
fix CVE-2023-42503 by using Apache Commons Compress 1.24.0 #2560

Merged
merged 1 commit into from
Oct 20, 2023

Conversation

alwibrm

@alwibrm alwibrm commented Oct 19, 2023

Apache Commons Compress 1.22 is vulnerable to CVE-2023-42503. Fix by using version 1.24.0.

@github-actions github-actions bot added Java Pull Requests for Java binding build labels Oct 19, 2023
@KalleOlaviNiemitalo

The vulnerability reportedly affects only applications that use CompressorStreamFactory, TarArchiveInputStream, or TarFile. The Avro source code has never referenced any of those classes, so the vulnerability seems impossible to exploit via Avro.

No comment on whether this PR should be merged.
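As an added example (not the PR's own diff, which this page does not show), here is the shape of a Maven dependency pin for the upgraded artifact. The coordinates `org.apache.commons:commons-compress` are Apache Commons Compress's published Maven coordinates; placing the pin under `<dependencyManagement>` is an assumption about how a consuming project would force the version onto transitive uses, not a statement about what Avro's own pom does.

```xml
<!-- Added example, not from the Avro repository.
     Forces every transitive use of commons-compress in the build
     onto 1.24.0 instead of the 1.22 release affected by CVE-2023-42503. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-compress</artifactId>
      <!-- was: <version>1.22</version> -->
      <version>1.24.0</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After the change, `mvn dependency:tree -Dincludes=org.apache.commons:commons-compress` should list only 1.24.0; if an older version still shows up, some other path is pulling it in and the scanner alerts Fokko mentions below will keep firing. Separately from the version bump, the comment above gives the actual exposure condition: whether the application's own code (or a library it loads) reaches CompressorStreamFactory, TarArchiveInputStream or TarFile, which is worth confirming for any project that, unlike Avro, handles tar input.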


@Fokko Fokko left a comment


@alwibrm Thanks for raising this PR 👍

@KalleOlaviNiemitalo Thanks for tracking that down, that's very helpful. I think it is good to get this in any way to keep up to date. Also, probably people will get false positive CVE alerts if they have this dependency being pulled in.


@clesaec clesaec left a comment


👍

@clesaec

clesaec commented Oct 20, 2023

@alwibrm: Is there any JIRA associated with this PR? If not, could you create one? (Or I can do it if you want.)
(JIRA is useful to follow changes in the project.)

@alwibrm

alwibrm commented Oct 20, 2023

@clesaec I have not created a Jira issue for this. Yesterday I intended to do so and realized too late that there was a self service for registration. I would appreciate when you would create one, thank you very much.

@clesaec clesaec merged commit 369ae56 into apache:main Oct 20, 2023
14 checks passed
@clesaec

clesaec commented Oct 20, 2023

I created this JIRA and merged this PR.

@alwibrm alwibrm deleted the bug/fix-cve-2023-42503 branch October 20, 2023 12:29
RanbirK pushed a commit to RanbirK/avro that referenced this pull request May 13, 2024