[Security] 3.0.2 and 3.1.1 has 2 fixable security vulnerabilities.

[compuguy]

Search before asking

• [X] I searched in the issues and found nothing similar.

Version

The second candidate for v3.0.2 and release 3.1.1.

Minimal reproduce step

Used a container security scanner included with Red Hat Advanced Cluster Security for Kubernetes, Stackrox Scanner.

What did you expect to see?

Vulnerabilities that should have been fixed in 3.0.2 are showing up with the included version of Trino version 368.

What did you see instead?

• 2 Vulnerabilities that can be fixed CVE-2021-42550 - Logback-core - currently using version 1.2.3 CVE-2023-3635 - Okio - currently using version 3.14.9

• 1 of them maybe a false positive: CVE-2023-4586 - Netty - currently using 4.1.100.final CVE-2023-0833 - Okhttp - currently using version 1.17.2 (Talks about RH AMQ-Streams; may not be relevant to Pulsar)?

Anything else?

Some of this has been mentioned in #18348 previously. Issue should not be tagged as type/bug but component/security.

Should upgrade Trino from 368 to 430, if possible.

Are you willing to submit a PR?

• [ ] I'm willing to submit a PR!

[Technoboy-]

I will try to upgrade and test.

[compuguy]

Just to update this issue, I'm not sure if CVE-2023-0833 is related to Pulsar. It mentions a vulnerability with Red Hat's AMQ-Streams,....