adds patch for CVE-2023-42503 that wolfictl probably missed due to ea…

…rlier advisory Signed-off-by: Mritunjay <[email protected]>
wolfi-dev · Feb 19, 2024 · 382e497 · 382e497
1 parent 9f7fa26
commit 382e497
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 14 deletions.
diff --git a/opensearch-2.yaml b/opensearch-2.yaml
@@ -5,7 +5,7 @@
 package:
   name: opensearch-2
   version: 2.11.1
-  epoch: 7 # Remove CVE-2022-45146 patch when bumping to 2.12 or later
+  epoch: 8 # Remove CVE-2022-45146 patch when bumping to 2.12 or later
   description: Open source distributed and RESTful search engine.
   copyright:
     - license: Apache-2.0
@@ -73,7 +73,7 @@ data:
       index-management: ""
       job-scheduler: ""
       k-nn: ""
-      ml-commons: "CVE-2023-51074.patch"
+      ml-commons: "ml-commons.patch" # Handles both CVE-2023-51074, CVE-2023-42503
       neural-search: "CVE-2023-5072.patch"
       notifications: ""
       observability: ""

diff --git a/opensearch-2/CVE-2023-51074.patch b/opensearch-2/CVE-2023-51074.patch
diff --git a/opensearch-2/ml-commons.patch b/opensearch-2/ml-commons.patch
@@ -0,0 +1,37 @@
+diff --git a/ml-algorithms/build.gradle b/ml-algorithms/build.gradle
+index 3561472..050ea67 100644
+--- a/ml-algorithms/build.gradle
++++ b/ml-algorithms/build.gradle
+@@ -62,7 +62,7 @@ dependencies {
+     implementation 'software.amazon.awssdk:auth'
+     implementation 'software.amazon.awssdk:apache-client'
+     implementation 'com.amazonaws:aws-encryption-sdk-java:2.4.1'
+-    implementation 'com.jayway.jsonpath:json-path:2.8.0'
++    implementation 'com.jayway.jsonpath:json-path:2.9.0'
+     implementation group: 'org.json', name: 'json', version: '20231013'
+ }
+
+diff --git a/ml-algorithms/build.gradle b/ml-algorithms/build.gradle
+index 35614721..74b0acbf 100644
+--- a/ml-algorithms/build.gradle
++++ b/ml-algorithms/build.gradle
+@@ -68,6 +68,7 @@ dependencies {
+
+ configurations.all {
+     resolutionStrategy.force 'com.google.protobuf:protobuf-java:3.21.9'
++    resolutionStrategy.force 'org.apache.commons:commons-compress:1.25.0'
+ }
+
+ jacocoTestReport {
+diff --git a/plugin/build.gradle b/plugin/build.gradle
+index af976e6f..3dc408a8 100644
+--- a/plugin/build.gradle
++++ b/plugin/build.gradle
+@@ -330,6 +330,7 @@ configurations.all {
+     resolutionStrategy.force 'org.apache.httpcomponents:httpclient:4.5.14'
+     resolutionStrategy.force 'commons-codec:commons-codec:1.15'
+     resolutionStrategy.force 'org.slf4j:slf4j-api:1.7.36'
++    resolutionStrategy.force 'org.apache.commons:commons-compress:1.25.0'
+ }
+
+ apply plugin: 'com.netflix.nebula.ospackage'