
HIVE-28245. Upgrade Spring to 5.3.27 due to CVE.

Open slfan1989 opened this issue 1 year ago • 4 comments

What changes were proposed in this pull request?

JIRA: HIVE-28245. Upgrade Spring to 5.3.27 due to CVE.

I found that there are 2 CVE issues in the current Spring version, CVE-2023-20863 and CVE-2023-20861; we can upgrade the Spring version to 5.3.27 to solve this issue.

CVE-2023-20861

CVE-2023-20863

Why are the changes needed?

We need to upgrade to resolve the CVE issues.

Does this PR introduce any user-facing change?

No.

Is the change a dependency upgrade?

No.

How was this patch tested?

Compiled locally.

slfan1989 avatar May 05 '24 05:05 slfan1989

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

sonarqubecloud[bot] avatar May 05 '24 06:05 sonarqubecloud[bot]

Thanks for the PR @slfan1989. As this is a dependency upgrade, can you change the description and, based on HIVE-27419, attach the dependency tree to the PR?

Aggarwal-Raghav avatar May 06 '24 14:05 Aggarwal-Raghav

org.apache.atlas:atlas-intg:jar:2.3.0:compile
[INFO] |  |  |  |  +- commons-validator:commons-validator:jar:1.6:compile
[INFO] |  |  |  |  |  \- commons-digester:commons-digester:jar:1.8.1:compile
[INFO] |  |  |  |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.16.1:compile
[INFO] |  |  |  |  +- javax.inject:javax.inject:jar:1:compile
[INFO] |  |  |  |  \- org.springframework:spring-context:jar:5.3.21:compile
[INFO] |  |  |  |     +- org.springframework:spring-aop:jar:5.3.21:compile
[INFO] |  |  |  |     +- org.springframework:spring-beans:jar:5.3.21:compile
[INFO] |  |  |  |     \- org.springframework:spring-expression:jar:5.3.21:compile

Atlas is still bringing in Spring 5.3.21 and, because of it, the lib dir contains both versions of Spring.

spring-aop-5.3.21.jar
spring-beans-5.3.21.jar
spring-context-5.3.21.jar
spring-core-5.3.27.jar
spring-expression-5.3.21.jar
spring-jcl-5.3.27.jar
spring-jdbc-5.3.27.jar
spring-tx-5.3.27.jar

Aggarwal-Raghav avatar May 06 '24 14:05 Aggarwal-Raghav
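A small check for the mixed-version condition described in this comment, added here as an example and not code from the PR or the Hive project: it parses jar file names from a lib directory, groups the spring-* artifacts by version, and lists the ones still below the patched 5.3.27. The jar list is constructed from the comment above; the `check_lib.py` file name is hypothetical.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

# Jar names as listed in the review comment above (constructed from the page).
LIB_JARS = [
    "spring-aop-5.3.21.jar", "spring-beans-5.3.21.jar",
    "spring-context-5.3.21.jar", "spring-core-5.3.27.jar",
    "spring-expression-5.3.21.jar", "spring-jcl-5.3.27.jar",
    "spring-jdbc-5.3.27.jar", "spring-tx-5.3.27.jar",
]

# "<artifactId>-<version>.jar"; the version starts at the first digit-led segment.
# Artifact ids that themselves contain a digit-led segment (rare) would need a
# pom-driven lookup instead of this filename heuristic.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d.*)\.jar$")

def parse_version(v):
    """Numeric dotted prefix as a tuple for ordering; qualifiers are ignored."""
    parts = []
    for piece in re.split(r"[.-]", v):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def family_versions(jars, prefix):
    """Map each version of the `prefix` family (e.g. 'spring-') to its artifacts."""
    by_version = defaultdict(list)
    for name in jars:
        m = JAR_RE.match(name)
        if m and m.group("artifact").startswith(prefix):
            by_version[m.group("version")].append(m.group("artifact"))
    return {v: sorted(arts) for v, arts in sorted(by_version.items())}

def stale_artifacts(jars, prefix, minimum):
    """Jars of the family still below `minimum`, i.e. not covered by the upgrade."""
    floor = parse_version(minimum)
    return sorted(f"{a}-{v}.jar"
                  for v, arts in family_versions(jars, prefix).items()
                  if parse_version(v) < floor for a in arts)

if __name__ == "__main__":
    # Usage: python check_lib.py [lib_dir]; defaults to the constructed list above.
    jars = [p.name for p in Path(sys.argv[1]).glob("*.jar")] if len(sys.argv) > 1 else LIB_JARS
    print("spring versions shipped:", family_versions(jars, "spring-"))
    print("still below 5.3.27:", stale_artifacts(jars, "spring-", "5.3.27"))
```

Run against a built Hive lib directory, an empty "still below" list is the condition the reviewer is asking for; a non-empty one points at transitive dependencies (Atlas here) that still need exclusion or management.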

Thanks for the PR @slfan1989. As this is a dependency upgrade, can you change the description and, based on HIVE-27419, attach the dependency tree to the PR?

Thank you for the suggestions! I will continue to improve this PR.

slfan1989 avatar May 07 '24 00:05 slfan1989

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Feel free to reach out on the [email protected] list if the patch is in need of reviews.

github-actions[bot] avatar Jul 07 '24 00:07 github-actions[bot]

Superseded by https://github.com/apache/hive/pull/5435

zhangbutao avatar Oct 12 '24 16:10 zhangbutao