From 0a3f0f09916e5f4951c6243dc767a1ed4f171221 Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Wed, 13 Nov 2024 15:43:01 +0100
Subject: [PATCH 1/2] fix(hbase): CVE-34455
---
...CVE-2023-34455-update-snappy-version.patch | 97 +++++++++++++++++++
hbase/stackable/patches/phoenix/5.2.0/series | 1 +
2 files changed, 98 insertions(+)
create mode 100644 hbase/stackable/patches/phoenix/5.2.0/02-CVE-2023-34455-update-snappy-version.patch
diff --git a/hbase/stackable/patches/phoenix/5.2.0/02-CVE-2023-34455-update-snappy-version.patch b/hbase/stackable/patches/phoenix/5.2.0/02-CVE-2023-34455-update-snappy-version.patch
new file mode 100644
index 000000000..6b89037c8
--- /dev/null
+++ b/hbase/stackable/patches/phoenix/5.2.0/02-CVE-2023-34455-update-snappy-version.patch
@@ -0,0 +1,97 @@
+Fix CVE-2023-34455
+
+See https://github.com/stackabletech/vulnerabilities/issues/558
+
+diff --git a/phoenix-core-client/pom.xml b/phoenix-core-client/pom.xml
+index f711b0f6f..3cfbffef9 100644
+--- a/phoenix-core-client/pom.xml
++++ b/phoenix-core-client/pom.xml
+@@ -230,6 +230,12 @@
+ org.apache.hadoop
+ hadoop-auth
+
++
++
++ org.xerial.snappy
++ snappy-java
++ 1.1.10.4
++
+
+
+
+diff --git a/phoenix-core-server/pom.xml b/phoenix-core-server/pom.xml
+index d5032ece2..e47fb0837 100644
+--- a/phoenix-core-server/pom.xml
++++ b/phoenix-core-server/pom.xml
+@@ -59,6 +59,12 @@
+ org.apache.hadoop
+ hadoop-mapreduce-client-core
+
++
++
++ org.xerial.snappy
++ snappy-java
++ 1.1.10.4
++
+
+
+
+@@ -192,4 +198,4 @@
+
+
+
+-
+\ No newline at end of file
++
+diff --git a/phoenix-pherf/pom.xml b/phoenix-pherf/pom.xml
+index c03fff9a1..cdcce2f98 100644
+--- a/phoenix-pherf/pom.xml
++++ b/phoenix-pherf/pom.xml
+@@ -159,6 +159,12 @@
+ org.apache.hbase
+ hbase-server
+
++
++
++ org.xerial.snappy
++ snappy-java
++ 1.1.10.4
++
+
+
+
+diff --git a/phoenix-tracing-webapp/pom.xml b/phoenix-tracing-webapp/pom.xml
+index d2d1549ef..c8054159e 100755
+--- a/phoenix-tracing-webapp/pom.xml
++++ b/phoenix-tracing-webapp/pom.xml
+@@ -89,6 +89,12 @@
+ org.apache.hbase
+ hbase-common
+
++
++
++ org.xerial.snappy
++ snappy-java
++ 1.1.10.4
++
+
+
+
+diff --git a/pom.xml b/pom.xml
+index 4abcb5a28..21dcf71ad 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -850,6 +850,13 @@
+
+
+
++
++
++ org.xerial.snappy
++ snappy-java
++ 1.1.10.4
++
++
+
+ org.apache.hadoop
+ hadoop-common
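Review bot: The snappy-java version `1.1.10.4` is hard-coded four times in the module poms (phoenix-core-client, phoenix-core-server, phoenix-pherf, phoenix-tracing-webapp) on top of the root pom entry; if the root entry sits in `<dependencyManagement>` (the element tags are lost in this rendering, so I cannot confirm), the per-module `<version>` lines are redundant and will drift on the next bump — drop them, or point all five at a single `${snappy.version}` property. It is also worth verifying that the override reaches every artifact: a `dependencyManagement` entry pins the transitive version for all modules, but a direct dependency added to only four modules does not, so run `mvn dependency:tree -Dincludes=org.xerial.snappy` on the full build (including the shaded client/server jars) and confirm no module still resolves an older snappy-java. While the version is being chosen, as far as I recall 1.1.10.5 addressed a further SnappyInputStream allocation issue (CVE-2023-43642) and had been released before this patch, so pinning the latest 1.1.10.x would close that as well — check the upstream advisory before settling on `1.1.10.4`. The commit subject reads `CVE-34455` and should be `CVE-2023-34455` to match the patch file name and the changelog entry.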
diff --git a/hbase/stackable/patches/phoenix/5.2.0/series b/hbase/stackable/patches/phoenix/5.2.0/series
index 93ff84ea3..d6d838f2b 100644
--- a/hbase/stackable/patches/phoenix/5.2.0/series
+++ b/hbase/stackable/patches/phoenix/5.2.0/series
@@ -1 +1,2 @@
01-cyclonedx-plugin.patch
+02-CVE-2023-34455-update-snappy-version.patch
From c1877bc63e079503ca93731a82f1f01ad2003c4c Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Wed, 13 Nov 2024 15:44:55 +0100
Subject: [PATCH 2/2] update changelog
---
CHANGELOG.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a474c0f58..3c4e95ee0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -70,6 +70,7 @@ All notable changes to this project will be documented in this file.
- nifi: Fix CVE-2024-36114 in NiFi `1.27.0` and `2.0.0` by upgrading a dependency. ([#924]).
- hbase: Fix CVE-2024-36114 in HBase `2.6.0` by upgrading a dependency. ([#925]).
- druid: Fix CVE-2024-36114 in Druid `26.0.0` and `30.0.0` by upgrading a dependency ([#926]).
+- hbase: Fix CVE-2023-34455 in HBase `2.4.18` by upgrading a dependency. ([#934]).
[#783]: https://github.com/stackabletech/docker-images/pull/783
[#797]: https://github.com/stackabletech/docker-images/pull/797
@@ -119,6 +120,7 @@ All notable changes to this project will be documented in this file.
[#924]: https://github.com/stackabletech/docker-images/pull/924
[#925]: https://github.com/stackabletech/docker-images/pull/925
[#926]: https://github.com/stackabletech/docker-images/pull/926
+[#934]: https://github.com/stackabletech/docker-images/pull/934
## [24.7.0] - 2024-07-24