From 1c0fc175a73f60ababb6fba26472c3d5df7ebadf Mon Sep 17 00:00:00 2001
From: Hazmi <ialhazmim@gmail.com>
Date: Mon, 14 Oct 2024 13:24:59 +0300
Subject: [PATCH] Upgrade avro & its dependencies to resolve CVEs

Upgrade avro & its dependencies to resolve CVE-2024-47561
If applied, this will:
Upgrade avro to version 1.11.4
Upgrade commons-compress to version 1.26.2
Upgrade commons-codec to version 1.17.0
Upgrade commons-lang3 to version 3.14.0
Upgrade commons-io to version 2.16.1
---
 pom.xml                 | 14 ++++++++++----
 presto-accumulo/pom.xml |  1 -
 presto-bigquery/pom.xml |  8 +-------
 3 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/pom.xml b/pom.xml
index e0b1375ef2c68..31bf09653c8d5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -79,8 +79,8 @@
         <dep.guava.version>32.1.0-jre</dep.guava.version>
         <dep.jackson.version>2.11.0</dep.jackson.version>
         <dep.j2objc.version>2.8</dep.j2objc.version>
-        <dep.avro.version>1.11.3</dep.avro.version>
-        <dep.commons.compress.version>1.23.0</dep.commons.compress.version>
+        <dep.avro.version>1.11.4</dep.avro.version>
+        <dep.commons.compress.version>1.26.2</dep.commons.compress.version>
         <dep.protobuf-java.version>3.25.5</dep.protobuf-java.version>
 
         <!--
@@ -314,7 +314,7 @@
             <dependency>
                 <groupId>commons-io</groupId>
                 <artifactId>commons-io</artifactId>
-                <version>2.16.0</version>
+                <version>2.16.1</version>
             </dependency>
 
             <dependency>
@@ -1742,7 +1742,7 @@
             <dependency>
                 <groupId>commons-codec</groupId>
                 <artifactId>commons-codec</artifactId>
-                <version>1.15</version>
+                <version>1.17.0</version>
             </dependency>
 
             <dependency>
@@ -2001,6 +2001,12 @@
                 <version>2.6.2</version>
             </dependency>
 
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-lang3</artifactId>
+                <version>3.14.0</version>
+            </dependency>
+
             <dependency>
                 <groupId>com.orange.redis-embedded</groupId>
                 <artifactId>embedded-redis</artifactId>
diff --git a/presto-accumulo/pom.xml b/presto-accumulo/pom.xml
index d4501e67070cb..4a543ed45b66a 100644
--- a/presto-accumulo/pom.xml
+++ b/presto-accumulo/pom.xml
@@ -232,7 +232,6 @@
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
-            <version>3.4</version>
         </dependency>
 
         <dependency>
diff --git a/presto-bigquery/pom.xml b/presto-bigquery/pom.xml
index 2b11bf1428b42..84f2b53be2c32 100644
--- a/presto-bigquery/pom.xml
+++ b/presto-bigquery/pom.xml
@@ -47,7 +47,7 @@
             <dependency>
                 <groupId>org.apache.commons</groupId>
                 <artifactId>commons-lang3</artifactId>
-                <version>3.11</version>
+                <version>3.14.0</version>
             </dependency>
 
             <dependency>
@@ -74,12 +74,6 @@
                 <version>0.22.2</version>
             </dependency>
 
-            <dependency>
-                <groupId>commons-codec</groupId>
-                <artifactId>commons-codec</artifactId>
-                <version>1.13</version>
-            </dependency>
-
             <dependency>
                 <groupId>io.grpc</groupId>
                 <artifactId>grpc-context</artifactId>