Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade libthrift to 0.14.1 due CVE-2020-13949 #24462

Merged
merged 1 commit into from
Feb 19, 2025
Merged

Upgrade libthrift to 0.14.1 due CVE-2020-13949 #24462

merged 1 commit into from
Feb 19, 2025

Conversation

denodo-research-labs
Copy link
Contributor

@denodo-research-labs denodo-research-labs commented Jan 30, 2025
edited
Loading

Description

Fix CVE-2018-1320, CVE-2019-0205, CVE-2019-0210 and CVE-2020-13949.

The version chosen is 0.14.1, although more recent versions exist, because it does not have CRITICAL and HIGH severity CVEs and has been tested in several scenarios with different versions of Hive Metastore.

Fix for #18026

Motivation and Context

The PR upgrades libthrift version to address known CVEs.

Exception made for Accumulo connector, since the version of Accumulo used is not compatible with newer versions of libthrift.

Impact

Dependency org.apache.thrift:libthrift:0.9.3 has four HIGH vulnerabilities:

https://nvd.nist.gov/vuln/detail/CVE-2018-1320
https://nvd.nist.gov/vuln/detail/CVE-2019-0205
https://nvd.nist.gov/vuln/detail/CVE-2019-0210
https://nvd.nist.gov/vuln/detail/CVE-2020-13949

Contributor checklist

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

General Changes
* Upgrade libthrift to 0.14.1 in response to `CVE-2020-13949 <https://github.com/advisories/GHSA-g2fg-mr77-6vrm>`_

@denodo-research-labs denodo-research-labs requested a review from a team as a code owner January 30, 2025 10:40
czentgr
czentgr reviewed Jan 30, 2025
View reviewed changes
Copy link
Contributor

@czentgr czentgr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please rebase.

Also, is there a plan to take a look at accumulo to see if thrift can be upgraded for that as well?

@denodo-research-labs
Copy link
Contributor Author

The community seems to have little interest in maintaining Accumulo, see #15837

imjalpreet
imjalpreet reviewed Feb 2, 2025
View reviewed changes
Copy link
Member

@imjalpreet imjalpreet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@denodo-research-labs thanks for the fix! LGTM, just some nits.

@steveburnett
Copy link
Contributor

New release note guidelines as of last week: PR #24354 automatically adds links to this PR to the release notes. Please remove the manual PR link in the following format from the release note entries for this PR.

:pr:`12345`

I have updated the Release Notes Guidelines to remove the examples of manually adding the PR link.

imjalpreet
imjalpreet previously approved these changes Feb 6, 2025
View reviewed changes
@tdcmeehan tdcmeehan self-assigned this Feb 6, 2025
jaystarshot
jaystarshot reviewed Feb 13, 2025
View reviewed changes
presto-hive-metastore/src/main/java/com/facebook/presto/hive/metastore/thrift/Transport.java
@Override
public void updateKnownMessageSize(long size)
throws TTransportException
{
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

throw new UnsupportedOperationException("Not implemented");

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does transport not have these methods? (transport.updateKnownMessageSize)?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

or just leave a noop comment if its noop

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

presto-hive-metastore/src/main/java/com/facebook/presto/hive/metastore/thrift/Transport.java
@Override
public void checkReadBytesAvailable(long numBytes)
throws TTransportException
{
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

throw new UnsupportedOperationException("Not implemented");

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added noop comment

@jaystarshot jaystarshot merged commit d6c5af6 into prestodb:master Feb 19, 2025
53 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@czentgr czentgr czentgr left review comments

@jaystarshot jaystarshot jaystarshot approved these changes

@imjalpreet imjalpreet imjalpreet left review comments

@presto-oss presto-oss Awaiting requested review from presto-oss presto-oss is a code owner automatically assigned from prestodb/committers

Assignees

@tdcmeehan tdcmeehan

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@denodo-research-labs @steveburnett @imjalpreet @jaystarshot @czentgr @tdcmeehan