druid/stackable/patches/30.0.0 Expand file tree Collapse file tree 1 file changed +4
-24
lines changed Original file line number Diff line number Diff line change @@ -2,21 +2,15 @@ Include Prometheus emitter in distribution
22
33From: Lars Francke <
[email protected] >
44
5- Update 2024-11-14: fix CVE-2023-34455
65
7- See: https://github.com/stackabletech/vulnerabilities/issues/558
8-
9- The Prometheus installation brings in a set of redundand dependendencies including the vulnerable
10- snappy-java library. Updated versions of this libary are already present in the classpath.
11- Therefore, we explicitely remove the affected jars as it it is recommended by the Druid authors here:
12-
13- https://github.com/apache/druid/blob/09d36ee324747f1407705c27618b6d415c3fa8a9/services/src/main/java/org/apache/druid/cli/PullDependencies.java#L90
6+ ---
7+ 0 files changed
148
159diff --git a/distribution/pom.xml b/distribution/pom.xml
16- index e27329e96d..ea79123ab3 100644
10+ index d7cd645767..eda1ddcfab 100644
1711--- a/distribution/pom.xml
1812+++ b/distribution/pom.xml
19- @@ -464,6 +464,66 @@
13+ @@ -464,6 +464,52 @@
2014 </plugins>
2115 </build>
2216 </profile>
@@ -61,20 +55,6 @@ index e27329e96d..ea79123ab3 100644
6155+ </arguments>
6256+ </configuration>
6357+ </execution>
64- + <execution>
65- + <id>fix-cve-2023-34455-remove-snappy</id>
66- + <phase>package</phase>
67- + <goals>
68- + <goal>exec</goal>
69- + </goals>
70- + <configuration>
71- + <executable>rm</executable>
72- + <arguments>
73- + <argument>${project.build.directory}/hadoop-dependencies/hadoop-client-api/3.3.6/snappy-java-1.1.8.2.jar</argument>
74- + <argument>${project.build.directory}/hadoop-dependencies/hadoop-client-runtime/3.3.6/snappy-java-1.1.8.2.jar</argument>
75- + </arguments>
76- + </configuration>
77- + </execution>
7858+ </executions>
7959+ </plugin>
8060+ </plugins>
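Review bot: Removing the `fix-cve-2023-34455-remove-snappy` execution in the second hunk leaves nothing visible on this page that keeps `snappy-java-1.1.8.2.jar` out of `hadoop-dependencies/hadoop-client-api/3.3.6` and `hadoop-dependencies/hadoop-client-runtime/3.3.6`. The deleted description said the Prometheus emitter installation brings that jar in, so unless the dependency set has changed, the packaged distribution would presumably ship it again. If the mitigation now lives in another patch or build step, the patch header should say so instead of only `---` and `0 files changed`, for example `CVE-2023-34455 (snappy-java) is handled in <other patch or build step>`. Otherwise the built distribution should be checked for the 1.1.8.2 jar, ideally with a build-time check that fails when a `snappy-java-1.1.8.2.jar` is found under `hadoop-dependencies`.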