[ https://issues.apache.org/jira/browse/IMPALA-12063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17714662#comment-17714662 ]

Joe McDonnell commented on IMPALA-12063:
----------------------------------------

Toolchain change: 
[https://github.com/cloudera/native-toolchain/commit/2db32c492809cdf0e10da1ec137ec79031eed366]
{noformat}
commit 2db32c492809cdf0e10da1ec137ec79031eed366
Author: Joe McDonnell <[email protected]>
Date:   Thu Nov 3 18:00:57 2022 -0700

    IMPALA-11603, IMPALA-12063: Address CVE in zlib by upgrading to 1.2.13
    
    Zlib fixed CVE-2022-37434, an issue in inflateGetHeader() in 1.2.13.
    This bumps the version of zlib to 1.2.13 to pick up this fix.
    
    This also adds a build of Cloudflare zlib. Cloudflare zlib is a
    drop-in replacement for the standard zlib library that has been
    optimized to take advantage of SIMD and other processor support
    on x86_64 and ARM. This adds a build of the latest Cloudflare zlib
    as a new component. This version of Cloudflare zlib also contains
    the fix for CVE-2022-37434.
    
    Testing:
     - Ran a native-toolchain build
    
    Change-Id: I14137848ebbe82f42df6a97fd24f5cdba4f65d21
    Reviewed-on: http://gerrit.cloudera.org:8080/19748
    Reviewed-by: Michael Smith <[email protected]>
    Reviewed-by: Wenzhe Zhou <[email protected]>
    Tested-by: Joe McDonnell <[email protected]>
{noformat}

> Upgrade to a version of zlib with fix for CVE-2022-37434
> --------------------------------------------------------
>
>                 Key: IMPALA-12063
>                 URL: https://issues.apache.org/jira/browse/IMPALA-12063
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Backend
>    Affects Versions: Impala 4.3.0
>            Reporter: Joe McDonnell
>            Assignee: Joe McDonnell
>            Priority: Major
>
> Zlib fixed [CVE-2022-37434|https://nvd.nist.gov/vuln/detail/CVE-2022-37434] 
> in version 1.2.13. This impacts inflateGetHeader(), which we do not use, so 
> this is not expected to have any impact on Impala. Moving to the new zlib 
> 1.2.13 avoids any uncertainty about this.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
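As an added example, not code from the Impala project or the native-toolchain commit above: a small check a practitioner can run on a deployed host to confirm that the zlib actually loaded at run time is at or beyond 1.2.13, the release the comment names as carrying the CVE-2022-37434 fix, and that it matches the version the binary was compiled against. Only the `zlib.ZLIB_VERSION` and `zlib.ZLIB_RUNTIME_VERSION` attributes are from the Python standard library; the helper names and the vendor-suffix handling are assumptions made here.

```python
"""Verify the zlib linked into this process carries the CVE-2022-37434 fix.

Added example (not Impala or native-toolchain code). Upstream zlib fixed
CVE-2022-37434 in 1.2.13, as stated in the issue text.
"""
import re
import zlib

# Release in which upstream zlib fixed CVE-2022-37434 (from the issue text).
FIXED_VERSION = (1, 2, 13)


def parse_zlib_version(version: str) -> tuple:
    """Turn a zlib version string into a comparable tuple of ints.

    Vendor builds may append suffixes (assumed form, e.g. '1.2.13.zlib-ng');
    only the leading numeric components are compared, missing ones read as 0.
    """
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised zlib version string: {version!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def has_cve_2022_37434_fix(version: str) -> bool:
    """True if the given zlib version is at or beyond 1.2.13."""
    return parse_zlib_version(version) >= FIXED_VERSION


def check_runtime_zlib() -> dict:
    """Compare compile-time and run-time zlib versions of this interpreter.

    A toolchain bump only helps if the shared library loaded at run time is
    the upgraded one; a mismatch here means the fix may not be in effect.
    """
    compiled = zlib.ZLIB_VERSION
    runtime = zlib.ZLIB_RUNTIME_VERSION
    return {
        "compiled_against": compiled,
        "loaded_at_runtime": runtime,
        "runtime_has_fix": has_cve_2022_37434_fix(runtime),
        "versions_match": parse_zlib_version(compiled) == parse_zlib_version(runtime),
    }


if __name__ == "__main__":
    for key, value in check_runtime_zlib().items():
        print(f"{key}: {value}")
```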
