
Fix CVE-2021-22569 #4545

Merged
merged 1 commit into from
Jan 17, 2022
Conversation

@pxLi (Collaborator) commented Jan 17, 2022

pre-merge CI is blocked by vulnerability scan GHSA-wrvw-hg22-4m67

Try updating the protobuf-java version to the suggested version.

Signed-off-by: Peixin Li <pxli@nyu.edu>
@pxLi pxLi added the bug Something isn't working label Jan 17, 2022
@pxLi (Collaborator, Author) commented Jan 17, 2022

build

@pxLi (Collaborator, Author) commented Jan 17, 2022

The Spark runtime uses version 2.5.0, so we have used that specific version until now.

The NVIDIA Black Duck scan does not allow vulnerabilities in direct dependencies, so I bumped the version here to unblock the pre-merge CI if the tests pass.

The real fix will be #4408, which will remove several direct dependencies, including protobuf-java.

@pxLi pxLi merged commit afdb2a8 into NVIDIA:branch-22.02 Jan 17, 2022
@tgravescs (Collaborator) commented

So I'm not sure I like changing this right before the 22.02 release. #4408 is scheduled for 22.04.
It builds and tests run, so maybe it's OK, but we are going from a 2.x to a 3.x and I think we should look at compatibility or what exactly we are using this for. #4551

@pxLi (Collaborator, Author) commented Jan 19, 2022

> So I'm not sure I like changing this right before the 22.02 release. #4408 is scheduled for 22.04. It builds and tests run, so maybe it's OK, but we are going from a 2.x to a 3.x and I think we should look at compatibility or what exactly we are using this for. #4551

Yeah, this should just be a temporary fix to unblock CI. We should go for a more mature fix.

pxLi added a commit to pxLi/spark-rapids that referenced this pull request Jan 20, 2022
This reverts commit afdb2a8.

Signed-off-by: Peixin Li <pxli@nyu.edu>
pxLi added a commit that referenced this pull request Jan 20, 2022
This reverts commit afdb2a8.

Signed-off-by: Peixin Li <pxli@nyu.edu>