(druid) branch master updated: 2 new CVEs popped in the druid34 release process (#18227)

Mon, 14 Jul 2025 17:52:33 -0700 

This is an automated email from the ASF dual-hosted git repository.

gian pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git


The following commit(s) were added to refs/heads/master by this push:
     new 85e198f4b31 2 new CVEs popped in the druid34 release process (#18227)
85e198f4b31 is described below

commit 85e198f4b31088e1f75f91ea4be310c3269c5896
Author: Lucas Capistrant <[email protected]>
AuthorDate: Mon Jul 14 19:52:06 2025 -0500

    2 new CVEs popped in the druid34 release process (#18227)
    
    Proposing to supress both as the druid dependencies that they are coming 
from have no versions that fix them
---
 owasp-dependency-check-suppressions.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/owasp-dependency-check-suppressions.xml 
b/owasp-dependency-check-suppressions.xml
index 02b99779df6..201a500543c 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -142,6 +142,7 @@
     <cve>CVE-2024-47561</cve> <!--  This seems to be a legitimate 
vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk 
v2 dependency work to finish -->
     <cve>CVE-2024-29131</cve> <!--  This seems to be a legitimate 
vulnerability. We would need to go to hadoop-client 3.4 which required aws sdk 
v2 dependency work to finish -->
     <cve>CVE-2024-22201</cve> <!--  This seems to be a legitimate 
vulnerability. We would need to go to a hadoop-client which was not yet 
released  -->
+    <cve>CVE-2025-52999</cve> <!--  This is vulneraability in all versions of 
hadoop-client-runtime and has not been fixed by hadoop yet -->
   </suppress>
 
   <!-- those are false positives, no other tools report any of those CVEs in 
the hadoop package -->
@@ -192,6 +193,7 @@
     <cve>CVE-2022-34917</cve>
     <cve>CVE-2023-25194</cve>
     <cve>CVE-2024-31141</cve>
+    <cve>CVE-2025-27818</cve> <!-- not fixed in any version of ranger 
dependency. I don't think it is exploitable in Druid within this extension -->
   </suppress>
 
   <suppress>


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to