From c46a676d2e7bf0d638ead21fd55fedc13142c11d Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Mon, 11 Nov 2024 09:36:55 +0100 Subject: [PATCH 1/5] fix (druid): CVE-2024-36114 --- CHANGELOG.md | 2 + ...E-2024-36114-bump-aircompressor-0-27.patch | 37 +++++ druid/stackable/patches/26.0.0/series | 1 + .../28.0.1/01-remove-ranger-security.patch | 33 ---- .../02-prometheus-emitter-from-source.patch | 65 -------- .../03-stop-building-unused-extensions.patch | 52 ------ .../28.0.1/04-update-patch-dependencies.patch | 148 ------------------ .../28.0.1/05-xmllayout-dependencies.patch | 27 ---- .../patches/28.0.1/06-dont-build-targz.patch | 23 --- .../patches/28.0.1/07-cyclonedx-plugin.patch | 17 -- druid/stackable/patches/28.0.1/series | 8 - ...E-2024-36114-bump-aircompressor-0-27.patch | 37 +++++ druid/stackable/patches/30.0.0/series | 1 + 13 files changed, 78 insertions(+), 373 deletions(-) create mode 100644 druid/stackable/patches/26.0.0/08-CVE-2024-36114-bump-aircompressor-0-27.patch delete mode 100644 druid/stackable/patches/28.0.1/01-remove-ranger-security.patch delete mode 100644 druid/stackable/patches/28.0.1/02-prometheus-emitter-from-source.patch delete mode 100644 druid/stackable/patches/28.0.1/03-stop-building-unused-extensions.patch delete mode 100644 druid/stackable/patches/28.0.1/04-update-patch-dependencies.patch delete mode 100644 druid/stackable/patches/28.0.1/05-xmllayout-dependencies.patch delete mode 100644 druid/stackable/patches/28.0.1/06-dont-build-targz.patch delete mode 100644 druid/stackable/patches/28.0.1/07-cyclonedx-plugin.patch delete mode 100644 druid/stackable/patches/28.0.1/series create mode 100644 druid/stackable/patches/30.0.0/08-CVE-2024-36114-bump-aircompressor-0-27.patch diff --git a/CHANGELOG.md b/CHANGELOG.md index 7c8ed5a83..2094984a3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -63,6 +63,7 @@ All notable changes to this project will be documented in this file. - hbase: link to phoenix server jar ([#811]). - trino: Correctly report Trino version ([#881]). +- druid: Fix CVE-2024-36114 in Hive `1.27.0` and `2.0.0` by upgrading a dependency. ([#xxx]). [#783]: https://github.com/stackabletech/docker-images/pull/783 [#797]: https://github.com/stackabletech/docker-images/pull/797 @@ -106,6 +107,7 @@ All notable changes to this project will be documented in this file. [#914]: https://github.com/stackabletech/docker-images/pull/914 [#917]: https://github.com/stackabletech/docker-images/pull/917 [#920]: https://github.com/stackabletech/docker-images/pull/920 +[#xxx]: https://github.com/stackabletech/docker-images/pull/xxx ## [24.7.0] - 2024-07-24 diff --git a/druid/stackable/patches/26.0.0/08-CVE-2024-36114-bump-aircompressor-0-27.patch b/druid/stackable/patches/26.0.0/08-CVE-2024-36114-bump-aircompressor-0-27.patch new file mode 100644 index 000000000..b5fb91b5f --- /dev/null +++ b/druid/stackable/patches/26.0.0/08-CVE-2024-36114-bump-aircompressor-0-27.patch 
@@ -0,0 +1,37 @@ +Fix CVE-2024-36114 +see https://github.com/stackabletech/vulnerabilities/issues/834 + +Aircompressor is a library with ports of the Snappy, LZO, LZ4, and +Zstandard compression algorithms to Java. All decompressor +implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash +the JVM for certain input, and in some cases also leak the content of +other memory of the Java process (which could contain sensitive +information). When decompressing certain data, the decompressors try to +access memory outside the bounds of the given byte arrays or byte +buffers. Because Aircompressor uses the JDK class sun.misc.Unsafe to +speed up memory access, no additional bounds checks are performed and +this has similar security consequences as out-of-bounds access in C or +C++, namely it can lead to non-deterministic behavior or crash the JVM. +Users should update to Aircompressor 0.27 or newer where these issues +have been fixed. When decompressing data from untrusted users, this can +be exploited for a denial-of-service attack by crashing the JVM, or to +leak other sensitive information from the Java process. There are no +known workarounds for this issue. + +diff --git a/pom.xml b/pom.xml +index c0f06547f8..f1c6e2f9ee 100644 +--- a/pom.xml ++++ b/pom.xml +@@ -258,6 +258,12 @@ + + + ++ ++ ++ io.airlift ++ aircompressor ++ 0.27 ++ + + + commons-codec diff --git a/druid/stackable/patches/26.0.0/series b/druid/stackable/patches/26.0.0/series index c4ca7f2f1..cc7008e05 100644 --- a/druid/stackable/patches/26.0.0/series +++ b/druid/stackable/patches/26.0.0/series @@ -6,3 +6,4 @@ 05-xmllayout-dependencies.patch 06-dont-build-targz.patch 07-cyclonedx-plugin.patch +08-CVE-2024-36114-bump-aircompressor-0-27.patch diff --git a/druid/stackable/patches/28.0.1/01-remove-ranger-security.patch b/druid/stackable/patches/28.0.1/01-remove-ranger-security.patch deleted file mode 100644 index dfb8084d2..000000000 
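Review bot: The new `io.airlift:aircompressor:0.27` entry adds no direct dependency, so it only neutralises the vulnerable copies reaching the image if it sits under the root pom's `dependencyManagement` section, where a managed version overrides whatever ORC/Parquet (bumped in patch 04 of this series) pull in transitively; the XML element names are stripped from this listing, so that placement cannot be confirmed here and should be checked in the applied tree. If Druid 26.0.0's root pom already manages aircompressor elsewhere, Maven only warns about the duplicate and keeps the last entry, so grep the pom for `aircompressor` before relying on this pin. Since the change is an override rather than a declared dependency, I would add a verification hint to the patch header so the next person can re-check it, e.g. `Verify: find distribution/target -name 'aircompressor-*.jar' must list only 0.27`. Separately, this commit deletes the whole 28.0.1 patch series without mention in the subject or changelog; if 28.0.1 is still listed as a buildable Druid version elsewhere in the repo, that build will now fail.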
--- a/druid/stackable/patches/28.0.1/01-remove-ranger-security.patch +++ /dev/null @@ -1,33 +0,0 @@ -Removes all traces of the druid ranger extension - -From: Lars Francke - - ---- - 0 files changed - -diff --git a/distribution/pom.xml b/distribution/pom.xml -index ecc00a9155..67ebecc482 100644 ---- a/distribution/pom.xml -+++ b/distribution/pom.xml -@@ -252,8 +252,6 @@ - -c - org.apache.druid.extensions:druid-pac4j - -c -- org.apache.druid.extensions:druid-ranger-security -- -c - org.apache.druid.extensions:druid-kubernetes-extensions - -c - org.apache.druid.extensions:druid-catalog -diff --git a/pom.xml b/pom.xml -index 9d22ef4375..2468145dd0 100644 ---- a/pom.xml -+++ b/pom.xml -@@ -195,7 +195,6 @@ - extensions-core/simple-client-sslcontext - extensions-core/druid-basic-security - extensions-core/google-extensions -- extensions-core/druid-ranger-security - extensions-core/druid-catalog - extensions-core/testing-tools - diff --git a/druid/stackable/patches/28.0.1/02-prometheus-emitter-from-source.patch b/druid/stackable/patches/28.0.1/02-prometheus-emitter-from-source.patch deleted file mode 100644 index fe1a0104c..000000000 --- a/druid/stackable/patches/28.0.1/02-prometheus-emitter-from-source.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -Include Prometheus emitter in distribution - -From: Lars Francke - - ---- - 0 files changed - -diff --git a/distribution/pom.xml b/distribution/pom.xml -index 67ebecc482..7ac840c2b4 100644 ---- a/distribution/pom.xml -+++ b/distribution/pom.xml -@@ -456,6 +456,52 @@ - - - -+ -+ stackable-bundle-contrib-exts -+ -+ true -+ -+ -+ -+ -+ org.codehaus.mojo -+ exec-maven-plugin -+ -+ -+ pull-deps-contrib-exts -+ package -+ -+ exec -+ -+ -+ ${project.parent.basedir}/examples/bin/run-java -+ -+ -classpath -+ -+ -Ddruid.extensions.loadList=[] -+ -Ddruid.extensions.directory=${project.build.directory}/extensions -+ -+ -+ -Ddruid.extensions.hadoopDependenciesDir=${project.build.directory}/hadoop-dependencies -+ -+ org.apache.druid.cli.Main -+ tools -+ pull-deps -+ --defaultVersion -+ ${project.parent.version} -+ -l -+ ${settings.localRepository} -+ --no-default-hadoop -+ -c -+ org.apache.druid.extensions.contrib:prometheus-emitter -+ -+ -+ -+ -+ -+ -+ -+ - - integration-test - diff --git a/druid/stackable/patches/28.0.1/03-stop-building-unused-extensions.patch b/druid/stackable/patches/28.0.1/03-stop-building-unused-extensions.patch deleted file mode 100644 index 2601fcae0..000000000 --- a/druid/stackable/patches/28.0.1/03-stop-building-unused-extensions.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -Stop building unused extensions. - -From: Lars Francke - -By default Druid builds all community extensions and then discards them -while assembling the final distribution. This patch removes unused -extensions from the build. ---- - 0 files changed - -diff --git a/pom.xml b/pom.xml -index 2468145dd0..72db785eea 100644 ---- a/pom.xml -+++ b/pom.xml -@@ -197,35 +197,10 @@ - extensions-core/google-extensions - extensions-core/druid-catalog - extensions-core/testing-tools -+ - -- extensions-contrib/compressed-bigdecimal -- extensions-contrib/influx-extensions -- extensions-contrib/cassandra-storage -- extensions-contrib/dropwizard-emitter -- extensions-contrib/cloudfiles-extensions -- extensions-contrib/graphite-emitter -- extensions-contrib/distinctcount -- extensions-contrib/statsd-emitter -- extensions-contrib/time-min-max -- extensions-contrib/virtual-columns -- extensions-contrib/thrift-extensions -- extensions-contrib/ambari-metrics-emitter -- extensions-contrib/sqlserver-metadata-storage -- extensions-contrib/kafka-emitter -- extensions-contrib/redis-cache -- extensions-contrib/opentsdb-emitter -- extensions-contrib/materialized-view-maintenance -- extensions-contrib/materialized-view-selection -- extensions-contrib/momentsketch -- extensions-contrib/moving-average-query -- extensions-contrib/tdigestsketch -- extensions-contrib/influxdb-emitter -- extensions-contrib/gce-extensions -- extensions-contrib/aliyun-oss-extensions - extensions-contrib/prometheus-emitter -- extensions-contrib/opentelemetry-emitter -- extensions-contrib/kubernetes-overlord-extensions -- extensions-contrib/druid-iceberg-extensions -+ - - distribution - diff --git a/druid/stackable/patches/28.0.1/04-update-patch-dependencies.patch b/druid/stackable/patches/28.0.1/04-update-patch-dependencies.patch deleted file mode 100644 index 05496632a..000000000 --- a/druid/stackable/patches/28.0.1/04-update-patch-dependencies.patch +++ /dev/null 
@@ -1,148 +0,0 @@ -Updates all dependencies that have a new patch release available. - -From: Lars Francke - - ---- - 0 files changed - -diff --git a/extensions-core/avro-extensions/pom.xml b/extensions-core/avro-extensions/pom.xml -index eeb40f0f47..67a5eb80c0 100644 ---- a/extensions-core/avro-extensions/pom.xml -+++ b/extensions-core/avro-extensions/pom.xml -@@ -35,7 +35,7 @@ - - - 0.1.3 -- 5.5.12 -+ 5.5.15 - - - -diff --git a/extensions-core/orc-extensions/pom.xml b/extensions-core/orc-extensions/pom.xml -index b92a0123e5..6a7555062b 100644 ---- a/extensions-core/orc-extensions/pom.xml -+++ b/extensions-core/orc-extensions/pom.xml -@@ -31,7 +31,7 @@ - - 4.0.0 - -- 1.7.6 -+ 1.7.10 - - - -diff --git a/extensions-core/parquet-extensions/pom.xml b/extensions-core/parquet-extensions/pom.xml -index 73bddc32de..fd9f1297d8 100644 ---- a/extensions-core/parquet-extensions/pom.xml -+++ b/extensions-core/parquet-extensions/pom.xml -@@ -201,7 +201,7 @@ - - - -- 1.13.0 -+ 1.13.1 - - - -diff --git a/extensions-core/protobuf-extensions/pom.xml b/extensions-core/protobuf-extensions/pom.xml -index cc39430b96..9a2725c8f3 100644 ---- a/extensions-core/protobuf-extensions/pom.xml -+++ b/extensions-core/protobuf-extensions/pom.xml -@@ -35,7 +35,7 @@ - - - -- 6.0.1 -+ 6.0.15 - 2.11.0 - - -diff --git a/pom.xml b/pom.xml -index 72db785eea..84dd92eb06 100644 ---- a/pom.xml -+++ b/pom.xml -@@ -74,38 +74,38 @@ - 1.8 - 8 - UTF-8 -- 0.9.0.M2 -+ 0.9.1.v20140329 - 5.5.0 - 3.5.1 - 2.0.0 - 2.2.4 - 2.13.11 - 1.23.0 -- 1.11.1 -+ 1.11.3 - - 1.35.0 - 4.2.0 -- 2.2.0 -+ 2.2.1 - 10.14.2.0 -- 4.2.19 -+ 4.2.26 - 2.20.0 - 8.5.4 - 31.1-jre - 4.1.0 - 1.3 -- 9.4.53.v20231009 -+ 9.4.54.v20240208 - 1.19.4 -- 2.12.7 -+ 2.12.7.20240502 - 1.9.13 - 2.18.0 - 5.1.49 - 2.7.3 - 3.10.6.Final -- 4.1.100.Final -- 42.6.0 -- 3.24.0 -+ 4.1.111.Final -+ 42.6.2 -+ 3.24.4 - 1.3.1 - 1.7.36 - 5.13.0 -@@ -116,17 +116,17 @@ - however it is required in some cases when running against mockito 4.x (mockito 4.x is required for Java 
<11. - We use the following property to pick the proper artifact based on Java version (see pre-java-11 profile) --> - core -- 1.12.497 -- 2.8.0 -- 0.8.7 -+ 1.12.754 -+ 2.8.8 -+ 0.8.12 - 6.2.5.Final -- 4.5.13 -+ 4.5.14 - - 3.5.10 - 2.5.7 - 2.2.0 - 1.42.3 -- v1-rev20230606-2.0.0 -+ v1-rev20240618-2.0.0 - v1-rev20230301-2.0.0 - - -diff --git a/processing/pom.xml b/processing/pom.xml -index 3401a248f5..609aac274c 100644 ---- a/processing/pom.xml -+++ b/processing/pom.xml -@@ -37,7 +37,7 @@ - 1.6.5 - ${sigar.base.version}.132 - 5.3.4 -- 6.4.4 -+ 6.4.13 - - - diff --git a/druid/stackable/patches/28.0.1/05-xmllayout-dependencies.patch b/druid/stackable/patches/28.0.1/05-xmllayout-dependencies.patch deleted file mode 100644 index ad64ee36f..000000000 --- a/druid/stackable/patches/28.0.1/05-xmllayout-dependencies.patch +++ /dev/null @@ -1,27 +0,0 @@ -Include jackson-dataformat-xml dependency. - -From: Lars Francke - -This allows us to use XmlLayout for Log4jV2. -By including it here as a dependency we can make sure that we always have -the matching version and we don't need to include it manually later in the -build. ---- - 0 files changed - -diff --git a/server/pom.xml b/server/pom.xml -index 6154ecfa4c..570059c4e8 100644 ---- a/server/pom.xml -+++ b/server/pom.xml -@@ -195,6 +195,11 @@ - org.apache.logging.log4j - log4j-core - -+ -+ -+ com.fasterxml.jackson.dataformat -+ jackson-dataformat-xml -+ - - com.fasterxml.jackson.datatype - jackson-datatype-joda diff --git a/druid/stackable/patches/28.0.1/06-dont-build-targz.patch b/druid/stackable/patches/28.0.1/06-dont-build-targz.patch deleted file mode 100644 index 1bed79fd1..000000000 --- a/druid/stackable/patches/28.0.1/06-dont-build-targz.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -Stop building the tar.gz distribution. - -From: Lars Francke - -All we do is build Druid tar and gzip it only to immediately uncompress it -again. So, instead we just skip the compression step entirely. ---- - distribution/src/assembly/assembly.xml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/distribution/src/assembly/assembly.xml b/distribution/src/assembly/assembly.xml -index ff8e0d2fdd..f9daa49e21 100644 ---- a/distribution/src/assembly/assembly.xml -+++ b/distribution/src/assembly/assembly.xml -@@ -23,7 +23,7 @@ - xsi:schemaLocation="http://maven.apache.org/ASSEMBLY/2.0.0 http://maven.apache.org/xsd/assembly-2.0.0.xsd"> - bin - -- tar.gz -+ dir - - - diff --git a/druid/stackable/patches/28.0.1/07-cyclonedx-plugin.patch b/druid/stackable/patches/28.0.1/07-cyclonedx-plugin.patch deleted file mode 100644 index 33ce3cf92..000000000 --- a/druid/stackable/patches/28.0.1/07-cyclonedx-plugin.patch +++ /dev/null @@ -1,17 +0,0 @@ -diff --git a/pom.xml b/pom.xml -index ff6ee97..8c99ed3 100644 ---- a/pom.xml -+++ b/pom.xml -@@ -1646,7 +1646,11 @@ - - org.cyclonedx - cyclonedx-maven-plugin -- 2.7.9 -+ 2.8.0 -+ -+ application -+ 1.5 -+ - - - package diff --git a/druid/stackable/patches/28.0.1/series b/druid/stackable/patches/28.0.1/series deleted file mode 100644 index 55d55e5c3..000000000 --- a/druid/stackable/patches/28.0.1/series +++ /dev/null @@ -1,8 +0,0 @@ -# This series applies on Git commit b8201e31aa6b124049a61764309145baaad78db7 -01-remove-ranger-security.patch -02-prometheus-emitter-from-source.patch -03-stop-building-unused-extensions.patch -04-update-patch-dependencies.patch -05-xmllayout-dependencies.patch -06-dont-build-targz.patch -07-cyclonedx-plugin.patch diff --git a/druid/stackable/patches/30.0.0/08-CVE-2024-36114-bump-aircompressor-0-27.patch b/druid/stackable/patches/30.0.0/08-CVE-2024-36114-bump-aircompressor-0-27.patch new file mode 100644 index 000000000..04999a574 --- /dev/null 
+++ b/druid/stackable/patches/30.0.0/08-CVE-2024-36114-bump-aircompressor-0-27.patch @@ -0,0 +1,37 @@ +Fix CVE-2024-36114 +see https://github.com/stackabletech/vulnerabilities/issues/834 + +Aircompressor is a library with ports of the Snappy, LZO, LZ4, and +Zstandard compression algorithms to Java. All decompressor +implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash +the JVM for certain input, and in some cases also leak the content of +other memory of the Java process (which could contain sensitive +information). When decompressing certain data, the decompressors try to +access memory outside the bounds of the given byte arrays or byte +buffers. Because Aircompressor uses the JDK class sun.misc.Unsafe to +speed up memory access, no additional bounds checks are performed and +this has similar security consequences as out-of-bounds access in C or +C++, namely it can lead to non-deterministic behavior or crash the JVM. +Users should update to Aircompressor 0.27 or newer where these issues +have been fixed. When decompressing data from untrusted users, this can +be exploited for a denial-of-service attack by crashing the JVM, or to +leak other sensitive information from the Java process. There are no +known workarounds for this issue. + +diff --git a/pom.xml b/pom.xml +index 9051ed24c5..e839295b61 100644 +--- a/pom.xml ++++ b/pom.xml +@@ -283,6 +283,12 @@ + + + ++ ++ ++ io.airlift ++ aircompressor ++ 0.27 ++ + + + commons-codec diff --git a/druid/stackable/patches/30.0.0/series b/druid/stackable/patches/30.0.0/series index 61ae73e6e..0dc0d4cac 100644 --- a/druid/stackable/patches/30.0.0/series +++ b/druid/stackable/patches/30.0.0/series @@ -6,3 +6,4 @@ 05-xmllayout-dependencies.patch 06-dont-build-targz.patch 07-cyclonedx-plugin.patch +08-CVE-2024-36114-bump-aircompressor-0-27.patch From e26a29bdeed299ce7c65942716b449a8eced78be Mon Sep 17 00:00:00 2001 
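Review bot: The header of this patch describes the CVE but not how the pin takes effect or how to prove that it did, which matters because a `dependencyManagement` override is inert if no module in Druid 30.0.0 actually pulls aircompressor transitively, and the extension fetched by `pull-deps` from the local repository (patch 02 of this series) presumably resolves against the installed poms rather than the reactor, so an older jar could still land under `extensions/`. I would append two lines to the description: `Takes effect through dependencyManagement only; verify in the CycloneDX SBOM produced by the build (patch 07) and with find … -name 'aircompressor-*.jar' that 0.27 is the sole version present.` The ORC and Parquet extension test suites should also run on the patched tree, since those codecs bind to aircompressor's decompressor API and a multi-release jump can surface binary incompatibilities that a clean compile does not.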
From: Malte Sander Date: Mon, 11 Nov 2024 09:39:20 +0100 Subject: [PATCH 2/5] adapt changelog --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2094984a3..eb8f8f217 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -63,7 +63,7 @@ All notable changes to this project will be documented in this file. - hbase: link to phoenix server jar ([#811]). - trino: Correctly report Trino version ([#881]). -- druid: Fix CVE-2024-36114 in Hive `1.27.0` and `2.0.0` by upgrading a dependency. ([#xxx]). +- druid: Fix CVE-2024-36114 in Hive `1.27.0` and `2.0.0` by upgrading a dependency. ([#926]). [#783]: https://github.com/stackabletech/docker-images/pull/783 [#797]: https://github.com/stackabletech/docker-images/pull/797 @@ -107,7 +107,7 @@ All notable changes to this project will be documented in this file. [#914]: https://github.com/stackabletech/docker-images/pull/914 [#917]: https://github.com/stackabletech/docker-images/pull/917 [#920]: https://github.com/stackabletech/docker-images/pull/920 -[#xxx]: https://github.com/stackabletech/docker-images/pull/xxx +[#926]: https://github.com/stackabletech/docker-images/pull/926 ## [24.7.0] - 2024-07-24 From c02075954415a04b8ce25ba7ebb500868161a205 Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Mon, 11 Nov 2024 09:40:09 +0100 Subject: [PATCH 3/5] fix changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index eb8f8f217..b83f09c2b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -63,7 +63,7 @@ All notable changes to this project will be documented in this file. - hbase: link to phoenix server jar ([#811]). - trino: Correctly report Trino version ([#881]). -- druid: Fix CVE-2024-36114 in Hive `1.27.0` and `2.0.0` by upgrading a dependency. ([#926]). +- druid: Fix CVE-2024-36114 in Hive `26.0.0` and `30.0.0` by upgrading a dependency. ([#926]). [#783]: https://github.com/stackabletech/docker-images/pull/783 [#797]: https://github.com/stackabletech/docker-images/pull/797 From b9ee0cb5da8066c308eefe0f653a25edb0b521dd Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Mon, 11 Nov 2024 09:40:24 +0100 Subject: [PATCH 4/5] fix changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b83f09c2b..650e49c4a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -63,7 +63,7 @@ All notable changes to this project will be documented in this file. - hbase: link to phoenix server jar ([#811]). - trino: Correctly report Trino version ([#881]). -- druid: Fix CVE-2024-36114 in Hive `26.0.0` and `30.0.0` by upgrading a dependency. ([#926]). +- druid: Fix CVE-2024-36114 `26.0.0` and `30.0.0` by upgrading a dependency. ([#926]). [#783]: https://github.com/stackabletech/docker-images/pull/783 [#797]: https://github.com/stackabletech/docker-images/pull/797 From a54aaa743d7037a808321bd3d6206b3393de9c89 Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Tue, 12 Nov 2024 10:59:05 +0100 Subject: [PATCH 5/5] Update CHANGELOG.md Co-authored-by: Siegfried Weber --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 650e49c4a..36e01d40f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -63,7 +63,7 @@ All notable changes to this project will be documented in this file. - hbase: link to phoenix server jar ([#811]). - trino: Correctly report Trino version ([#881]). -- druid: Fix CVE-2024-36114 `26.0.0` and `30.0.0` by upgrading a dependency. ([#926]). +- druid: Fix CVE-2024-36114 in Druid `26.0.0` and `30.0.0` by upgrading a dependency ([#926]). [#783]: https://github.com/stackabletech/docker-images/pull/783 [#797]: https://github.com/stackabletech/docker-images/pull/797