stackabletech
diff --git a/‎CHANGELOG.md‎
Lines changed: 11 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎druid/stackable/patches/26.0.0/08-CVE-2024-36114-bump-aircompressor-0-27.patch‎
Lines changed: 37 additions & 0 deletions b/‎druid/stackable/patches/26.0.0/08-CVE-2024-36114-bump-aircompressor-0-27.patch‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎druid/stackable/patches/26.0.0/series‎
Lines changed: 1 addition & 0 deletions b/‎druid/stackable/patches/26.0.0/series‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎druid/stackable/patches/28.0.1/01-remove-ranger-security.patch‎
Lines changed: 0 additions & 33 deletions b/‎druid/stackable/patches/28.0.1/01-remove-ranger-security.patch‎
Lines changed: 0 additions & 33 deletions
diff --git a/‎druid/stackable/patches/28.0.1/02-prometheus-emitter-from-source.patch‎
Lines changed: 0 additions & 65 deletions b/‎druid/stackable/patches/28.0.1/02-prometheus-emitter-from-source.patch‎
Lines changed: 0 additions & 65 deletions
diff --git a/‎druid/stackable/patches/28.0.1/03-stop-building-unused-extensions.patch‎
Lines changed: 0 additions & 52 deletions b/‎druid/stackable/patches/28.0.1/03-stop-building-unused-extensions.patch‎
Lines changed: 0 additions & 52 deletions
diff --git a/‎druid/stackable/patches/28.0.1/04-update-patch-dependencies.patch‎
Lines changed: 0 additions & 148 deletions b/‎druid/stackable/patches/28.0.1/04-update-patch-dependencies.patch‎
Lines changed: 0 additions & 148 deletions
@@ -39,6 +39,7 @@ All notable changes to this project will be documented in this file.
 - ubi-rust-builder: Bump Rust toolchain to 1.81.0 ([#902]).
 - ci: Handle release builds in the same build workflows ([#913]).
 - hadoop: Bump to `hdfs-utils` 0.4.0 ([#914]).
+- superset: Fix `CVE-2024-1135` by upgrading `gunicorn` from 21.2.0 to 22.0.0 ([#919]).
 - jmx_exporter: Updated to a custom-built version of 1.0.1 to fix performance regressions ([#920]).
 
 ### Removed
@@ -62,8 +63,13 @@ All notable changes to this project will be documented in this file.
 ### Fixed
 
 - hbase: link to phoenix server jar ([#811]).
+- spark: Fix CVE-2024-36114 in Spark 3.5.1 by upgrading a dependency.
+  Spark 3.5.2 is not affected. ([#921])
 - trino: Correctly report Trino version ([#881]).
+- hive: Fix CVE-2024-36114 in Hive `3.1.3` and `4.0.0` by upgrading a dependency. ([#922]).
 - nifi: Fix CVE-2024-36114 in NiFi `1.27.0` and `2.0.0` by upgrading a dependency. ([#924]).
+- hbase: Fix CVE-2024-36114 in HBase `2.6.0` by upgrading a dependency. ([#925]).
+- druid: Fix CVE-2024-36114 in Druid `26.0.0` and `30.0.0` by upgrading a dependency ([#926]).
 
 [#783]: https://github.com/stackabletech/docker-images/pull/783
 [#797]: https://github.com/stackabletech/docker-images/pull/797
@@ -106,8 +112,13 @@ All notable changes to this project will be documented in this file.
 [#913]: https://github.com/stackabletech/docker-images/pull/913
 [#914]: https://github.com/stackabletech/docker-images/pull/914
 [#917]: https://github.com/stackabletech/docker-images/pull/917
+[#919]: https://github.com/stackabletech/docker-images/pull/919
 [#920]: https://github.com/stackabletech/docker-images/pull/920
+[#921]: https://github.com/stackabletech/docker-images/pull/921
+[#922]: https://github.com/stackabletech/docker-images/pull/922
 [#924]: https://github.com/stackabletech/docker-images/pull/924
+[#925]: https://github.com/stackabletech/docker-images/pull/925
+[#926]: https://github.com/stackabletech/docker-images/pull/926
 
 ## [24.7.0] - 2024-07-24
 
 
@@ -0,0 +1,37 @@
+Fix CVE-2024-36114
+see https://github.com/stackabletech/vulnerabilities/issues/834
+
+Aircompressor is a library with ports of the Snappy, LZO, LZ4, and
+Zstandard compression algorithms to Java. All decompressor
+implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash
+the JVM for certain input, and in some cases also leak the content of
+other memory of the Java process (which could contain sensitive
+information). When decompressing certain data, the decompressors try to
+access memory outside the bounds of the given byte arrays or byte
+buffers. Because Aircompressor uses the JDK class sun.misc.Unsafe to
+speed up memory access, no additional bounds checks are performed and
+this has similar security consequences as out-of-bounds access in C or
+C++, namely it can lead to non-deterministic behavior or crash the JVM.
+Users should update to Aircompressor 0.27 or newer where these issues
+have been fixed. When decompressing data from untrusted users, this can
+be exploited for a denial-of-service attack by crashing the JVM, or to
+leak other sensitive information from the Java process. There are no
+known workarounds for this issue.
+
+diff --git a/pom.xml b/pom.xml
+index c0f06547f8..f1c6e2f9ee 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -258,6 +258,12 @@
+ 
+     <dependencyManagement>
+         <dependencies>
++            <!-- Mitigate CVE-2024-36114: See https://github.com/stackabletech/vulnerabilities/issues/834 -->
++            <dependency>
++                <groupId>io.airlift</groupId>
++                <artifactId>aircompressor</artifactId>
++                <version>0.27</version>
++            </dependency>
+             <!-- Compile Scope -->
+             <dependency>
+                 <groupId>commons-codec</groupId>
@@ -6,3 +6,4 @@
 05-xmllayout-dependencies.patch
 06-dont-build-targz.patch
 07-cyclonedx-plugin.patch
+08-CVE-2024-36114-bump-aircompressor-0-27.patch