This is an automated email from the ASF dual-hosted git repository.

csringhofer pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git

commit 65927f4ba3cf22c9b88bf9647f04f1da77a75675
Author: Michael Smith <[email protected]>
AuthorDate: Thu Aug 15 09:04:48 2024 -0700

    IMPALA-13301: Upgrade aircompressor to 0.27
    
    Upgrades io.airlift.aircompressor to 0.27 to address CVE-2024-36114.
    Aircompressor is a dependency of Orc, however we tend to upgrade Orc
    more deliberately and synchronize C++ and Java upgrades. Aircompressor
    upgrades in Orc did not require any code changes, so manage this
    dependency directly to address the CVE.
    
    Change-Id: I6c56daa61d5ecbcb3a5f7fbd0665043bb49b469f
    Reviewed-on: http://gerrit.cloudera.org:8080/21677
    Reviewed-by: Impala Public Jenkins <[email protected]>
    Tested-by: Impala Public Jenkins <[email protected]>
---
 bin/impala-config.sh | 1 +
 java/pom.xml         | 9 +++++++++
 2 files changed, 10 insertions(+)

diff --git a/bin/impala-config.sh b/bin/impala-config.sh
index 68ae68c6d..84f9d58db 100755
--- a/bin/impala-config.sh
+++ b/bin/impala-config.sh
@@ -298,6 +298,7 @@ export IMPALA_XMLSEC_VERSION=2.2.6
 export IMPALA_OBS_VERSION=3.1.1-hw-42
 export IMPALA_DBCP2_VERSION=2.9.0
 export IMPALA_DROPWIZARD_METRICS_VERSION=4.2.26
+export IMPALA_AIRCOMPRESSOR_VERSION=0.27
 
 # When Impala is building docker images on Redhat-based distributions,
 # it is useful to be able to customize the base image. Some users will
diff --git a/java/pom.xml b/java/pom.xml
index 60966bf75..d923deafa 100644
--- a/java/pom.xml
+++ b/java/pom.xml
@@ -82,6 +82,7 @@ under the License.
     <commons-dbcp2.version>${env.IMPALA_DBCP2_VERSION}</commons-dbcp2.version>
     <log4j2.version>${env.IMPALA_LOG4J2_VERSION}</log4j2.version>
     
<dropwizard-metrics.version>${env.IMPALA_DROPWIZARD_METRICS_VERSION}</dropwizard-metrics.version>
+    
<aircompressor.version>${env.IMPALA_AIRCOMPRESSOR_VERSION}</aircompressor.version>
   </properties>
 
   <repositories>
@@ -407,6 +408,14 @@ under the License.
         <artifactId>metrics-json</artifactId>
         <version>${dropwizard-metrics.version}</version>
       </dependency>
+
+      <!-- Pin aircompressor version. Orc depends on this, but Orc upgrade 
will be
+          planned separately. Remove once Orc is upgraded to 1.9.4+. -->
+      <dependency>
+        <groupId>io.airlift</groupId>
+        <artifactId>aircompressor</artifactId>
+        <version>${aircompressor.version}</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 
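Review bot: The comment above the new `io.airlift:aircompressor` entry gives only the Orc upgrade plan as the reason for the pin and never names the advisory, so a later cleanup could lower or drop the pin without seeing the security reason. I would word it along the lines of `<!-- Pin aircompressor to 0.27+ for CVE-2024-36114. Orc depends on this, but the Orc upgrade is planned separately. Remove once Orc is upgraded to 1.9.4+. -->`. A `dependencyManagement` entry only controls the version Maven resolves for modules that inherit this POM. If any consumed artifact shades or bundles its own copy of the aircompressor classes (not visible from this hunk), the pin would not reach it, so it is worth confirming the resolved version in the dependency tree and in the packaged jars. The enclosing `dependencyManagement` block starts outside this hunk.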
