This is an automated email from the ASF dual-hosted git repository.
chengpan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kyuubi.git
The following commit(s) were added to refs/heads/master by this push:
new 9b93e874a [KYUUBI #5293] upgrade snakeyaml from 1.33 to 2.2
9b93e874a is described below
commit 9b93e874a0470641ae4e83fea3942c75bd065aac
Author: pengqli <[email protected]>
AuthorDate: Fri Sep 15 11:32:09 2023 +0000
[KYUUBI #5293] upgrade snakeyaml from 1.33 to 2.2
### _Why are the changes needed?_
Upgrade snakeyaml from 1.33 to 2.2 to reduce direct CVE vulnerabilities;
see https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes
[CVE-2022-1471](https://nvd.nist.gov/vuln/detail/CVE-2022-1471)
SnakeYaml's Constructor() class does not restrict types which can be
instantiated during deserialization. Deserializing yaml content provided by an
attacker can lead to remote code execution. We recommend using SnakeYaml's
SafeConstructor when parsing untrusted content to restrict deserialization. We
recommend upgrading to version 2.0 and beyond.
### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [x] [Run test](https://kyuubi.readthedocs.io/en/master/contributing/code/testing.html#running-tests) locally before making a pull request
### _Was this patch authored or co-authored using generative AI tooling?_
No
Closes #5293 from dev-lpq/snakeyaml_critical.
Closes #5293
5b2412d8e [pengqli] upgrade snakeyaml from 1.33 to 2.2
Authored-by: pengqli <[email protected]>
Signed-off-by: Cheng Pan <[email protected]>
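The mitigation named in the CVE text above (SafeConstructor for untrusted input), written against the SnakeYAML 2.x API that this bump moves the build to, where LoaderOptions must be passed explicitly. This is an added example, not code from the commit or from the Kyuubi project; the YAML documents and the class name in it are constructed.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/** Loads YAML from an untrusted source using SnakeYAML 2.x (added example). */
public final class SafeYamlLoader {

    /** Loader limits applied on top of the type restriction SafeConstructor gives. */
    private static LoaderOptions hardenedOptions() {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);          // reject ambiguous mappings
        opts.setMaxAliasesForCollections(50);       // bound alias expansion ("billion laughs")
        opts.setCodePointLimit(1024 * 1024);        // cap input size at 1 MiB of code points
        return opts;
    }

    /** Parses a document into plain maps/lists/scalars; no application classes are ever built. */
    public static Map<String, Object> load(String untrustedYaml) {
        // SafeConstructor only knows the standard YAML types, so a document cannot
        // name a Java class to instantiate, which is the root cause behind CVE-2022-1471.
        Yaml yaml = new Yaml(new SafeConstructor(hardenedOptions()));
        Object root = yaml.load(untrustedYaml);
        if (!(root instanceof Map)) {
            throw new IllegalArgumentException("expected a mapping at the top level");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> mapping = (Map<String, Object>) root;
        return mapping;
    }

    public static void main(String[] args) {
        // Constructed sample: an ordinary configuration mapping is accepted.
        System.out.println(load("server:\n  port: 8080\n  bind: 127.0.0.1\n"));

        // Constructed sample: a document that asks for an application class to be
        // instantiated through a global tag; the class name is a placeholder.
        // The safe loader refuses it and raises a YAMLException subclass.
        try {
            load("handler: !!org.example.NotAllowed {}\n");
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```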
---
dev/dependencyList | 2 +-
pom.xml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/dev/dependencyList b/dev/dependencyList
index f59095b66..0675f56f0 100644
--- a/dev/dependencyList
+++ b/dev/dependencyList
@@ -183,7 +183,7 @@
simpleclient_tracer_otel/0.16.0//simpleclient_tracer_otel-0.16.0.jar
simpleclient_tracer_otel_agent/0.16.0//simpleclient_tracer_otel_agent-0.16.0.jar
slf4j-api/1.7.36//slf4j-api-1.7.36.jar
snakeyaml-engine/2.6//snakeyaml-engine-2.6.jar
-snakeyaml/1.33//snakeyaml-1.33.jar
+snakeyaml/2.2//snakeyaml-2.2.jar
snappy-java/1.1.8.4//snappy-java-1.1.8.4.jar
sqlite-jdbc/3.42.0.0//sqlite-jdbc-3.42.0.0.jar
swagger-annotations/2.2.1//swagger-annotations-2.2.1.jar
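Review bot: this bump crosses a major version (1.33 to 2.2) while the commit message has only the local test run ticked and no test cases added, so the description should say which Kyuubi modules construct a `Yaml` instance and confirm they compile and pass against 2.2; the version change by itself does not provide the `SafeConstructor` use the message recommends for untrusted content, so the call sites that load external YAML need a separate check. The neighbouring `snakeyaml-engine/2.6//snakeyaml-engine-2.6.jar` entry is a different artifact and is correctly left untouched.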
diff --git a/pom.xml b/pom.xml
index 5d812f63a..faff83917 100644
--- a/pom.xml
+++ b/pom.xml
@@ -191,7 +191,7 @@
<scalatestplus.version>3.2.16.0</scalatestplus.version>
<scopt.version>4.1.0</scopt.version>
<slf4j.version>1.7.36</slf4j.version>
- <snakeyaml.version>1.33</snakeyaml.version>
+ <snakeyaml.version>2.2</snakeyaml.version>
<!--
DO NOT forget to change the following properties when change the
minor version of Spark:
`delta.version`, `maven.plugin.scalatest.exclude.tags`
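Review bot: `snakeyaml.version` is raised to 2.2 here and the `dev/dependencyList` entry is updated in the same commit, which keeps the declared and recorded versions in sync; what remains to confirm is that the property is the version actually resolved for modules that only receive snakeyaml transitively, since otherwise the 1.33 jar can still appear on a module's classpath even though the list and the property both say 2.2.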