Posted to dev@drill.apache.org by GitBox <gi...@apache.org> on 2022/01/08 15:34:36 UTC

[GitHub] [drill] kingswanwho opened a new pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

kingswanwho opened a new pull request #2425:
URL: https://github.com/apache/drill/pull/2425


   # [DRILL-8104](https://issues.apache.org/jira/browse/DRILL-8104): Upgrade protobuf-java because of CVE-2021-22569
   
   ## Description
   
   Upgrade protobuf-java from version 3.11.1 to 3.16.1 because of CVE-2021-22569
   
   ## Documentation
   
   https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67
   
   ## Testing
   
   Check dependencies by mvn; all dependencies on protobuf have been upgraded to 3.16.1.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@drill.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
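A way to automate the dependency check named under Testing, written as an added example (Python; not code from the Drill project or this PR): it parses `mvn dependency:tree` output, constructed here as a sample rather than captured from the Drill build, and flags every `com.google.protobuf` artifact still resolved below 3.16.1, which is what a transitive dependency pinning the old version would produce.

```python
import re

# Constructed sample of `mvn dependency:tree` output (non-verbose, so only resolved
# versions appear). It is NOT output from the Drill build; the versions mirror the PR:
# 3.11.1 is the affected protobuf-java release, 3.16.1 the fixed one.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ drill-java-exec ---
[INFO] org.apache.drill.exec:drill-java-exec:jar:1.20.0-SNAPSHOT
[INFO] +- com.google.protobuf:protobuf-java:jar:3.16.1:compile
[INFO] +- org.apache.drill:drill-protocol:jar:1.20.0-SNAPSHOT:compile
[INFO] |  \\- com.google.protobuf:protobuf-java:jar:3.16.1:compile
[INFO] +- com.example:legacy-lib:jar:2.0:compile
[INFO] |  \\- com.google.protobuf:protobuf-java:jar:3.11.1:compile
[INFO] \\- com.google.protobuf:protobuf-java-util:jar:3.11.1:compile
[INFO] BUILD SUCCESS
"""

MAVEN_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# A tree line is "[INFO]", tree-drawing characters (| + \ - space), then a Maven
# coordinate groupId:artifactId:type[:classifier]:version[:scope].
COORD_RE = re.compile(r"^\[INFO\]\s+[|+\\\- ]*([^\s:]+(?::[^\s:]+){3,5})")


def parse_version(version):
    """Turn '3.16.1' or '1.20.0-SNAPSHOT' into a comparable numeric tuple."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def parse_tree(text):
    """Yield (groupId, artifactId, version, scope) for every coordinate in the output."""
    for line in text.splitlines():
        match = COORD_RE.match(line)
        if not match:
            continue
        parts = match.group(1).split(":")
        scope = parts[-1] if parts[-1] in MAVEN_SCOPES else None
        version = parts[-2] if scope else parts[-1]  # the root line carries no scope
        yield parts[0], parts[1], version, scope


def find_below(text, group_id, fixed_version):
    """Return [(artifactId, version)] for artifacts of group_id resolved below fixed_version."""
    floor = parse_version(fixed_version)
    return [(a, v) for g, a, v, _ in parse_tree(text)
            if g == group_id and parse_version(v) < floor]


if __name__ == "__main__":
    # Non-zero exit makes this usable as a CI gate after `mvn dependency:tree > tree.txt`.
    stale = find_below(SAMPLE_TREE, "com.google.protobuf", "3.16.1")
    for artifact, version in stale:
        print(f"still below 3.16.1: com.google.protobuf:{artifact}:{version}")
    raise SystemExit(1 if stale else 0)
```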



[GitHub] [drill] kingswanwho edited a comment on pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
kingswanwho edited a comment on pull request #2425:
URL: https://github.com/apache/drill/pull/2425#issuecomment-1010708407


   Hi @vvysotskyi, when I build Drill locally using Java 8, the build failed with the same issue as reported in GitHub CI:
   
   > This is likely due to you adding new dependencies to a java-exec and not updating the excludes in this module. This is important as it minimizes the size of the dependency of Drill application users.
   /home/parallels/Code/drill/exec/jdbc-all/target/drill-jdbc-all-1.20.0-SNAPSHOT.jar size (46602310) too large. Max. is 46600000/home/parallels/Code/drill/exec/jdbc-all/target/drill-jdbc-all-1.20.0-SNAPSHOT.jar
   
   And Java 17 also has this issue. Should we increase the max size of the dependency, or exclude some dependency like: https://github.com/apache/drill/pull/1486
   
   Thanks!





[GitHub] [drill] kingswanwho edited a comment on pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
kingswanwho edited a comment on pull request #2425:
URL: https://github.com/apache/drill/pull/2425#issuecomment-1010881586


   > > Yes, please increase the limit, it is ok to do that for this case.
   > 
   > Sure, drill build by JDK 11 passed, and generated protobuf files for 3.16.1. I will increase the limit, and submit a new commit with those two updates.
   
   Seems files in 
   
   > /contrib/native/client/src/include/drill/protobuf/ 
   
   need to be updated as well, and before generating protobuf, the main build has to be finished first; otherwise, some files like 
   
   > /contrib/native/client/src/include/drill/protobuf/Types.pb.h
   
   cannot be generated. I will try this then.





[GitHub] [drill] kingswanwho commented on pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
kingswanwho commented on pull request #2425:
URL: https://github.com/apache/drill/pull/2425#issuecomment-1008183488


   > Please also update protobuf version in `.github/workflows/ci.yml`
   
   Thank you so much for your reminder, resolved.





[GitHub] [drill] cgivre merged pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
cgivre merged pull request #2425:
URL: https://github.com/apache/drill/pull/2425


   





[GitHub] [drill] kingswanwho edited a comment on pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
kingswanwho edited a comment on pull request #2425:
URL: https://github.com/apache/drill/pull/2425#issuecomment-1010708407


   Hi @vvysotskyi, when I build Drill locally using Java 8, the build failed with the same issue as reported in GitHub CI:
   
   ```
   This is likely due to you adding new dependencies to a java-exec and not updating the excludes in this module. This is important as it minimizes the size of the dependency of Drill application users.
   /home/parallels/Code/drill/exec/jdbc-all/target/drill-jdbc-all-1.20.0-SNAPSHOT.jar size (46602310) too large. Max. is 46600000/home/parallels/Code/drill/exec/jdbc-all/target/drill-jdbc-all-1.20.0-SNAPSHOT.jar
   ```
   
   And Java 17 also has this issue. Should we increase the max size of the dependency, or exclude some dependency like: https://github.com/apache/drill/pull/1486
   
   Thanks!





[GitHub] [drill] kingswanwho edited a comment on pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
kingswanwho edited a comment on pull request #2425:
URL: https://github.com/apache/drill/pull/2425#issuecomment-1010065143


   > @kingswanwho, yes, please update it also for `contrib/native/client/src/protobuf`. Regarding build failure, you can either regenerate classes locally or copy the output of the job starting after this line:
   > 
   > ```
   > The following changes are found in files after regenerating protobufs (output may be used as a patchto apply):
   > ```
   
   Hi @vvysotskyi, thanks for your instructions. Many lines are changed, and I am afraid I could miss something if I copy the change directly, so I am building locally. Due to a network problem, it wastes some time. I hope I can finish the build ASAP.
   





[GitHub] [drill] kingswanwho commented on pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
kingswanwho commented on pull request #2425:
URL: https://github.com/apache/drill/pull/2425#issuecomment-1013228280


   Hi @vvysotskyi, all CI checks have passed, could you please give another review, thanks!
   





[GitHub] [drill] vvysotskyi commented on pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
vvysotskyi commented on pull request #2425:
URL: https://github.com/apache/drill/pull/2425#issuecomment-1008264094


   @kingswanwho, please fix the build. With the new version, the generated proto classes were changed, so please apply the patch from the `Github CI / Run checkstyle and generate protobufs` job output.





[GitHub] [drill] vvysotskyi commented on pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
vvysotskyi commented on pull request #2425:
URL: https://github.com/apache/drill/pull/2425#issuecomment-1008780966


   @kingswanwho, yes, please update it also for `contrib/native/client/src/protobuf`. Regarding build failure, you can either regenerate classes locally or copy the output of the job starting after this line:
   ```
   The following changes are found in files after regenerating protobufs (output may be used as a patchto apply):
   ```





[GitHub] [drill] kingswanwho commented on pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
kingswanwho commented on pull request #2425:
URL: https://github.com/apache/drill/pull/2425#issuecomment-1008584600


   > @kingswanwho, please fix the build. With the new version generated proto classes were changed, so please apply patch from the `Github CI / Run checkstyle and generate protobufs` job output.
   
   Hi @vvysotskyi, I found that the protobuf build files in "contrib/native/client/src/protobuf" are still at version 3.11.1. However, the CI environment regenerates the 3.16.1 build files, CI diffs those two versions, and an error gets thrown. I am trying to regenerate protobuf locally and use the new build files to replace the old ones.





[GitHub] [drill] vvysotskyi commented on pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
vvysotskyi commented on pull request #2425:
URL: https://github.com/apache/drill/pull/2425#issuecomment-1010769955


   Yes, please increase the limit, it is ok to do that for this case.





[GitHub] [drill] kingswanwho commented on pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
kingswanwho commented on pull request #2425:
URL: https://github.com/apache/drill/pull/2425#issuecomment-1010790689


   > Yes, please increase the limit, it is ok to do that for this case.
   
   Sure, drill build by JDK 11 passed, and generated protobuf files for 3.16.1. I will increase the limit, and submit a new commit with those two updates.





[GitHub] [drill] kingswanwho commented on pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
kingswanwho commented on pull request #2425:
URL: https://github.com/apache/drill/pull/2425#issuecomment-1011843235


   The protobuf version in the travis.yml CI script also needs to be updated; submitting the update and squashing 4 commits together.
   
   





[GitHub] [drill] kingswanwho commented on pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
kingswanwho commented on pull request #2425:
URL: https://github.com/apache/drill/pull/2425#issuecomment-1010708407


   Hi @vvysotskyi, when I build Drill locally using Java 8, the build failed with the same issue as reported in GitHub CI:





[GitHub] [drill] kingswanwho commented on pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
kingswanwho commented on pull request #2425:
URL: https://github.com/apache/drill/pull/2425#issuecomment-1010881586


   > > Yes, please increase the limit, it is ok to do that for this case.
   > 
   > Sure, drill build by JDK 11 passed, and generated protobuf files for 3.16.1. I will increase the limit, and submit a new commit with those two updates.
   
   Seems files in 
   
   > /contrib/native/client/src/include/drill/protobuf/ 
   
   need to be updated as well, and before generating protobuf, the main build has to be completed first; otherwise, some files like 
   
   > /contrib/native/client/src/include/drill/protobuf/Types.pb.h
   
   cannot be generated. I will try this then.





[GitHub] [drill] kingswanwho edited a comment on pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
kingswanwho edited a comment on pull request #2425:
URL: https://github.com/apache/drill/pull/2425#issuecomment-1010708407


   Hi @vvysotskyi, when I build Drill locally using JDK 8, the build failed with the same issue as reported in GitHub CI:
   
   > This is likely due to you adding new dependencies to a java-exec and not updating the excludes in this module. This is important as it minimizes the size of the dependency of Drill application users.
   /home/parallels/Code/drill/exec/jdbc-all/target/drill-jdbc-all-1.20.0-SNAPSHOT.jar size (46602310) too large. Max. is 46600000/home/parallels/Code/drill/exec/jdbc-all/target/drill-jdbc-all-1.20.0-SNAPSHOT.jar
   
   JDK 17 also has this issue. Should we increase the max size of the dependency, or exclude some dependency like: https://github.com/apache/drill/pull/1486.
   
   And I am trying to use JDK 11 to build Drill, which can pass the build in GitHub CI, and use this environment to generate: 
   > contrib/native/client/src/protobuf
   
   Thanks!





[GitHub] [drill] kingswanwho edited a comment on pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
kingswanwho edited a comment on pull request #2425:
URL: https://github.com/apache/drill/pull/2425#issuecomment-1011843235


   Hi @vvysotskyi, the protobuf version in the travis.yml CI script also needs to be updated; submitting the update and squashing 4 commits together.
   
   





[GitHub] [drill] kingswanwho commented on pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
kingswanwho commented on pull request #2425:
URL: https://github.com/apache/drill/pull/2425#issuecomment-1010065143


   > @kingswanwho, yes, please update it also for `contrib/native/client/src/protobuf`. Regarding build failure, you can either regenerate classes locally or copy the output of the job starting after this line:
   > 
   > ```
   > The following changes are found in files after regenerating protobufs (output may be used as a patchto apply):
   > ```
   
   Hi @vvysotskyi, thanks for your instructions. Many lines are changed, and I am afraid I would miss something, so I am building locally. Due to a network problem, it wastes some time. I hope I can finish the build ASAP.
   





[GitHub] [drill] vvysotskyi commented on pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
vvysotskyi commented on pull request #2425:
URL: https://github.com/apache/drill/pull/2425#issuecomment-1008104082


   Please also update protobuf version in `.github/workflows/ci.yml`





[GitHub] [drill] kingswanwho edited a comment on pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
kingswanwho edited a comment on pull request #2425:
URL: https://github.com/apache/drill/pull/2425#issuecomment-1010881586


   > > Yes, please increase the limit, it is ok to do that for this case.
   > 
   > Sure, drill build by JDK 11 passed, and generated protobuf files for 3.16.1. I will increase the limit, and submit a new commit with those two updates.
   
   Seems files in 
   
   > /contrib/native/client/src/include/drill/protobuf/ 
   
   and 
   
   > /protocol/src/main/java/org/apache/drill/common/types/
   
   need to be updated as well.
   
   I guess the main build has to be finished first, and then the protobuf build run. Otherwise, files in those two paths cannot be regenerated. I will try this then.





[GitHub] [drill] kingswanwho edited a comment on pull request #2425: DRILL-8104: Upgrade protobuf-java because of CVE-2021-22569

Posted by GitBox <gi...@apache.org>.
kingswanwho edited a comment on pull request #2425:
URL: https://github.com/apache/drill/pull/2425#issuecomment-1010708407


   Hi @vvysotskyi, when I build Drill locally using JDK 8, the build failed with the same issue as reported in GitHub CI:
   
   > This is likely due to you adding new dependencies to a java-exec and not updating the excludes in this module. This is important as it minimizes the size of the dependency of Drill application users.
   /home/parallels/Code/drill/exec/jdbc-all/target/drill-jdbc-all-1.20.0-SNAPSHOT.jar size (46602310) too large. Max. is 46600000/home/parallels/Code/drill/exec/jdbc-all/target/drill-jdbc-all-1.20.0-SNAPSHOT.jar
   
   And JDK 17 also has this issue. Should we increase the max size of the dependency, or exclude some dependency like: https://github.com/apache/drill/pull/1486
   
   Thanks!

