Skip to content

[fs] Force CVE-patched commons-lang3 and snappy-java in hadoop-shaded#8560

Open
thswlsqls wants to merge 1 commit into
apache:masterfrom
thswlsqls:fix/hadoop-shaded-cve-dep-versions
Open

[fs] Force CVE-patched commons-lang3 and snappy-java in hadoop-shaded#8560
thswlsqls wants to merge 1 commit into
apache:masterfrom
thswlsqls:fix/hadoop-shaded-cve-dep-versions

Conversation

@thswlsqls

Copy link
Copy Markdown
Contributor

Purpose

fix #8558

  • paimon-hadoop-shaded's NOTICE declares commons-lang3:3.18.0 and snappy-java:1.1.10.8, but the shaded jar bundled the transitive 3.12.0 / 1.1.8.2 from hadoop-common:3.3.4 — the CVE fixes [core] Bump commons-lang3 to version 3.18.0 to avoid CVE-2025-48924 #6781 (CVE-2025-48924) and [core] upgrade snappy-java to 1.1.10.8 due to CVE #7383 only touched NOTICE / an inert root property, so they never reached this artifact.
  • Add dependencyManagement overrides pinning both to the versions the NOTICE already declares, mirroring the existing commons-beanutils security bump in the same pom. No NOTICE change needed.
  • Fix propagates to paimon-hadoop-uber and the oss/s3/obs/cosn/azure -impl modules, which bundle hadoop through this module.

Tests

  • Build-config change (no runtime behavior), same shape as the existing commons-beanutils bump — no unit test added.
  • mvn -pl paimon-filesystems/paimon-hadoop-shaded dependency:tree now resolves commons-lang3:3.18.0 and snappy-java:1.1.10.8.
  • mvn -pl paimon-filesystems/paimon-hadoop-shaded clean install passes (shade + checkstyle + rat); the shaded jar bundles commons-lang3 3.18.0 and snappy-java 1.1.10.8.

The paimon-hadoop-shaded NOTICE already declares commons-lang3:3.18.0
and snappy-java:1.1.10.8 (from CVE fixes apache#6781 and apache#7383), but the
shaded jar still bundled hadoop-common 3.3.4's transitive 3.12.0 and
1.1.8.2 because those versions were never pinned here. Add
dependencyManagement overrides (mirroring the existing commons-beanutils
security bump) so the shaded jar bundles the versions the NOTICE claims.

Generated-by: Claude Code
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug] paimon-hadoop-shaded bundles vulnerable commons-lang3/snappy-java despite NOTICE declaring patched versions

1 participant