
[fix][sec] Bump avro version to 1.11.3 for CVE-2023-39410 #21341

Merged
merged 5 commits into from
Oct 17, 2023

Conversation

tisonkun
Member

Motivation

Fix CVE-2023-39410

Modifications

Upgrade avro version to 1.11.3

Verifying this change

  • Make sure that the change passes the CI checks.

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository:

Signed-off-by: tison <wander4096@gmail.com>
@lhotari
Member

lhotari commented Oct 11, 2023

@tisonkun would you mind getting CI to pass in your fork? Besides updating the licenses, it's possible that slight changes are needed while upgrading. #9898 is the PR for Avro 1.9.x -> 1.10.x upgrade.

Signed-off-by: tison <wander4096@gmail.com>
Signed-off-by: tison <wander4096@gmail.com>
@tisonkun
Member Author

tisonkun commented Oct 12, 2023

Run 2: ProtobufSchemaTest.testSchema:94 expected [{"type":"record","name":"TestMessage","namespace":"org.apache.pulsar.client.schema.proto.Test","fields":[{"name":"stringField","type":{"type":"string","avro.java.string":"String"},"default":""},{"name":"doubleField","type":"double","default":0},{"name":"intField","type":"int","default":0},{"name":"testEnum","type":{"type":"enum","name":"TestEnum","symbols":["SHARED","FAILOVER"]},"default":"SHARED"},{"name":"nestedField","type":["null",{"type":"record","name":"SubMessage","fields":[{"name":"foo","type":{"type":"string","avro.java.string":"String"},"default":""},{"name":"bar","type":"double","default":0}]}],"default":null},{"name":"repeatedField","type":{"type":"array","items":{"type":"string","avro.java.string":"String"}},"default":[]},{"name":"externalMessage","type":["null",{"type":"record","name":"ExternalMessage","namespace":"org.apache.pulsar.client.schema.proto.ExternalTest","fields":[{"name":"stringField","type":{"type":"string","avro.java.string":"String"},"default":""},{"name":"doubleField","type":"double","default":0}]}],"default":null}]}] but found 
[{"type":"record","name":"TestMessage","namespace":"org.apache.pulsar.client.schema.proto.Test","fields":[{"name":"stringField","type":{"type":"string","avro.java.string":"String"},"default":""},{"name":"doubleField","type":"double","default":0.0},{"name":"intField","type":"int","default":0},{"name":"testEnum","type":{"type":"enum","name":"TestEnum","symbols":["SHARED","FAILOVER"]},"default":"SHARED"},{"name":"nestedField","type":["null",{"type":"record","name":"SubMessage","fields":[{"name":"foo","type":{"type":"string","avro.java.string":"String"},"default":""},{"name":"bar","type":"double","default":0.0}]}],"default":null},{"name":"repeatedField","type":{"type":"array","items":{"type":"string","avro.java.string":"String"}},"default":[]},{"name":"externalMessage","type":["null",{"type":"record","name":"ExternalMessage","namespace":"org.apache.pulsar.client.schema.proto.ExternalTest","fields":[{"name":"stringField","type":{"type":"string","avro.java.string":"String"},"default":""},{"name":"doubleField","type":"double","default":0.0}]}],"default":null}]}]

Interesting. The upgrade seems not transparent.

@tisonkun
Member Author

It's about the different display of double type "name":"bar","type":"double","default":0.0.
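The failure quoted above is a textual comparison breaking on a cosmetic change: Avro 1.11.3 renders a double field's default as 0.0 where the previous version printed 0, while the schemas are semantically identical. The following is an added example, not code from this PR, from Pulsar or from Avro, showing how a test or a schema-registry check can compare Avro schema JSON structurally (numeric defaults normalized to the kind their declared type implies) and report only real differences by path. The EXPECTED and ACTUAL strings are shortened from the quoted ProtobufSchemaTest output; all function names are this example's own.

```python
"""Compare Avro schema JSON structurally instead of as text.

Added example, not code from the Pulsar PR or from Avro: EXPECTED and
ACTUAL are shortened from the ProtobufSchemaTest failure quoted in the
thread, and every function name here is this example's own.
"""
import json
from typing import Any, List, Tuple

# Shortened from the quoted test failure: Avro 1.10.x rendered the double
# default as 0, Avro 1.11.3 renders it as 0.0. The int default is unchanged.
EXPECTED = ('{"type":"record","name":"TestMessage","fields":['
            '{"name":"doubleField","type":"double","default":0},'
            '{"name":"intField","type":"int","default":0}]}')
ACTUAL = ('{"type":"record","name":"TestMessage","fields":['
          '{"name":"doubleField","type":"double","default":0.0},'
          '{"name":"intField","type":"int","default":0}]}')

FLOAT_TYPES = {"float", "double"}
INT_TYPES = {"int", "long"}
MISSING = "<absent>"


def _declared_type(typ: Any) -> Any:
    """Reduce a field type to its primitive name: unions use their first
    branch (Avro requires the default to match it), named types their 'type'."""
    if isinstance(typ, list) and typ:
        typ = typ[0]
    if isinstance(typ, dict):
        typ = typ.get("type")
    return typ


def _normalize_default(field: dict) -> None:
    """Coerce a field's default to the numeric kind its declared type implies,
    so 0 and 0.0 are the same double default while int defaults stay ints."""
    value = field.get("default")
    if value is None or isinstance(value, bool):
        return
    typ = _declared_type(field["type"])
    if typ in FLOAT_TYPES and isinstance(value, int):
        field["default"] = float(value)
    elif typ in INT_TYPES and isinstance(value, float) and value.is_integer():
        field["default"] = int(value)


def canonical_schema(schema: Any) -> Any:
    """Return a copy of a parsed schema with numeric defaults normalized."""
    if isinstance(schema, dict):
        out = {k: canonical_schema(v) for k, v in schema.items()}
        if "name" in out and "type" in out and "default" in out:
            _normalize_default(out)
        return out
    if isinstance(schema, list):
        return [canonical_schema(v) for v in schema]
    return schema


def schema_diff(a: Any, b: Any, path: str = "$") -> List[Tuple[str, Any, Any]]:
    """List (path, left, right) triples where two parsed schemas differ.
    Leaves are compared strictly, so 0 (int) and 0.0 (float) count as a
    difference unless the schemas were canonicalized first."""
    diffs: List[Tuple[str, Any, Any]] = []
    if isinstance(a, dict) and isinstance(b, dict):
        for key in sorted(set(a) | set(b)):
            if key not in a or key not in b:
                diffs.append((f"{path}.{key}", a.get(key, MISSING), b.get(key, MISSING)))
            else:
                diffs.extend(schema_diff(a[key], b[key], f"{path}.{key}"))
    elif isinstance(a, list) and isinstance(b, list):
        if len(a) != len(b):
            diffs.append((f"{path}.length", len(a), len(b)))
        for i, (x, y) in enumerate(zip(a, b)):
            diffs.extend(schema_diff(x, y, f"{path}[{i}]"))
    elif type(a) is not type(b) or a != b:
        diffs.append((path, a, b))
    return diffs


def raw_diff(a_json: str, b_json: str) -> List[Tuple[str, Any, Any]]:
    """Strict diff of two schema strings with no normalization (flags 0 vs 0.0)."""
    return schema_diff(json.loads(a_json), json.loads(b_json))


def parse_canonical(schema_json: str) -> Any:
    return canonical_schema(json.loads(schema_json))


def canonical_json(schema_json: str) -> str:
    """Stable textual form suitable for fingerprinting or a golden-file test."""
    return json.dumps(parse_canonical(schema_json), sort_keys=True, separators=(",", ":"))


def schemas_equivalent(a_json: str, b_json: str) -> bool:
    return not schema_diff(parse_canonical(a_json), parse_canonical(b_json))


if __name__ == "__main__":
    print("text equal:", EXPECTED == ACTUAL)                 # False
    print("raw diff:", raw_diff(EXPECTED, ACTUAL))           # flags $.fields[0].default
    print("equivalent:", schemas_equivalent(EXPECTED, ACTUAL))  # True
```

Comparing canonical_json output rather than the library's own toString keeps a golden-file test stable across a security-driven dependency bump like this one, while schema_diff still reports a genuinely changed field type or a dropped field by path.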

Signed-off-by: tison <wander4096@gmail.com>
Signed-off-by: tison <wander4096@gmail.com>
@tisonkun tisonkun merged commit f5222d6 into apache:master Oct 17, 2023
43 of 45 checks passed
@tisonkun tisonkun deleted the sec-avro-1-11-3 branch October 17, 2023 01:38
poorbarcode pushed a commit that referenced this pull request Oct 24, 2023
Signed-off-by: tison <wander4096@gmail.com>
(cherry picked from commit f5222d6)
merlimat pushed a commit that referenced this pull request Dec 9, 2023
Signed-off-by: tison <wander4096@gmail.com>
liangyepianzhou pushed a commit to streamnative/pulsar-archived that referenced this pull request Dec 12, 2023
Signed-off-by: tison <wander4096@gmail.com>
(cherry picked from commit f5222d6)
nikhil-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 12, 2023
Signed-off-by: tison <wander4096@gmail.com>
(cherry picked from commit 23bf51a)
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 14, 2023
Signed-off-by: tison <wander4096@gmail.com>
(cherry picked from commit 23bf51a)
liangyepianzhou pushed a commit that referenced this pull request Dec 14, 2023
Signed-off-by: tison <wander4096@gmail.com>
(cherry picked from commit f5222d6)
nikhil-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 20, 2023
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 20, 2023
liangyepianzhou pushed a commit that referenced this pull request Jan 11, 2024
Signed-off-by: tison <wander4096@gmail.com>
(cherry picked from commit f5222d6)
(cherry picked from commit 5f28257)
liangyepianzhou added a commit to liangyepianzhou/pulsar that referenced this pull request Feb 18, 2024
nodece pushed a commit to nodece/pulsar that referenced this pull request Feb 23, 2024
Signed-off-by: tison <wander4096@gmail.com>
(cherry picked from commit f5222d6)
lhotari pushed a commit that referenced this pull request Oct 4, 2024
Signed-off-by: tison <wander4096@gmail.com>
(cherry picked from commit f5222d6)
(cherry picked from commit 5f28257)
@lhotari lhotari added the cherry-picked/branch-2.9 Archived: 2.9 is end of life label Oct 4, 2024
lhotari pushed a commit that referenced this pull request Oct 8, 2024
Signed-off-by: tison <wander4096@gmail.com>
(cherry picked from commit f5222d6)
(cherry picked from commit 5f28257)
(cherry picked from commit a6b5ac4)
@lhotari lhotari added the cherry-picked/branch-2.8 Archived: 2.8 is end of life label Oct 8, 2024
5 participants