[Java][FlightSQL] Update Apache Avatica to version 1.24.0 #39288
Comments
Hi @danepitkin - thanks for picking up this issue so quickly. Your help with this is greatly appreciated. 🥇 We realize now that there is one other important CVE that's included in flight-sql-jdbc-driver and we also need this one resolved as well: This vulnerability is introduced by the reference to Avatica v1.18.0. In Avatica version 1.22.0 and above, this issue is resolved. In https://mvnrepository.com/artifact/org.apache.calcite.avatica/avatica-core Is it possible to also upgrade the Avatica dependency in the flight-sql-jdbc-driver? Thank you for your help. |
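A practical way to confirm whether a build still pulls in an Avatica release below the 1.22.0 threshold the comment above mentions is to scan `mvn dependency:tree` output for the `avatica-core` artifact and compare its version. The following is an added example written for this thread, not code from the Arrow project; the dependency-tree lines it parses are constructed samples (a "before" tree on 1.18.0 and an "after" tree on 1.24.0), and the threshold and artifact name are taken from the thread rather than from any vulnerability database.

```python
"""Flag Maven dependency-tree entries whose avatica-core version is below the
release the thread identifies as fixed (1.22.0). Added example, not project code."""
import re

# Minimum fixed version as stated in the thread (assumption: the thread's claim is accurate).
FIXED_AVATICA = (1, 22, 0)

# Matches the "group:artifact:jar:version" shape printed by `mvn dependency:tree`.
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+)")


def parse_version(text):
    """Turn '1.18.0' or '1.24.0-SNAPSHOT' into a comparable 3-tuple of ints."""
    nums = [int(x) for x in re.findall(r"\d+", text.split("-")[0])]
    while len(nums) < 3:          # pad '1.18' to (1, 18, 0)
        nums.append(0)
    return tuple(nums[:3])


def find_outdated(tree_lines, artifact="avatica-core", fixed=FIXED_AVATICA):
    """Return (group:artifact, version) for every matching artifact below `fixed`."""
    findings = []
    for line in tree_lines:
        m = DEP_RE.search(line)
        if not m:
            continue                # separator or non-dependency output line
        group, art, version = m.groups()
        if art == artifact and parse_version(version) < fixed:
            findings.append((f"{group}:{art}", version))
    return findings


# Constructed sample trees; only the coordinates named in the thread are used.
TREE_BEFORE = """\
[INFO] org.apache.arrow:flight-sql-jdbc-core:jar:14.0.1
[INFO] +- org.apache.calcite.avatica:avatica-core:jar:1.18.0:compile
[INFO] \\- org.apache.arrow:flight-core:jar:14.0.1:compile
""".splitlines()

TREE_AFTER = """\
[INFO] org.apache.arrow:flight-sql-jdbc-core:jar:14.0.1
[INFO] +- org.apache.calcite.avatica:avatica-core:jar:1.24.0:compile
[INFO] \\- org.apache.arrow:flight-core:jar:14.0.1:compile
""".splitlines()


if __name__ == "__main__":
    for label, tree in (("before", TREE_BEFORE), ("after", TREE_AFTER)):
        hits = find_outdated(tree)
        print(label, "->", hits or "no outdated avatica-core found")
```

Pipe real output in with `mvn dependency:tree | python check_avatica.py`-style wiring, or call `find_outdated()` from a CI step and fail the build when the list is non-empty; the version comparison is tuple-based so `1.18.0 < 1.22.0` is evaluated numerically rather than as strings.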
Ah looks like Arrow is using v1.18: JDBC Core
JDBC Driver
Would you be willing to help contribute a fix for this? |
Hi @danepitkin - sure. If by "fix," we mean to change the pom files, run a few local tests, and submit a PR. Please let me know if there is more to this than I am considering. Thanks |
Update pom files, update several failing tests, because UsernamePasswordCredentials() has been removed from Avatica.
Yes, that's it! Thank you @rcprcp, I truly appreciate it. Can we update the title/description of this issue to match the PR? |
@danepitkin thank you. Updated the issue's title. |
Hi @lidavidm , is there an approximate date when Arrow Flight V15 will be released? Or, if there is going to be a 14.3.0 version released sooner, can we get this issue backported? If we go with 14.3.0, is there an approximate date for that? thanks! |
Releases are roughly every 3 months. 14.3.0 is unlikely, 15.0.0 should be in January. |
…24.0 (apache#39325) Updated pom files, and updated several failing tests because UsernamePasswordCredentials() method has been removed from Avatica. * Closes: apache#39288 Authored-by: Bob Plotts <bob.plotts@dremio.com> Signed-off-by: David Li <li.davidm96@gmail.com>
Describe the bug, including details regarding any error messages, version, and platform.
The Flight SQL JDBC driver link on mvnrepository
https://mvnrepository.com/artifact/org.apache.arrow/flight-sql-jdbc-driver/14.0.1
Links to these two CVEs:
Vulnerabilities from dependencies:
CVE-2023-2976
CVE-2020-8908
These CVEs are blocking a customer's ability to use the driver in production, as the customer's Security Team objects to having these move to production.
Is it possible to upgrade the dependencies, test, and release a new version of the driver without these CVEs?
Component(s)
Java