Fix spring jar security vulnerabilities #24112

NivinCS · 2024-11-21T10:47:38Z

Description

Fixing OSS CVEs for critical, high, and medium transitive vulnerabilities in the benchto-driver jar originating from Spring JARs

Motivation and Context

CVE-2016-1000027
CVE-2018-1272
CVE-2022-22970
CVE-2024-22243
CVE-2024-22259
CVE-2021-22096
CVE-2024-8184
CVE-2024-6763
CVE-2021-22060
CVE-2024-22262
CVE-2021-22096
CVE-2023-20883
WS-2021-0170
CVE-2018-1199
CVE-2022-22965
CVE-2024-6763
CVE-2015-5211
CVE-2015-3192
CVE-2022-27772
CVE-2020-5421
CVE-2024-38809
CVE-2022-22970

Impact

Test Plan

Contributor checklist

Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
Documented new properties (with its default value), SQL syntax, functions, or other functionality.
If release notes are required, they follow the release notes guidelines.
Adequate tests were added if applicable.
CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==
Security Changes
* Fix for `CVE-2016-1000027 <https://www.mend.io/vulnerability-database/CVE-2016-1000027>`_. :pr:`24112`
* Fix for `CVE-2018-1272 <https://www.mend.io/vulnerability-database/CVE-2018-1272>`_. :pr:`24112`
* Fix for `CVE-2022-22970 <https://www.mend.io/vulnerability-database/CVE-2022-22970>`_. :pr:`24112`
* Fix for `CVE-2024-22243 <https://www.mend.io/vulnerability-database/CVE-2024-22243>`_. :pr:`24112`
* Fix for `CVE-2024-22259 <https://www.mend.io/vulnerability-database/CVE-2024-22259>`_. :pr:`24112`
* Fix for `CVE-2021-22096 <https://www.mend.io/vulnerability-database/CVE-2021-22096>`_. :pr:`24112`
* Fix for `CVE-2024-8184 <https://www.mend.io/vulnerability-database/CVE-2024-8184>`_. :pr:`24112`
* Fix for `CVE-2024-6763 <https://www.mend.io/vulnerability-database/CVE-2024-6763>`_. :pr:`24112`
* Fix for `CVE-2021-22060 <https://www.mend.io/vulnerability-database/CVE-2021-22060>`_. :pr:`24112`
* Fix for `CVE-2024-22262 <https://www.mend.io/vulnerability-database/CVE-2024-22262>`_. :pr:`24112`
* Fix for `CVE-2021-22096 <https://www.mend.io/vulnerability-database/CVE-2021-22096>`_. :pr:`24112`
* Fix for `CVE-2023-20883 <https://www.mend.io/vulnerability-database/CVE-2023-20883>`_. :pr:`24112`
* Fix for `CVE-2021-0170 <https://www.mend.io/vulnerability-database/CVE-2021-0170>`_. :pr:`24112`
* Fix for `CVE-2018-1199 <https://www.mend.io/vulnerability-database/CVE-2018-1199>`_. :pr:`24112`
* Fix for `CVE-2024-6763 <https://www.mend.io/vulnerability-database/CVE-2024-6763>`_. :pr:`24112`
* Fix for `CVE-2015-5211 <https://www.mend.io/vulnerability-database/CVE-2015-5211>`_. :pr:`24112`
* Fix for `CVE-2015-3192 <https://www.mend.io/vulnerability-database/CVE-2015-3192>`_. :pr:`24112`
* Fix for `CVE-2022-27772 <https://www.mend.io/vulnerability-database/CVE-2022-27772>`_. :pr:`24112`
* Fix for `CVE-2020-5421 <https://www.mend.io/vulnerability-database/CVE-2020-5421>`_. :pr:`24112`
* Fix for `CVE-2024-38809 <https://www.mend.io/vulnerability-database/CVE-2024-38809>`_. :pr:`24112`
* Fix for `CVE-2022-22965 <https://www.mend.io/vulnerability-database/CVE-2022-22965>`_. :pr:`24112`
* Fix for `CVE-2022-22970 <https://www.mend.io/vulnerability-database/CVE-2022-22970>`_. :pr:`24112`

steveburnett · 2024-11-21T16:52:04Z

Suggest adding a release note entry that links to the CVE. Something in the format of the following example:

== RELEASE NOTES ==
Security Changes
* Upgrade okio to 3.6.0 in response to `CVE-2023-3635 <https://github.com/advisories/GHSA-w33c-445m-f8w7>`_. :pr:`23796`

jp-sivaprasad

Please add references to CVEs that are fixed.

