@LantaoJin (Member) commented Jul 18, 2025

Description

Fix CVE-2025-48924

opensearch-project/opensearch-build#5637

  • upgrade commons-lang3 to 3.18.0
  • remove commons-lang (introduced by net.hydromatic:aggdesigner-algorithm:6.0 which is not used in our code. aggdesigner is used when the schema contains Lattice entities)

Related Issues

Resolves #[Issue number to be closed when this PR is merged]

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • New functionality has javadoc added.
  • New functionality has a user manual doc added.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Lantao Jin <ltjin@amazon.com>
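As an added check that is not part of this PR or the project's build scripts, the script below scans the output of `./gradlew dependencies --configuration runtimeClasspath` for the two things the PR acts on: a commons-lang3 older than 3.18.0, and any commons-lang pulled in transitively (here via aggdesigner-algorithm). The sample trees, the `X.Y.Z` placeholder versions and the function names are constructed assumptions, not the project's real output.

```shell
#!/bin/sh
# Added check, not part of the PR: scan `./gradlew dependencies --configuration runtimeClasspath`
# output for what this PR acts on: commons-lang3 older than 3.18.0, and any commons-lang 2.x
# dragged in transitively (here via aggdesigner-algorithm).
FIXED_LANG3="3.18.0"
# 0 if dotted version $1 is older than $2 (numeric parts only; "3.18.0-rc1" compares as 3.18.0).
version_lt() {
  v1="$1." v2="$2."
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    p1="${v1%%.*}"; p1="${p1%%[!0-9]*}"; v1="${v1#*.}"
    p2="${v2%%.*}"; p2="${p2%%[!0-9]*}"; v2="${v2#*.}"
    [ "${p1:-0}" -lt "${p2:-0}" ] && return 0
    [ "${p1:-0}" -gt "${p2:-0}" ] && return 1
  done
  return 1
}
# Reads a Gradle dependency tree on stdin; prints one FINDING or OK line per distinct artifact.
# Gradle shows conflict resolution as "requested -> resolved"; the resolved version is what ships.
scan_tree() {
  grep -oE '(org\.apache\.commons:commons-lang3|commons-lang:commons-lang):[0-9][^ ]*( -> [0-9][^ ]*)?' |
  sort -u | while IFS= read -r dep; do
    case "$dep" in
      *" -> "*) coord="${dep%% -> *}"; resolved="${dep##* -> }" ;;
      *)        coord="$dep";          resolved="${dep##*:}" ;;
    esac
    module="${coord%:*}"
    if [ "$module" = "commons-lang:commons-lang" ]; then
      echo "FINDING $module:$resolved (commons-lang is to be excluded, not upgraded)"
    elif version_lt "$resolved" "$FIXED_LANG3"; then
      echo "FINDING $module:$resolved (older than $FIXED_LANG3)"
    else
      echo "OK $module:$resolved"
    fi
  done
}
count_findings() { printf '%s\n' "$1" | scan_tree | grep -c '^FINDING' || true; }
# Constructed sample trees (not the project's real output): before and after the fix.
TREE_BEFORE='+--- org.apache.commons:commons-lang3:3.17.0
+--- org.apache.calcite:calcite-core:X.Y.Z
|    \--- net.hydromatic:aggdesigner-algorithm:6.0
|         \--- commons-lang:commons-lang:2.4
\--- org.apache.commons:commons-text:X.Y.Z
     \--- org.apache.commons:commons-lang3:3.17.0 (*)'
TREE_AFTER='+--- org.apache.commons:commons-lang3:3.18.0
+--- net.hydromatic:aggdesigner-algorithm:6.0
\--- org.apache.commons:commons-text:X.Y.Z
     \--- org.apache.commons:commons-lang3:3.17.0 -> 3.18.0'
printf '%s\n' "$TREE_BEFORE" | scan_tree   # two FINDING lines; TREE_AFTER yields none
```

Pipe real `./gradlew dependencies` output into `scan_tree` to confirm the upgrade and the exclusion both took effect on every configuration you ship.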
qianheng-aws previously approved these changes Jul 18, 2025
@penghuo penghuo merged commit 96d0d14 into opensearch-project:main Jul 21, 2025
31 of 32 checks passed
@opensearch-trigger-bot (Contributor) commented:

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/sql/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/sql/backport-2.x
# Create a new branch
git switch --create backport/backport-3895-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 96d0d1434f7736f8e697722ec8ddd95122be7d2a
# Push it to GitHub
git push --set-upstream origin backport/backport-3895-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/sql/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-3895-to-2.x.

@opensearch-trigger-bot (Contributor) commented:

The backport to 2.19-dev failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/sql/backport-2.19-dev 2.19-dev
# Navigate to the new working tree
pushd ../.worktrees/sql/backport-2.19-dev
# Create a new branch
git switch --create backport/backport-3895-to-2.19-dev
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 96d0d1434f7736f8e697722ec8ddd95122be7d2a
# Push it to GitHub
git push --set-upstream origin backport/backport-3895-to-2.19-dev
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/sql/backport-2.19-dev

Then, create a pull request where the base branch is 2.19-dev and the compare/head branch is backport/backport-3895-to-2.19-dev.

LantaoJin added a commit to LantaoJin/search-plugins-sql that referenced this pull request Jul 22, 2025
)

* CVE-2025-48924: upgrade commons-lang3 to 3.18.0

Signed-off-by: Lantao Jin <ltjin@amazon.com>

* Exclude the dependency commons-lang

Signed-off-by: Lantao Jin <ltjin@amazon.com>

---------

Signed-off-by: Lantao Jin <ltjin@amazon.com>
(cherry picked from commit 96d0d14)
@LantaoJin LantaoJin added the backport-manually Filed a PR to backport manually. label Jul 22, 2025
penghuo pushed a commit that referenced this pull request Jul 22, 2025
* CVE-2025-48924: upgrade commons-lang3 to 3.18.0

* Exclude the dependency commons-lang

---------

(cherry picked from commit 96d0d14)

Signed-off-by: Lantao Jin <ltjin@amazon.com>
qianheng-aws pushed a commit that referenced this pull request Jul 28, 2025
#3902)

* [Backport 2.x] CVE-2025-48924: upgrade commons-lang3 to 3.18.0 (#3895)

Signed-off-by: Lantao Jin <ltjin@amazon.com>

* enforce resolutionStrategy to 3.18.0

Signed-off-by: Lantao Jin <ltjin@amazon.com>

---------

Signed-off-by: Lantao Jin <ltjin@amazon.com>
@gaiksaya (Member) commented:

Hi everyone,
Can we please backport to 2.19 branch? Looks like it is showing up there too

@gaiksaya (Member) commented:

Tried #4693, please see if it makes sense.

Labels: backport 2.x, backport 2.19-dev, backport-failed, backport-manually (Filed a PR to backport manually.), enhancement (New feature or request), security fix (Security fix generated by WhiteSource)