druid/stackable/patches/30.0.0
1+ Fix CVE-2023-34455
2+ see https://github.com/stackabletech/vulnerabilities/issues/558
3+
4+ At the end of build process, Druid downloads dependencies directly from a remote
5+ Maven repository ignoring existing patches that have been applyed locally.
6+ These dependencies include all transitive dependencies too.
7+ The hadoop client depends on a vulnerable version of the snappy library which
8+ is then also downloaded even though a newer version is already on the system.
9+
10+ This patch removes the vulnerable jars.
11+
12+ diff --git a/distribution/pom.xml b/distribution/pom.xml
13+ index d5918710ef..bba99d078c 100644
14+ --- a/distribution/pom.xml
15+ +++ b/distribution/pom.xml
16+ @@ -594,6 +594,21 @@
17+ </arguments>
18+ </configuration>
19+ </execution>
20+ + </execution>
21+ + + <execution>
22+ + + <id>fix-cve-2023-34455-remove-snappy</id>
23+ + + <phase>package</phase>
24+ + + <goals>
25+ + + <goal>exec</goal>
26+ + + </goals>
27+ + + <configuration>
28+ + + <executable>rm</executable>
29+ + + <arguments>
30+ + + <argument>${project.build.directory}/hadoop-dependencies/hadoop-client-api/3.3.6/snappy-java-1.1.8.2.jar</argument>
31+ + + <argument>${project.build.directory}/hadoop-dependencies/hadoop-client-runtime/3.3.6/snappy-java-1.1.8.2.jar</argument>
32+ + + </arguments>
33+ + + </configuration>
34+ + + </execution>
35+ </executions>
36+ </plugin>
37+ <plugin>
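Review bot: the two `<argument>` paths hard-code both the Hadoop version (`3.3.6`) and the snappy jar name (`snappy-java-1.1.8.2.jar`), and `rm` is run without `-f`, so the next Hadoop or snappy bump in the upstream pom will make this execution fail the `package` phase with a missing-file error rather than silently leave a vulnerable jar in place. That is defensible as a tripwire, but it should be stated in the patch description (or the path derived from the pom's Hadoop version property, if one is defined) so that the next maintainer knows the failure is expected and re-checks whether the removal is still needed. Two smaller points: as rendered, line 20 of the patch adds a bare `</execution>` immediately after the context `</execution>` on line 19, which would leave the pom ill-formed unless it is a display artifact, so please confirm the patch applies cleanly and the pom still parses; and the description says a newer snappy version is already on the system but does not say where the `hadoop-client-api`/`hadoop-client-runtime` classpath picks it up from once the jar is deleted from `hadoop-dependencies/`, which is worth one sentence so that a class-loading failure in Hadoop-based ingestion is not mistaken for an unrelated bug. Also, `applyed` in the description should be `applied`.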