrote: > While that may be true for Jackson, it generally is not true for all >

Re: Critical/High impact vulnerabilities in 5.1.x branch

2024-02-19 Thread Istvan Toth
While that may be true for Jackson, it generally is not true for all components. Replacing dependencies is sometimes really as simple as a version update, and sometimes requires extensive code modifications, or re-vamping the dependencies. AFAICT the current de facto policy of the Apache HBase

Re: Critical/High impact vulnerabilities in 5.1.x branch

2024-02-19 Thread Mateusz Gajewski
In Trino we have our own patched Hadoop library (3.3.5 based) but we are slowly removing dependencies on Hadoop from the codebase (it's pretty isolated already). As for the HBase - if Phoenix is shading HBase, for the end user (like Trino) the CVEs are coming from Phoenix, not HBase. Can you

Re: Critical/High impact vulnerabilities in 5.1.x branch

2024-02-19 Thread Istvan Toth
Thanks, Mateusz. The vast majority of these are coming from either HBase or Hadoop. (We always do a CVE pass on the direct Phoenix dependencies before release) Unfortunately, Hadoop is generally not binary compatible between minor releases, so using a newer Hadoop minor release than the default

Re: Critical/High impact vulnerabilities in 5.1.x branch

2024-02-19 Thread Mateusz Gajewski
Rendered: https://github.com/trinodb/trino/pull/20739#issuecomment-1952114587 On Mon, Feb 19, 2024 at 10:43 AM Mateusz Gajewski < mateusz.gajew...@starburstdata.com> wrote: > Yeah, attachment was sent but not delivered. > > Inline version > > "avro" "1.7.7" "java-archive" "CVE-2023-39410"

Re: Critical/High impact vulnerabilities in 5.1.x branch

2024-02-19 Thread Mateusz Gajewski
Yeah, attachment was sent but not delivered. Inline version "avro" "1.7.7" "java-archive" "CVE-2023-39410" "High" "When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue

Re: Critical/High impact vulnerabilities in 5.1.x branch

2024-02-19 Thread Istvan Toth
Hi, I can't see an attachment on this email. Istvan On Sun, Feb 18, 2024 at 6:02 PM Mateusz Gajewski < mateusz.gajew...@starburstdata.com> wrote: > Hi Phoenix team, > > I've built and tested upcoming 5.1.4 version by building it from the 5.1 > branch (5.1.3-124-gb6ca402f9) and would like to

Critical/High impact vulnerabilities in 5.1.x branch

2024-02-18 Thread Mateusz Gajewski
Hi Phoenix team, I've built and tested upcoming 5.1.4 version by building it from the 5.1 branch (5.1.3-124-gb6ca402f9) and would like to ask to address several CVEs before releasing 5.1.4. Phoenix integration in Trino ( https://github.com/trinodb/trino) is one of two connectors with really high