Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump aws sdk to version 2.30.18 to mitigate CVE-2025-24970 #3565

Closed
wants to merge 2 commits into from
Closed

Bump aws sdk to version 2.30.18 to mitigate CVE-2025-24970 #3565

wants to merge 2 commits into from

Conversation

peterzhuamazon
Copy link
Member

Description

Bump aws sdk to version 2.30.18 to mitigate CVE-2025-24970

Related Issues

opensearch-project/opensearch-build#5323

Check List

  • [ ] New functionality includes testing.
  • [ ] New functionality has been documented.
  • [ ] API changes companion pull request created.
  • Commits are signed per the DCO using --signoff.
  • [ ] Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@peterzhuamazon peterzhuamazon self-assigned this Feb 19, 2025
@peterzhuamazon peterzhuamazon mentioned this pull request Feb 19, 2025
Open
64 tasks
@peterzhuamazon peterzhuamazon had a problem deploying to ml-commons-cicd-env-require-approval February 19, 2025 21:35 — with GitHub Actions Error
@peterzhuamazon peterzhuamazon had a problem deploying to ml-commons-cicd-env-require-approval February 19, 2025 21:35 — with GitHub Actions Failure
@peterzhuamazon peterzhuamazon had a problem deploying to ml-commons-cicd-env-require-approval February 19, 2025 21:35 — with GitHub Actions Failure
@peterzhuamazon peterzhuamazon had a problem deploying to ml-commons-cicd-env-require-approval February 19, 2025 21:35 — with GitHub Actions Error
@peterzhuamazon
More bumps
ecbb727 
Signed-off-by: Peter Zhu <[email protected]>
@peterzhuamazon peterzhuamazon had a problem deploying to ml-commons-cicd-env-require-approval February 19, 2025 21:45 — with GitHub Actions Error
@peterzhuamazon peterzhuamazon deployed to ml-commons-cicd-env-require-approval February 19, 2025 21:45 — with GitHub Actions Active
@peterzhuamazon peterzhuamazon had a problem deploying to ml-commons-cicd-env-require-approval February 19, 2025 21:45 — with GitHub Actions Failure
@peterzhuamazon peterzhuamazon temporarily deployed to ml-commons-cicd-env-require-approval February 19, 2025 21:45 — with GitHub Actions Inactive
dhrubo-os
dhrubo-os reviewed Feb 19, 2025
View reviewed changes
ml-algorithms/build.gradle
implementation 'software.amazon.awssdk:apache-client'
implementation ('com.amazonaws:aws-encryption-sdk-java:2.4.1') {
exclude group: 'org.bouncycastle', module: 'bcprov-ext-jdk18on'
}
implementation 'org.bouncycastle:bcprov-jdk18on:1.78.1'

compileOnly group: 'software.amazon.awssdk', name: 'aws-core', version: '2.30.18'
compileOnly group: 'software.amazon.awssdk', name: 's3', version: '2.29.12'
compileOnly group: 'software.amazon.awssdk', name: 'regions', version: '2.29.12'
compileOnly group: 'software.amazon.awssdk', name: 's3', version: '2.30.18'
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does core uses awssdk? I was wondering if we could use something like implementation("com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}") so that we don't have to worry about version from plugin level?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Core did have a pointer here: https://github.com/opensearch-project/OpenSearch/blob/main/gradle/libs.versions.toml#L55

However, netty has its own pointer so they just updated netty directly:
opensearch-project/OpenSearch@c82fffe

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will update core to the new version first.

@rithin-pullela-aws rithin-pullela-aws mentioned this pull request Feb 19, 2025
Closed
5 tasks
@peterzhuamazon peterzhuamazon mentioned this pull request Feb 20, 2025
Merged
5 tasks
@peterzhuamazon
Copy link
Member Author

Close in favor of this PR:

Also pending core upgrade as newer version of aws sdk has more dependencies on core.

Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dhrubo-os dhrubo-os dhrubo-os left review comments

@b4sjoo b4sjoo Awaiting requested review from b4sjoo b4sjoo is a code owner

@mingshl mingshl Awaiting requested review from mingshl mingshl is a code owner

@jngz-es jngz-es Awaiting requested review from jngz-es jngz-es is a code owner

@model-collapse model-collapse Awaiting requested review from model-collapse model-collapse is a code owner

@rbhavna rbhavna Awaiting requested review from rbhavna rbhavna is a code owner

@ylwu-amzn ylwu-amzn Awaiting requested review from ylwu-amzn ylwu-amzn is a code owner

@zane-neo zane-neo Awaiting requested review from zane-neo zane-neo is a code owner

@Zhangxunmt Zhangxunmt Awaiting requested review from Zhangxunmt Zhangxunmt is a code owner

@austintlee austintlee Awaiting requested review from austintlee austintlee is a code owner

@HenryL27 HenryL27 Awaiting requested review from HenryL27 HenryL27 is a code owner

@xinyual xinyual Awaiting requested review from xinyual xinyual is a code owner

Assignees

@peterzhuamazon peterzhuamazon

Labels
backport 2.x backport 2.19 release
Projects
Engineering Effectiveness Board
Status: ✅ Done
OpenSearch Engineering Effectiveness
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@peterzhuamazon @dhrubo-os