BLZG-9052

Upgrade version of icu4j to remove security vulnerability

    Details

      Description

      Hi,

      Currently within the database repository the component com.ibm.icu:icu4j:4.8 has a security vulnerability with CVE ID CVE-2011-4599 which allows arbitrary code execution.

      Would it be possible to upgrade the component to a version which doesn't show this vulnerability?

      Thanks,
      Niall
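A dependency check of the kind this request calls for, as an added example that is not part of the issue or of Blazegraph's own build: it parses a Maven pom.xml, resolves `${...}` property references in dependency versions, and flags the coordinate named above, com.ibm.icu:icu4j:4.8, against CVE-2011-4599. The sample pom and the KNOWN_VULNERABLE table are constructed for the demonstration; a real run would populate the table from an advisory feed and read the project's actual pom.

```python
"""Flag Maven dependencies that match known-vulnerable coordinates."""
import re
import xml.etree.ElementTree as ET

# Known-vulnerable coordinates: (groupId, artifactId, version) -> advisory.
# Only the entry reported in this issue is listed; extend from your own advisory feed.
KNOWN_VULNERABLE = {
    ("com.ibm.icu", "icu4j", "4.8"): "CVE-2011-4599 (arbitrary code execution)",
}

# Constructed sample pom.xml for the demonstration; not Blazegraph's real build file.
# The icu4j version is deliberately indirected through a property, as real poms often do.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>example-db</artifactId>
  <version>1.0</version>
  <properties>
    <icu.version>4.8</icu.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.ibm.icu</groupId>
      <artifactId>icu4j</artifactId>
      <version>${icu.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>other-lib</artifactId>
      <version>2.3</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PROP_RE = re.compile(r"\$\{([^}]+)\}")


def _text(elem, tag):
    """Text of a namespaced child element, or '' when absent."""
    child = elem.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else ""


def parse_dependencies(pom_xml):
    """Return [(groupId, artifactId, version)] with ${property} references resolved."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_elem = root.find("m:properties", NS)
    if props_elem is not None:
        for p in props_elem:
            local_name = p.tag.split("}", 1)[-1]      # strip the namespace prefix
            props[local_name] = (p.text or "").strip()
    # ${project.version} is a common reference; map it to the project's own version.
    props.setdefault("project.version", _text(root, "version"))

    def resolve(value):
        # Unknown properties are left as-is so they show up rather than vanish.
        return PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)

    return [
        (_text(dep, "groupId"), _text(dep, "artifactId"), resolve(_text(dep, "version")))
        for dep in root.findall("m:dependencies/m:dependency", NS)
    ]


def find_vulnerable(pom_xml):
    """Return [(coordinate, advisory)] for each dependency in KNOWN_VULNERABLE."""
    return [(d, KNOWN_VULNERABLE[d]) for d in parse_dependencies(pom_xml) if d in KNOWN_VULNERABLE]


if __name__ == "__main__":
    for coord, advisory in find_vulnerable(SAMPLE_POM):
        print(f"{':'.join(coord)} -> {advisory}")
```

Bumping the `icu.version` property in the sample to the 59.1 release mentioned later in this thread makes the check report nothing, which is the state a CI gate should require before the build is allowed to pass.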

        Activity

        beebs Brad Bebee added a comment -

        Yes, we can likely get this into our coming 2.1.5 / 2.2.0 release.

        niallmac Niall Maclean added a comment -

        Is there currently an estimated release date for either of those versions?

        beebs Brad Bebee added a comment -

        I'm running 59.1 through CI. http://repo1.maven.org/maven2/com/ibm/icu/icu4j/59.1/

        We could push a snapshot in a few days, and expect the release by the end of October.

        https://github.com/blazegraph/bigdata/pull/515

        waynedgrant Wayne Grant added a comment -

        How are you looking for an end of October release, Brad?

        beebs Brad Bebee added a comment -

        This change will require a data migration/update using the option below.

        /**
         * <strong>WARNING - The use of this option is dangerous.</strong> This
         * option may be used to update the {@link ICUVersionRecord} associated with
         * the journal. ICU provides a Unicode sort key generation service for
         * bigdata. Unicode sort keys are used in many indices, including the
         * {@link Name2Addr} index. If the new ICU version produces Unicode sort
         * keys which are not binary compatible with the Journal, then your data may
         * become inaccessible since you will be unable to probe the
         * {@link Name2Addr} index to locate named indices. The same problem can
         * manifest with application indices which use Unicode sort keys.
         */
        String UPDATE_ICU_VERSION = AbstractJournal.class.getName() + ".updateICUVersion";
        
        beebs Brad Bebee added a comment -

        You can apply BLZG-9052.patch and use it to create new journals. For existing journals, you need to add the parameter below to the java invocation.

        -Dcom.bigdata.journal.AbstractJournal.updateICUVersion=true
        
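An illustrative model of the gate the option above describes, added here and not Blazegraph's code: a journal records the ICU version that produced its Unicode sort keys, refuses to open under a different ICU version unless the updateICUVersion property is set to true, and, once opened with the override, shows how keys that are not binary compatible make a named index unreachable through Name2Addr. The Journal class, the toy sort_key_old/sort_key_new functions (stand-ins for two collators that merely need to disagree) and the use of 4.8 and 59.1 as the two versions are assumptions for the demonstration; only the property name comes from this thread.

```python
"""Hypothetical model of an ICU version gate on a journal (not Blazegraph's implementation).

The journal stores the ICU version that built its sort keys. Opening it under another
ICU version is refused unless the operator sets the updateICUVersion system property;
even then, stored keys may not match what the new collator computes, so named indices
can become unreachable. unreachable_indices() is the post-migration check for that.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Property name as given in this issue: -Dcom.bigdata.journal.AbstractJournal.updateICUVersion=true
UPDATE_ICU_VERSION = "com.bigdata.journal.AbstractJournal.updateICUVersion"


@dataclass(frozen=True)
class ICUVersionRecord:
    major: int
    minor: int


class ICUVersionMismatch(Exception):
    """Journal's recorded ICU version differs from the running one and no override is set."""


# Constructed stand-ins for sort-key generation under two ICU releases. Real collators
# derive keys via the Unicode Collation Algorithm; these only need to disagree so the
# binary-incompatibility failure mode is visible.
def sort_key_old(name: str) -> bytes:
    return name.encode("utf-8")


def sort_key_new(name: str) -> bytes:
    return name.casefold().encode("utf-8")


class Journal:
    def __init__(self, record: ICUVersionRecord, sort_key: Callable[[str], bytes]):
        self.record = record                      # ICU version that built the stored keys
        self.sort_key = sort_key                  # collator currently in use
        self.name2addr: Dict[bytes, int] = {}     # sort key -> address of the named index

    def register_index(self, name: str, addr: int) -> None:
        self.name2addr[self.sort_key(name)] = addr

    def open_with(self, running: ICUVersionRecord, sort_key: Callable[[str], bytes],
                  system_props: Dict[str, str]) -> "Journal":
        """Open under the running ICU version, honouring the updateICUVersion override."""
        if running != self.record:
            if system_props.get(UPDATE_ICU_VERSION, "false").lower() != "true":
                raise ICUVersionMismatch(
                    f"journal built with ICU {self.record}, running ICU {running}; "
                    f"set -D{UPDATE_ICU_VERSION}=true to override")
            self.record = running                 # operator accepted the risk: update the record
        self.sort_key = sort_key
        return self

    def lookup(self, name: str) -> Optional[int]:
        """Probe Name2Addr with a key computed by the current collator."""
        return self.name2addr.get(self.sort_key(name))

    def unreachable_indices(self, names: List[str]) -> List[str]:
        """Post-migration check: named indices whose stored key no longer matches."""
        return [n for n in names if self.lookup(n) is None]


OLD, NEW = ICUVersionRecord(4, 8), ICUVersionRecord(59, 1)


def demo() -> dict:
    """Build a journal under the old version, then open it under the new one."""
    j = Journal(OLD, sort_key_old)
    j.register_index("Kb", 0x1000)      # mixed case: old and new keys differ
    j.register_index("lex", 0x2000)     # lower case: keys agree across versions
    try:
        j.open_with(NEW, sort_key_new, {})
        refused = False
    except ICUVersionMismatch:
        refused = True
    j.open_with(NEW, sort_key_new, {UPDATE_ICU_VERSION: "true"})
    return {
        "refused_without_flag": refused,
        "record_after_override": j.record,
        "unreachable": j.unreachable_indices(["Kb", "lex"]),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the second half of the warning in the Javadoc above: the override only updates the version record, it does not rewrite stored keys, so after setting the property an operator should run a reachability check over the named indices before trusting the store.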

          People

          Assignee: beebs Brad Bebee
          Reporter: niallmac Niall Maclean