
cgivre
Contributor

@cgivre cgivre commented Aug 24, 2025

DRILL-8531: Update Various Libraries due to CVEs

Description

Updates various components due to CVEs. This PR also does some cleanup to the Apache Phoenix pom.xml file to allow us to update ZooKeeper. There were some transient dependency issues in that pom with the HBase client. Now everything is running on the same version and we should be able to upgrade ZooKeeper to the latest version without issues.

  • Excludes maven-compat in tools module.
  • Bumps Parquet to version 1.15.2.
  • Bump ZooKeeper to version 3.9.3.
  • Bump Apache Phoenix to version 5.2.1.
  • Bump Apache Derby to 10.17.0.1.
  • Bump Kerby to 2.0.3.

This PR can close DRILL-8514 and #2972.

As part of updating Phoenix, I had to refactor the test infrastructure to use HBase version 2.6, which is the version that ships with Drill.

Documentation

No user-facing changes.

Testing

Ran existing unit tests.

@cgivre cgivre self-assigned this Aug 24, 2025
@cgivre cgivre added the code-cleanup, minor-update, security, dependencies, and backport-to-stable (This bug fix is applicable to the latest stable release and should be considered for inclusion there) labels Aug 24, 2025
@cgivre cgivre changed the title from "Update Various Libraries due to CVEs" to "DRILL-8531: Update Various Libraries due to CVEs" Aug 24, 2025
Contributor Author

cgivre commented Aug 24, 2025

@pjfanning I pulled your code for #2972 into this PR so that we can get the Phoenix update.

Contributor Author

cgivre commented Sep 2, 2025

So I discovered that Phoenix doesn't like Hadoop 3.4. Stand by.

Contributor Author

cgivre commented Sep 9, 2025

@pjfanning @jnturton I think this PR is ready.

Contributor

@jnturton jnturton left a comment

Nice work on the tests!

@cgivre cgivre merged commit ee4c023 into apache:master Sep 16, 2025
7 checks passed
@cgivre cgivre deleted the update_more_libs branch September 16, 2025 16:55
cgivre added a commit to cgivre/drill that referenced this pull request Sep 18, 2025