Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[GH-15865] Upgrade org.python:jython to CWE-416 of com.github.jnr:jnr-posix (overriding org.python.core.imp class from Jython with custom changes, search for CUSTOM CHANGE) #15866

Merged
merged 3 commits into from
Oct 30, 2023
Merged

[GH-15865] Upgrade org.python:jython to CWE-416 of com.github.jnr:jnr-posix (overriding org.python.core.imp class from Jython with custom changes, search for CUSTOM CHANGE) #15866

merged 3 commits into from
Oct 30, 2023

Conversation

mn-mikke
Copy link
Collaborator

@mn-mikke mn-mikke commented Oct 24, 2023
edited
Loading

Closes #15865

See #15865 for the details about problem. jnr-posix is not reported by gradle as other transitive dependencies, but with the upgrade of Jython to 2.7.3, we get the following from META-INF/maven/com.github.jnr/jnr-posix/pom.properties of h2o.jar

#Generated by Maven
#Thu Jan 06 10:51:33 CST 2022
groupId=com.github.jnr
artifactId=jnr-posix
version=3.1.15

The version jnr-posix:3.1.15 shouldn't suffer from the vulnerability. (https://security.snyk.io/vuln/SNYK-JAVA-COMGITHUBJNR-1570422)

@mn-mikke mn-mikke changed the base branch from master to rel-3.44.0 October 24, 2023 17:41
krasinski
krasinski previously approved these changes Oct 24, 2023
View reviewed changes
Copy link
Contributor

@krasinski krasinski left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

valenad1
valenad1 previously approved these changes Oct 26, 2023
View reviewed changes
Copy link
Collaborator

@valenad1 valenad1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good finding, thanks!

@mn-mikke mn-mikke dismissed stale reviews from valenad1 and krasinski via ae2517b October 26, 2023 21:03
valenad1
valenad1 approved these changes Oct 30, 2023
View reviewed changes
Copy link
Collaborator

@valenad1 valenad1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@mn-mikke mn-mikke changed the title [GH-15865] Upgrade org.python:jython to CWE-416 of com.github.jnr:jnr-posix [GH-15865] Upgrade org.python:jython to CWE-416 of com.github.jnr:jnr-posix (overriding org.python.core.imp class from Jython with custom changes, search for CUSTOM CHANGE) Oct 30, 2023
@mn-mikke mn-mikke merged commit cd38506 into rel-3.44.0 Oct 30, 2023
1 of 2 checks passed
@mn-mikke mn-mikke deleted the mn/GH-15865 branch October 30, 2023 11:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@valenad1 valenad1 valenad1 approved these changes

@wendycwong wendycwong Awaiting requested review from wendycwong

@krasinski krasinski Awaiting requested review from krasinski

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Upgrade org.python:jython to CWE-416 of com.github.jnr:jnr-posix
3 participants
@mn-mikke @krasinski @valenad1