NivinCS · 2024-11-23T03:51:10Z

Please add references to CVEs that are fixed.

Done

NivinCS · 2024-11-23T03:51:30Z

Suggest adding a release note entry that links to the CVE. Something in the format of the following example:
== RELEASE NOTES ==
Security Changes
* Upgrade okio to 3.6.0 in response to `CVE-2023-3635 <https://github.com/advisories/GHSA-w33c-445m-f8w7>`_. :pr:`23796`

Done

tdcmeehan · 2024-11-25T14:59:50Z

Please squash these commits and make sure the commit message follows our guidelines in contributing.

yingsu00

@NivinCS Please also read https://github.com/prestodb/presto/wiki/Release-Notes-Guidelines and update the release note accordingly. The phrase should start with Fix...
Also the PR message should also use imperative present tense.

NivinCS · 2024-11-26T06:47:08Z

@NivinCS Please also read https://github.com/prestodb/presto/wiki/Release-Notes-Guidelines and update the release note accordingly. The phrase should start with Fix... Also the PR message should also use imperative present tense.

Done

NivinCS · 2024-11-26T06:47:24Z

Please squash these commits and make sure the commit message follows our guidelines in contributing.

Done

yingsu00

Release note
Fix for ...
==>
Fix ...
cc @steveburnett

NivinCS · 2024-11-27T04:44:35Z

Release note Fix for ... ==> Fix ... cc @steveburnett

Hi @steveburnett / @yingsu00 ,

Could you please confirm the same, as we get the general template for release note as below

== RELEASE NOTES ==

General Changes

... :pr:12345
... :pr:12345

Hive Connector Changes

... :pr:12345
... :pr:12345

prestodb-ci added the from:IBM PR from IBM label Nov 21, 2024

prestodb-ci requested review from a team and jp-sivaprasad and removed request for a team November 21, 2024 10:47

jp-sivaprasad previously approved these changes Nov 21, 2024

View reviewed changes

NivinCS dismissed jp-sivaprasad’s stale review via 17c8ef5 November 22, 2024 06:53

NivinCS marked this pull request as ready for review November 22, 2024 09:31

NivinCS requested a review from a team as a code owner November 22, 2024 09:31

NivinCS requested a review from presto-oss November 22, 2024 09:31

jp-sivaprasad previously approved these changes Nov 22, 2024

View reviewed changes

yingsu00 reviewed Nov 26, 2024

View reviewed changes

NivinCS changed the title ~~oss cve fix for spring jars~~ Fix spring jar security vulnerabilities Nov 26, 2024

NivinCS dismissed jp-sivaprasad’s stale review via 0b76a8d November 26, 2024 05:47

NivinCS force-pushed the cve-fix-oss-spring branch 3 times, most recently from e8cabf9 to 7f1ad6c Compare November 26, 2024 05:54

Fix spring jar security vulnerabilities

6d44d7d

NivinCS force-pushed the cve-fix-oss-spring branch from 7f1ad6c to 6d44d7d Compare November 26, 2024 06:43

yingsu00 reviewed Nov 27, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix spring jar security vulnerabilities #24112

Fix spring jar security vulnerabilities #24112

NivinCS commented Nov 21, 2024 •

edited

Loading

steveburnett commented Nov 21, 2024

jp-sivaprasad left a comment

NivinCS commented Nov 23, 2024

NivinCS commented Nov 23, 2024

tdcmeehan commented Nov 25, 2024

yingsu00 left a comment

NivinCS commented Nov 26, 2024

NivinCS commented Nov 26, 2024

yingsu00 left a comment

NivinCS commented Nov 27, 2024 •

edited

Loading

Fix spring jar security vulnerabilities #24112

Are you sure you want to change the base?

Fix spring jar security vulnerabilities #24112

Conversation

NivinCS commented Nov 21, 2024 • edited Loading

Description

Motivation and Context

Impact

Test Plan

Contributor checklist

Release Notes

steveburnett commented Nov 21, 2024

jp-sivaprasad left a comment

Choose a reason for hiding this comment

NivinCS commented Nov 23, 2024

NivinCS commented Nov 23, 2024

tdcmeehan commented Nov 25, 2024

yingsu00 left a comment

Choose a reason for hiding this comment

NivinCS commented Nov 26, 2024

NivinCS commented Nov 26, 2024

yingsu00 left a comment

Choose a reason for hiding this comment

NivinCS commented Nov 27, 2024 • edited Loading

NivinCS commented Nov 21, 2024 •

edited

Loading

NivinCS commented Nov 27, 2024 •

edited

Loading