
Update janino to 3.1.10 [5.3.z] #25094

Merged (1 commit), Jul 31, 2023

Conversation

frant-hartm (Contributor):

Fixes #24732 (CVE-2023-33546) in 5.3.z branch.

The fix in master should be to update calcite when they update their dependency to 3.1.10. If they don't publish such version before 5.4 release then we can forward-port this PR.

Checklist:

  • Labels (Team:, Type:, Source:, Module:) and Milestone set
  • Label Add to Release Notes or Not Release Notes content set
  • Request reviewers if possible

Fixes hazelcast#24732 (CVE-2023-33546) in 5.3.z branch.

The fix in master should be to update calcite when they update their
dependency to 3.1.10.
@frant-hartm frant-hartm added labels Source: Internal, Add to Release Notes, dependencies, Team: Integration, Module: Maven build on Jul 27, 2023
@frant-hartm frant-hartm added this to the 5.3.z milestone Jul 27, 2023
@frant-hartm frant-hartm requested review from k-jamroz and a team July 27, 2023 09:41
@TomaszGaweda (Contributor):

run-nightly-tests

@TomaszGaweda (Contributor):

^ just to double check if that does not break any SQL IT test

@k-jamroz (Contributor):

Note that Janino "fixed" the issue by translating StackOverflowException to a different exception; it does not change anything from the security perspective, only silences the tools.

But anyway, Janino should be used only internally to generate some optimizer rules code. AFAIK it is not used to parse SQL statements; for that a JavaCC-generated parser is used.

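An added illustration (my own code, not Janino's, Calcite's or Hazelcast's) of the distinction drawn in the comment above. A toy recursive-descent parser whose recursion depth follows the input's nesting is run three ways: unguarded, with a StackOverflowError translated into a checked exception at the parser boundary (the shape of fix the comment describes), and with an explicit nesting limit checked before each recursive call. The class name NestingDemo, ParseException, MAX_DEPTH and the million-deep constructed input are all assumptions made for this demo and have nothing to do with Janino's actual parser or its CVE-2023-33546 change.

```java
/**
 * Toy parser for the grammar  expr := '(' expr ')' | digit.
 * Added demo code, not from Janino or Hazelcast. Run with: java NestingDemo.java  (JDK 11+)
 */
public class NestingDemo {

    /** Checked exception a caller can sensibly handle, unlike StackOverflowError. */
    public static class ParseException extends Exception {
        public ParseException(String msg) { super(msg); }
    }

    /** Nesting limit for the bounded parser; arbitrary value chosen for the demo. */
    public static final int MAX_DEPTH = 256;

    // Variant 1: no guard. One JVM frame per '(' in the input, so an attacker
    // controls the recursion depth directly.
    static int parseUnbounded(String s, int[] pos) throws ParseException {
        if (pos[0] >= s.length()) throw new ParseException("unexpected end of input");
        char c = s.charAt(pos[0]);
        if (c == '(') {
            pos[0]++;
            int v = parseUnbounded(s, pos);
            expect(s, pos, ')');
            return v;
        }
        if (Character.isDigit(c)) { pos[0]++; return c - '0'; }
        throw new ParseException("unexpected '" + c + "' at " + pos[0]);
    }

    // Variant 2: translate the error at the boundary. The whole thread stack is
    // still consumed before the JVM raises StackOverflowError; only the
    // exception type the caller sees differs from variant 1.
    static int parseTranslating(String s) throws ParseException {
        try {
            return parseUnbounded(s, new int[]{0});
        } catch (StackOverflowError e) {
            throw new ParseException("expression nested too deeply");
        }
    }

    // Variant 3: reject by depth before recursing, so hostile input is refused
    // after at most MAX_DEPTH + 1 frames regardless of the thread's stack size.
    static int parseBounded(String s, int[] pos, int depth) throws ParseException {
        if (depth > MAX_DEPTH) throw new ParseException("nesting deeper than " + MAX_DEPTH);
        if (pos[0] >= s.length()) throw new ParseException("unexpected end of input");
        char c = s.charAt(pos[0]);
        if (c == '(') {
            pos[0]++;
            int v = parseBounded(s, pos, depth + 1);
            expect(s, pos, ')');
            return v;
        }
        if (Character.isDigit(c)) { pos[0]++; return c - '0'; }
        throw new ParseException("unexpected '" + c + "' at " + pos[0]);
    }

    static void expect(String s, int[] pos, char want) throws ParseException {
        if (pos[0] >= s.length() || s.charAt(pos[0]) != want)
            throw new ParseException("expected '" + want + "' at " + pos[0]);
        pos[0]++;
    }

    /** Builds "((...(7)...))" with n levels of parentheses (constructed demo input). */
    static String nested(int n) { return "(".repeat(n) + "7" + ")".repeat(n); }

    public static void main(String[] args) throws ParseException {
        String benign  = nested(10);
        String hostile = nested(1_000_000); // far beyond any default JVM thread stack

        System.out.println("bounded, benign input: " + parseBounded(benign, new int[]{0}, 0));

        try {
            parseUnbounded(hostile, new int[]{0});
        } catch (StackOverflowError e) {
            System.out.println("unbounded: StackOverflowError escaped the parser");
        }

        try {
            parseTranslating(hostile);
        } catch (ParseException e) {
            System.out.println("translating: " + e.getMessage() + " (stack was exhausted first)");
        }

        try {
            parseBounded(hostile, new int[]{0}, 0);
        } catch (ParseException e) {
            System.out.println("bounded: " + e.getMessage() + " (rejected after ~" + (MAX_DEPTH + 1) + " frames)");
        }
    }
}
```

The third variant is the one to look for when judging whether a dependency bump actually removes the denial-of-service condition: a depth or size limit applied before the recursive call bounds the work done per request, whereas a catch of StackOverflowError only changes what the caller observes after the stack has already been spent.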
@frant-hartm frant-hartm merged commit 970d4d8 into hazelcast:5.3.z Jul 31, 2023
8 of 9 checks passed
@AyberkSorgun AyberkSorgun modified the milestones: 5.3.z, 5.3.2 Aug 15, 2023