@octo-sts bot (Contributor) commented Oct 23, 2025

celeborn-0.6/0.6.1-r0: fix GHSA-prj3-ccx8-p6x4

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/celeborn-0.6.advisories.yaml

⚠️ Deferred 6 Vulnerabilities

The following vulnerabilities are being deferred to future PRs (to avoid merge conflicts):


"Breadcrumbs" for this automated service

@octo-sts bot added labels on Oct 23, 2025: automated pr, GHSA-prj3-ccx8-p6x4, maven/pombump, request-cve-remediation, celeborn-0.6, bincapz/pass (Bincapz (aka malcontent) scan didn't detect any CRITICALs on the scanned packages), auto-approver-bot/initial-checks-failed
@catmsred catmsred self-assigned this Oct 27, 2025
@catmsred (Member) commented:
Creation of celeborn-0.6 package from version streaming: #69794
Final CVE scan for that: https://github.com/wolfi-dev/os/runs/53503171217

@catmsred (Member) commented:
Upstream: https://github.com/apache/celeborn

@catmsred (Member) commented:
Remote scan results:

$ wolfictl scan --remote celeborn-0.6
📡 Finding remote packages
🔎 Scanning "/tmp/packages.wolfi.dev-os-aarch64-celeborn-0.6-0.6.1-r0.apk2439367277"
├── 📄 /usr/share/java/celeborn/jars/hadoop-client-runtime-3.4.2.jar
│       📦 commons-lang3 3.17.0 (java-archive)
│           Medium CVE-2025-48924 GHSA-j288-q9x7-2f5v fixed in 3.18.0
│       📦 jackson-core 2.12.7 (java-archive)
│           High CVE-2025-52999 GHSA-h46c-h94j-95f3 fixed in 2.15.0
│           Medium CVE-2025-49128 GHSA-wf8f-6423-gfxg fixed in 2.13.0
│       📦 jetty-http 9.4.57.v20241219 (java-archive)
│           Medium CVE-2024-6763 GHSA-qh8g-58pp-2wxh fixed in 12.0.12
│       📦 nimbus-jose-jwt 9.37.2 (java-archive)
│           Medium CVE-2025-53864 GHSA-xwmg-2g98-w7v9 fixed in 9.37.4
├── 📄 /usr/share/java/celeborn/jars/jetty-http-9.4.58.v20250814.jar
│       📦 jetty-http 9.4.58.v20250814 (java-archive)
│           Medium CVE-2024-6763 GHSA-qh8g-58pp-2wxh fixed in 12.0.12
└── 📄 /usr/share/java/celeborn/jars/ratis-thirdparty-misc-1.0.9.jar
        📦 netty-codec 4.1.119.Final (java-archive)
            Medium CVE-2025-58057 GHSA-3p8m-j85q-pgmj fixed in 4.1.125.Final
        📦 netty-codec-http 4.1.119.Final (java-archive)
            Low CVE-2025-58056 GHSA-fghv-69vj-qj49 fixed in 4.1.125.Final
        📦 netty-codec-http2 4.1.119.Final (java-archive)
            High CVE-2025-55163 GHSA-prj3-ccx8-p6x4 fixed in 4.1.124.Final

🔎 Scanning "/tmp/packages.wolfi.dev-os-x86_64-celeborn-0.6-0.6.1-r0.apk2084759746"
├── 📄 /usr/share/java/celeborn/jars/hadoop-client-runtime-3.4.2.jar
│       📦 commons-lang3 3.17.0 (java-archive)
│           Medium CVE-2025-48924 GHSA-j288-q9x7-2f5v fixed in 3.18.0
│       📦 jackson-core 2.12.7 (java-archive)
│           High CVE-2025-52999 GHSA-h46c-h94j-95f3 fixed in 2.15.0
│           Medium CVE-2025-49128 GHSA-wf8f-6423-gfxg fixed in 2.13.0
│       📦 jetty-http 9.4.57.v20241219 (java-archive)
│           Medium CVE-2024-6763 GHSA-qh8g-58pp-2wxh fixed in 12.0.12
│       📦 nimbus-jose-jwt 9.37.2 (java-archive)
│           Medium CVE-2025-53864 GHSA-xwmg-2g98-w7v9 fixed in 9.37.4
├── 📄 /usr/share/java/celeborn/jars/jetty-http-9.4.58.v20250814.jar
│       📦 jetty-http 9.4.58.v20250814 (java-archive)
│           Medium CVE-2024-6763 GHSA-qh8g-58pp-2wxh fixed in 12.0.12
└── 📄 /usr/share/java/celeborn/jars/ratis-thirdparty-misc-1.0.9.jar
        📦 netty-codec 4.1.119.Final (java-archive)
            Medium CVE-2025-58057 GHSA-3p8m-j85q-pgmj fixed in 4.1.125.Final
        📦 netty-codec-http 4.1.119.Final (java-archive)
            Low CVE-2025-58056 GHSA-fghv-69vj-qj49 fixed in 4.1.125.Final
        📦 netty-codec-http2 4.1.119.Final (java-archive)
            High CVE-2025-55163 GHSA-prj3-ccx8-p6x4 fixed in 4.1.124.Final

@catmsred (Member) commented Oct 27, 2025

Even the most recent version of ratis-thirdparty (1.0.10) is only on netty 4.1.127.Final: https://github.com/apache/ratis-thirdparty/blob/1.0.10/pom.xml (as is their tip of main).

It was updated to that last month: apache/ratis-thirdparty#69

@catmsred (Member) commented Oct 27, 2025

Bumping ratis: apache/celeborn@b5c00ea

Note: the ratis-thirdparty version is 1.0.8, but it is controlled in pom.xml by the ratis version of 3.1.3; the most recent version is 3.2.0, which has ratis-thirdparty 1.0.9: https://github.com/apache/ratis/blob/ratis-3.2.0/pom.xml -- which is set in our pombump-properties already. This leads to netty-codec 4.1.119.
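
The scan above attributes the netty findings to the shaded jar ratis-thirdparty-misc-1.0.9.jar rather than to a standalone netty jar, so the practical question for this PR is "which netty does the jar we ship actually bundle, and is it below the fixed-in version?". The following Python script is an added example (not code from this PR, from wolfictl, or from the Celeborn/Ratis projects) of that check: it opens a jar, reads the `META-INF/maven/<groupId>/<artifactId>/pom.properties` entries that shaded jars carry for each bundled dependency, and compares each bundled version with the advisory's fixed-in version. The sample jar is constructed in memory for the example; the advisory table reuses the GHSA IDs and fixed-in versions from the scan output above; and the version ordering is a simplified stand-in for Maven's ComparableVersion (numeric segments compared numerically, qualifiers such as `Final` compared as text), which is an assumption of this example, not the scanner's own logic.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple

# (groupId, artifactId) -> version, as recorded in the jar's pom.properties files
Coordinate = Tuple[str, str]

POM_PROPERTIES = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def bundled_artifacts(jar_bytes: bytes) -> Dict[Coordinate, str]:
    """List the Maven artifacts bundled in a (possibly shaded) jar.

    Shaded jars keep one pom.properties per bundled dependency; that file is
    what lets a scanner report e.g. "netty-codec-http2 4.1.119.Final" inside
    ratis-thirdparty-misc-1.0.9.jar even though the classes were relocated.
    """
    found: Dict[Coordinate, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_PROPERTIES.match(name)
            if not m:
                continue
            props: Dict[str, str] = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue  # comments and the "#Generated by Maven" header
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
            group = props.get("groupId", m.group(1))
            artifact = props.get("artifactId", m.group(2))
            if "version" in props:
                found[(group, artifact)] = props["version"]
    return found


def version_key(version: str) -> List[Tuple[int, int, str]]:
    """Simplified Maven-style ordering (assumption: numeric parts numeric,
    qualifiers lexical, and a plain "4.1.124" sorts before "4.1.124.Final")."""
    key = []
    for token in re.split(r"[.\-]", version):
        if token.isdigit():
            key.append((0, int(token), ""))
        else:
            key.append((1, 0, token.lower()))
    return key


def is_vulnerable(version: str, fixed_in: str) -> bool:
    """True when the bundled version is strictly older than the fixed version."""
    return version_key(version) < version_key(fixed_in)


# artifactId -> (advisory, fixed-in version); values copied from the scan output
SAMPLE_ADVISORIES = {
    "netty-codec-http2": ("GHSA-prj3-ccx8-p6x4", "4.1.124.Final"),
    "netty-codec": ("GHSA-3p8m-j85q-pgmj", "4.1.125.Final"),
    "commons-lang3": ("GHSA-j288-q9x7-2f5v", "3.18.0"),
}


def check_jar(jar_bytes: bytes, advisories) -> List[Tuple[str, str, str, str]]:
    """Return (group:artifact, bundled version, advisory, fixed-in) for every
    bundled artifact that is still below its fixed-in version."""
    report = []
    for (group, artifact), version in sorted(bundled_artifacts(jar_bytes).items()):
        if artifact not in advisories:
            continue
        advisory, fixed_in = advisories[artifact]
        if is_vulnerable(version, fixed_in):
            report.append((f"{group}:{artifact}", version, advisory, fixed_in))
    return report


def build_sample_jar() -> bytes:
    """Constructed stand-in for a shaded jar like ratis-thirdparty-misc: two
    netty modules at 4.1.119.Final and commons-lang3 already at 3.18.0."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for group, artifact, version in [
            ("io.netty", "netty-codec-http2", "4.1.119.Final"),
            ("io.netty", "netty-codec", "4.1.119.Final"),
            ("org.apache.commons", "commons-lang3", "3.18.0"),
        ]:
            zf.writestr(
                f"META-INF/maven/{group}/{artifact}/pom.properties",
                f"#Generated by Maven\nversion={version}\n"
                f"groupId={group}\nartifactId={artifact}\n",
            )
    return buf.getvalue()


if __name__ == "__main__":
    for row in check_jar(build_sample_jar(), SAMPLE_ADVISORIES):
        print("%-32s %-14s %s (fixed in %s)" % row)
```

Run against a real jar by replacing `build_sample_jar()` with the bytes of `/usr/share/java/celeborn/jars/ratis-thirdparty-misc-1.0.9.jar` from the built apk; a bump that really reaches a fixed netty shows up as an empty report, whereas a pom property that changed only the declared ratis-thirdparty version, without changing the netty it shades, does not.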

catmsred added a commit to catmsred/advisories that referenced this pull request Oct 27, 2025
…3-ccx8-p6x4

celeborn-0.6 is newly version streamed and existing advisories under version 0.5
need to be updated for the new 0.6 version. netty is brought in by ratis, which
has still not updated to a fixed version of netty.

Relates: wolfi-dev/os#69882, wolfi-dev/os#69911, chainguard-dev/CVE-Dashboard#31614, chainguard-dev/CVE-Dashboard#31634, chainguard-dev/CVE-Dashboard#31623
@catmsred (Member) commented:
Advisory PR: wolfi-dev/advisories#24367

github-merge-queue bot pushed a commit to wolfi-dev/advisories that referenced this pull request Oct 27, 2025
* adv(celeborn-0.6): GHSA-3p8m-j85q-pgmj, GHSA-fghv-69vj-qj49, GHSA-prj3-ccx8-p6x4

celeborn-0.6 is newly version streamed and existing advisories under version 0.5
need to be updated for the new 0.6 version. netty is brought in by ratis, which
has still not updated to a fixed version of netty.

Relates: wolfi-dev/os#69882, wolfi-dev/os#69911, chainguard-dev/CVE-Dashboard#31614, chainguard-dev/CVE-Dashboard#31634, chainguard-dev/CVE-Dashboard#31623

* adv(celeborn-0.6): GHSA-j288-q9x7-2f5v, GHSA-h46c-h94j-95f3, GHSA-wf8f-6423-gfxg, GHSA-qh8g-58pp-2wxh, GHSA-xwmg-2g98-w7v9

celeborn-0.6 is newly version streamed and existing advisories under version 0.5
need to be updated for the new 0.6 version. hadoop is currently brought in at
the most recent version (3.4.2) and all the subsequent transitive dependencies
of hadoop require an upstream fix.

Relates: chainguard-dev/CVE-Dashboard#31631, chainguard-dev/CVE-Dashboard#31625, chainguard-dev/CVE-Dashboard#31629, chainguard-dev/CVE-Dashboard#31627, chainguard-dev/CVE-Dashboard#31621
@octo-sts bot (Contributor, Author) commented Oct 27, 2025

This vulnerability remediation is stale and no longer needed. 👋

Advisory CGA-83gp-5pgm-4v7j has the latest event type of "pending-upstream-fix": https://github.com/wolfi-dev/advisories/blob/main/celeborn-0.6.advisories.yaml

ID:      CGA-83gp-5pgm-4v7j
Package: celeborn-0.6
Aliases: CVE-2025-55163 GHSA-prj3-ccx8-p6x4
Events:
  - "scan/v1" at 2025-10-23 18:37:49 UTC
  - "pending-upstream-fix" at 2025-10-27 13:57:35 UTC
