
Vuln fixes 2026 03 26 #6392

Closed
adam-zacharski wants to merge 7 commits into apache:master from adam-zacharski:vuln-fixes-2026-03-26

Conversation

@adam-zacharski

What changes were proposed in this pull request?

Why are the changes needed?

Does this PR introduce any user-facing change?

How was this patch tested?

adam-zacharski and others added 7 commits March 26, 2026 15:35
- Bump jackson 2.16.1 -> 2.21.1
- Bump zookeeper 3.8.4 -> 3.9.5
- Bump commons-lang3 3.17.0 -> 3.18.0
- Add aircompressor 2.0.3 override (was 2.0.2 transitive)
- Add lz4-java 1.8.1 override (was 1.8.0 transitive)
- Add commons-beanutils 1.9.4 override (was 1.9.2 transitive)
- Add commons-vfs2 2.10.0 override (was 2.3 transitive)
- Upgrade Docker base image from ubi9 to ubi10 (eclipse-temurin:21.0.10_7-jre-ubi10-minimal)
- Remove druid-handler and kudu-handler from packaging (not needed for metastore-only deployments)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add dependency management entries for spring-beans, spring-context,
spring-expression, spring-web, and spring-webmvc to pin them to
${spring.version} (5.3.39). Previously only spring-core and spring-jdbc
were pinned, causing the others to resolve to 5.3.31 via Spring Boot
2.7.18 transitives.

Fixes CVE-2024-22243, CVE-2024-38809, CVE-2024-38808.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Down to 112 total vulns from original 208.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Update jetty.version in root pom.xml and standalone-metastore/pom.xml
- Replace B64Code (removed in Jetty 10) with java.util.Base64 in PamAuthenticator
- Change SslContextFactory to SslContextFactory.Server (required in Jetty 10)
- Replace Connection.addListener() with connector.addBean() pattern
- Update XmlConfiguration to use Resource.newResource() API
- Update websocket artifact names for Jetty 10 compatibility
- Remove jetty-continuation (removed in Jetty 10)

Fixes CVE-2024-22201 (HIGH) and CVE-2023-36478 (HIGH).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Major changes to reduce Docker image CVEs from 112 to 10 (Spring-only):
- Jetty 10.0.26 → 12.0.33 EE10 (rewrite Pam security classes for new API)
- Guava 22.0 → 33.4.8-jre
- commons-beanutils 1.9.4 → 1.11.0
- grpc 1.72.0 → 1.75.0, netty 4.1.127 → 4.1.129
- velocity 2.3 → 2.4.1, parquet 1.16.0 → 1.17.0
- lz4-java: switch to at.yawk.lz4 fork 1.10.4
- jackson (metastore) 2.16.1 → 2.21.1
- Add snakeyaml 2.3, json-smart 2.5.2 dep management
- Switch parquet-hadoop-bundle → parquet-hadoop (non-bundle)
- Exclude htrace-core 3.1.0, commons-lang 2.6, parquet-jackson
- Exclude old Jetty 9 from spring-boot-starter-jetty

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…vlet

Eliminates all remaining CVEs in the Hive Docker image (208→0):
- Spring 5.3.39 → 6.2.17, Spring Boot 2.7.18 → 3.5.13
- Spring LDAP 2.4.4 → 3.2.14
- Thrift 0.16.0 → 0.22.0 (jakarta.servlet support)
- pac4j 4.5.8 → 6.3.3 (pac4j-jakartaee for Jakarta EE)
- javax.servlet → jakarta.servlet across all Java sources
- BouncyCastle bcpkix/bcutil pinned to 1.82 via dep management
- Adapt pac4j CallContext API, SAML2Credentials changes
- Fix Jetty 12 EE10 API usage (ServletHolder, FilterHolder, etc.)
- Fix removed HttpUtils.parseQueryString, Jersey 1.x compat
- Update packaging license plugin for new dependency URLs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
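The second commit above pins spring-beans, spring-context, spring-expression, spring-web and spring-webmvc because only spring-core and spring-jdbc had been pinned and the rest resolved to 5.3.31 through the Spring Boot 2.7.18 transitives. A check for exactly that failure mode, as an added example that is not part of this PR or of Hive's own build: it parses the stdout of `mvn dependency:list`, flags artifacts that resolved below the version the pom was meant to pin, and reports any groupId whose artifacts landed on more than one version (the usual sign of a partial pin). The `EXPECTED_MIN` map and the sample Maven output embedded below are constructed for the example; version comparison looks only at the numeric prefix, so qualifiers such as `.Final` or `-jre` are ignored.

```python
"""Check Maven-resolved dependency versions against intended pins.

Added example, not Hive's code. Feed it `mvn dependency:list` output on
stdin; with no stdin it runs against the constructed SAMPLE_OUTPUT below.
"""
import re
import sys
from collections import defaultdict
from typing import Dict, List, Tuple

# Minimum versions the pom intends to pin (assumed for this example; the
# spring entry mirrors the PR's pin). Keys: "groupId" or "groupId:artifactId".
EXPECTED_MIN: Dict[str, str] = {
    "org.springframework": "5.3.39",
    "com.fasterxml.jackson.core": "2.21.1",
    "org.apache.commons:commons-lang3": "3.18.0",
}

# `mvn dependency:list` prints each resolved artifact as
# [INFO]    groupId:artifactId:type[:classifier]:version:scope
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?:(?P<classifier>[\w\-]+):)?(?P<version>[^:\s]+):(?P<scope>\w+)"
)

# Constructed sample mimicking the pre-fix state described in the commit:
# spring-core/jdbc pinned, spring-beans/web dragged down by the Boot BOM.
SAMPLE_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.6.1:list (default-cli) @ hive-service ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-core:jar:5.3.39:compile
[INFO]    org.springframework:spring-jdbc:jar:5.3.39:compile
[INFO]    org.springframework:spring-beans:jar:5.3.31:compile
[INFO]    org.springframework:spring-web:jar:5.3.31:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.21.1:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.18.0:compile
[INFO]    io.netty:netty-handler:jar:4.1.129.Final:compile
[INFO] BUILD SUCCESS
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric prefix of a version: '4.1.129.Final' -> (4, 1, 129).
    Qualifiers are dropped, so this is a coarse but dependable ordering."""
    nums: List[int] = []
    for part in re.split(r"[.\-]", v):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def parse_dependency_list(text: str) -> List[Dict[str, str]]:
    """Extract resolved coordinates from `mvn dependency:list` stdout."""
    return [m.groupdict() for m in map(DEP_LINE.match, text.splitlines()) if m]


def find_below_minimum(deps, expected_min) -> List[Tuple[str, str, str]]:
    """(coordinate, resolved, required) for every artifact under its pin.
    An exact groupId:artifactId entry wins over a groupId-wide one."""
    findings = []
    for d in deps:
        coord = f"{d['group']}:{d['artifact']}"
        required = expected_min.get(coord) or expected_min.get(d["group"])
        if required and parse_version(d["version"]) < parse_version(required):
            findings.append((coord, d["version"], required))
    return findings


def find_group_skew(deps) -> Dict[str, List[str]]:
    """groupIds whose artifacts resolved to more than one version."""
    versions = defaultdict(set)
    for d in deps:
        versions[d["group"]].add(d["version"])
    return {g: sorted(v) for g, v in versions.items() if len(v) > 1}


if __name__ == "__main__":
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    deps = parse_dependency_list(text)
    for coord, got, want in find_below_minimum(deps, EXPECTED_MIN):
        print(f"BELOW PIN  {coord} resolved {got}, pom intends {want}")
    for group, vs in find_group_skew(deps).items():
        print(f"SKEW       {group} resolved to {', '.join(vs)}")
```

Run it as `mvn dependency:list | python3 check_pins.py` from the module you ship (for this PR that would be the standalone-metastore and packaging modules, since those are what end up in the Docker image). A skew report with no BELOW PIN line still deserves attention: a group split across versions usually means a BOM or a transitive is winning over a partial `dependencyManagement` block, which is how the 5.3.31 artifacts got in here.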
@adam-zacharski adam-zacharski deleted the vuln-fixes-2026-03-26 branch March 27, 2026 04:51

2 participants