Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Fix: Okio CVE-2023-3635 + OkHttp Jar Update #23796

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Security Fix: Okio CVE-2023-3635 + OkHttp Jar Update #23796

wants to merge 1 commit into from
+701 −7

Conversation

Mariamalmesfer
Copy link
Contributor

@Mariamalmesfer Mariamalmesfer commented Oct 9, 2024
edited
Loading

Description

This PR fixes the Okio security vulnerability (CVE-2023-3635) by upgrading from version 1.17.2 to 3.6.0. It also includes an update to the OkHttp jar from 3.9.0 to 4.12.0

Motivation and Context

A flaw was found in Okio’s GzipSource class that doesn’t handle exceptions properly, allowing potential Denial of Service (DoS) attacks with malformed files.

CVE-2023-3635: Details

Impact

Image Scan showed the vulnerability have been removed.
correlation-report-ibm-lh-presto-okie check.csv

Test Plan

Contributor checklist

  • Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

 == RELEASE NOTES == =
Security Changes
* Upgrade okio to 3.6.0 in response to `CVE-2023-3635 <https://github.com/advisories/GHSA-w33c-445m-f8w7>`_. :pr:`23796`
* Upgrade okhttp to 4.12.0 in response to `CVE-2023-3635 <https://github.com/advisories/GHSA-w33c-445m-f8w7>`_.  :pr:`23796`

@linux-foundation-easycla Linux Foundation: EasyCLA
Copy link

linux-foundation-easycla bot commented Oct 9, 2024
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: Mariamalmesfer / name: Mariam AlMesfer (4bbd3de)

@Mariamalmesfer Mariamalmesfer force-pushed the okie-fix branch 2 times, most recently from 1e17bcc to 8bed2f9 Compare October 13, 2024 09:24
@Mariamalmesfer Mariamalmesfer marked this pull request as ready for review October 13, 2024 09:34
@Mariamalmesfer Mariamalmesfer requested a review from a team as a code owner October 13, 2024 09:34
@ZacBlanco ZacBlanco self-requested a review October 14, 2024 17:14
@Mariamalmesfer Mariamalmesfer force-pushed the okie-fix branch 3 times, most recently from f8715a8 to e3b47f0 Compare October 15, 2024 13:51
@Mariamalmesfer Mariamalmesfer marked this pull request as draft October 24, 2024 08:04
@Mariamalmesfer Mariamalmesfer force-pushed the okie-fix branch 5 times, most recently from e13efb9 to dab801a Compare November 4, 2024 06:46
@steveburnett
Copy link
Contributor

Thanks for the release note entry! Nit to remove # from the PR number.

 == RELEASE NOTES == =

Security Changes
* Upgrade okio to 3.6.0 :pr:`23796`
* Upgrade okhttp to 4.12.0 :pr:`23796`

@Mariamalmesfer Mariamalmesfer force-pushed the okie-fix branch 12 times, most recently from af5b4c3 to ef04384 Compare November 7, 2024 22:14
@Mariamalmesfer Mariamalmesfer force-pushed the okie-fix branch 7 times, most recently from 5de7a82 to a0525f5 Compare December 10, 2024 21:41
@Mariamalmesfer Mariamalmesfer force-pushed the okie-fix branch 2 times, most recently from 5549d70 to 472111e Compare December 25, 2024 10:32
@Mariamalmesfer Mariamalmesfer force-pushed the okie-fix branch 4 times, most recently from 9b55b09 to 83aa236 Compare January 15, 2025 18:18
@Mariamalmesfer Mariamalmesfer marked this pull request as ready for review January 15, 2025 20:22
aaneja
aaneja reviewed Jan 17, 2025
View reviewed changes
presto-client/src/main/java/okhttp/internal/tls/DistinguishedNameParser.java
* A distinguished name (DN) parser. This parser only supports extracting a string value from a DN.
* It doesn't support values in the hex-string style.
*/
final class DistinguishedNameParser
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a direct like to the OkHttp code this was copied from

ZacBlanco
ZacBlanco reviewed Jan 17, 2025
View reviewed changes
pom.xml Show resolved Hide resolved
pom.xml Show resolved Hide resolved
@Mariamalmesfer Mariamalmesfer force-pushed the okie-fix branch 2 times, most recently from 85bca20 to f3d345d Compare January 21, 2025 09:53
aaneja
aaneja previously approved these changes Jan 22, 2025
View reviewed changes
@Mariamalmesfer Mariamalmesfer force-pushed the okie-fix branch 2 times, most recently from 72a9e67 to d4aee3e Compare January 22, 2025 10:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ZacBlanco ZacBlanco ZacBlanco approved these changes

@aaneja aaneja aaneja approved these changes

@presto-oss presto-oss Awaiting requested review from presto-oss presto-oss is a code owner automatically assigned from prestodb/committers

@zuyu zuyu Awaiting requested review from zuyu zuyu was automatically assigned from prestodb/ibm-reviewers

@infvg infvg Awaiting requested review from infvg infvg was automatically assigned from prestodb/ibm-reviewers

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
from:IBM PR from IBM
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Mariamalmesfer @steveburnett @aaneja @ZacBlanco @prestodb-ci