Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HIVE-28245. Upgrade Spring to 5.3.27 due to CVE. #5237

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

HIVE-28245. Upgrade Spring to 5.3.27 due to CVE. #5237

wants to merge 1 commit into from

Conversation

slfan1989
Copy link
Contributor

What changes were proposed in this pull request?

JIRA: HIVE-28245. Upgrade Spring to 5.3.27 due to CVE.

I found that there are 2 CVE issues in the current Spring version, CVE-2023-20863 and CVE-2023-20861; we can upgrade the Spring version to 5.3.27 to solve this issue.

CVE-2023-20861

CVE-2023-20863

Why are the changes needed?

We need to upgrade to resolve CVE Issue.

Does this PR introduce any user-facing change?

No.

Is the change a dependency upgrade?

No.

How was this patch tested?

Compile locally

@sonarcloud SonarCloud
Copy link

sonarcloud bot commented May 5, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

@Aggarwal-Raghav
Copy link
Contributor

Thanks for the PR @slfan1989. As this is a dependency upgrade, can you change the description and based on HIVE-27419, can you attach the dependency tree in the PR?

@Aggarwal-Raghav
Copy link
Contributor 

org.apache.atlas:atlas-intg:jar:2.3.0:compile
[INFO] |  |  |  |  +- commons-validator:commons-validator:jar:1.6:compile
[INFO] |  |  |  |  |  \- commons-digester:commons-digester:jar:1.8.1:compile
[INFO] |  |  |  |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.16.1:compile
[INFO] |  |  |  |  +- javax.inject:javax.inject:jar:1:compile
[INFO] |  |  |  |  \- org.springframework:spring-context:jar:5.3.21:compile
[INFO] |  |  |  |     +- org.springframework:spring-aop:jar:5.3.21:compile
[INFO] |  |  |  |     +- org.springframework:spring-beans:jar:5.3.21:compile
[INFO] |  |  |  |     \- org.springframework:spring-expression:jar:5.3.21:compile

atlas is still bringing spring 5.3.21 and due to it, lib dir contains both the version of spring.

spring-aop-5.3.21.jar
spring-beans-5.3.21.jar
spring-context-5.3.21.jar
spring-core-5.3.27.jar
spring-expression-5.3.21.jar
spring-jcl-5.3.27.jar
spring-jdbc-5.3.27.jar
spring-tx-5.3.27.jar

@slfan1989
Copy link
Contributor Author

Thanks for the PR @slfan1989. As this is a dependency upgrade, can you change the description and based on HIVE-27419, can you attach the dependency tree in the PR?

Thank you for suggestions! I will continue to improve this pr.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
tests passed
Projects
None yet
Milestone
No milestone
3 participants
@slfan1989 @Aggarwal-Raghav @asf-ci-hive