Upgrade snappy-java to 1.1.10.1 to fix CVE-2023-34453#1614
Code Review
This pull request updates the snappy-java dependency version in pom.xml from 1.1.7.2 to 1.1.10.1. While this upgrade addresses CVE-2023-34453, the selected version is still vulnerable to CVE-2023-43642. It is recommended to upgrade to version 1.1.10.5 instead to ensure all critical security vulnerabilities are resolved.
| <groupId>org.xerial.snappy</groupId> | ||
| <artifactId>snappy-java</artifactId> | ||
| <version>1.1.7.2</version> | ||
| <version>1.1.10.1</version> |
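Review bot: the new `<version>1.1.10.1</version>` line should go to `1.1.10.5` rather than stopping at 1.1.10.1; as the comments note, 1.1.10.1 is still affected by CVE-2023-43642 (a missing upper bound check on chunk length that can end in `java.lang.OutOfMemoryError` or integer overflow), so this hunk closes CVE-2023-34453 but leaves a critical issue in the same dependency open.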
While upgrading to 1.1.10.1 remediates CVE-2023-34453, this version remains vulnerable to CVE-2023-43642, which is a critical vulnerability where a missing upper bound check on chunk length can lead to java.lang.OutOfMemoryError or integer overflow. It is highly recommended to upgrade to 1.1.10.5 (or at least 1.1.10.4) to resolve both security issues.
| <version>1.1.10.1</version> | |
| <version>1.1.10.5</version> |
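Review bot: once this suggestion is applied the PR title and description, which still name only CVE-2023-34453, become stale; update them to mention CVE-2023-43642 as well so the change record reflects both fixes, and keep 1.1.10.4 in mind only as the minimum named in the comment above if 1.1.10.5 cannot be used.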
This PR upgrades snappy-java to 1.1.10.1 to remediate CVE-2023-34453. Note: avro is already at version 1.11.4 in the develop branch.
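To make the "missing upper bound check on chunk length" point from the review concrete, the following is an added example (not snappy-java's code, and not its actual framing format or limits): a parser for a simplified 4-byte big-endian length-prefixed chunk stream that rejects a declared length before any buffer is sized from it. `MAX_CHUNK_SIZE`, `MalformedChunk`, and the sample streams are assumptions constructed for this example; the signed decode mirrors how a Java `int` read of the prefix behaves.

```python
import struct

# Assumed cap for this example; it is not snappy-java's actual constant.
MAX_CHUNK_SIZE = 512 * 1024


class MalformedChunk(ValueError):
    """Raised when a chunk header cannot be trusted."""


def decode_length(header: bytes) -> int:
    """Decode a 4-byte big-endian prefix the way a Java int read does: signed.

    A prefix with the high bit set therefore comes back negative, which is
    the integer-overflow side of the issue described in the review.
    """
    return struct.unpack(">i", header)[0]


def parse_chunks(stream: bytes, max_chunk: int = MAX_CHUNK_SIZE) -> list[bytes]:
    """Split a length-prefixed stream into chunks, validating each declared
    length against both bounds before it is used for anything."""
    chunks, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 4:
            raise MalformedChunk("truncated length prefix")
        length = decode_length(stream[pos:pos + 4])
        pos += 4
        if length < 0:  # lower bound: signed wrap of the prefix
            raise MalformedChunk(f"negative chunk length {length}")
        if length > max_chunk:  # upper bound: the check whose absence lets a
            # 4-byte header demand a buffer of ~2 GiB
            raise MalformedChunk(f"chunk length {length} exceeds cap {max_chunk}")
        if len(stream) - pos < length:
            raise MalformedChunk("truncated chunk body")
        chunks.append(stream[pos:pos + length])
        pos += length
    return chunks


def frame(*payloads: bytes) -> bytes:
    """Build a well-formed stream from payloads (constructed test data)."""
    return b"".join(struct.pack(">I", len(p)) + p for p in payloads)


# Constructed samples: one valid stream and two hostile headers.
GOOD = frame(b"hello", b"world")
HUGE = struct.pack(">I", 0x7FFFFFFF) + b"x"      # declares 2147483647 bytes
NEGATIVE = struct.pack(">I", 0x80000000) + b"x"  # reads as -2147483648 in Java
TRUNCATED = struct.pack(">I", 10) + b"abc"       # declares more than is present
```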