CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1

Open ssainz opened this issue 3 years ago • 8 comments

Describe the bug CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1

To Reproduce: please check the vulnerability section in https://github.com/google/guava/issues/4011

Expected behavior Upgrading to v30.1.1 will mitigate this vulnerability.

Screenshots If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: all
  • Browser: all
  • Version: all

Smartphone (please complete the following information):

  • Device: [e.g. iPhone6]
  • OS: [e.g. iOS8.1]
  • Browser [e.g. stock browser, safari]
  • Version [e.g. 22]

Additional context Add any other context about the problem here.

ssainz avatar Jun 14 '21 16:06 ssainz

@ssainz Hello, it seems to be resolved. #2202

luocooong avatar Jun 17 '21 11:06 luocooong

Unless there is any objection, I'm going to close this as it should be resolved in Drill 1.19.

cgivre avatar Jun 17 '21 18:06 cgivre

Hello there @luocooong, @cgivre - defect not fixed. Please check this line:

https://github.com/apache/drill/blob/master/pom.xml#L49

Shaded guava still refers to guava 28.2, thus CVE-2020-8908 remains in Drill 1.19.

ssainz avatar Jun 18 '21 12:06 ssainz

@ssainz YES. Thanks for the reminder. @vdiravka has already started the process of updating Drill shaded Guava.

luocooong avatar Jun 19 '21 11:06 luocooong

Can this be closed?

pjfanning avatar Jun 17 '22 19:06 pjfanning

Can this be closed?

I think this is still valid, but not sure. @vdiravka do you know the current status?

cgivre avatar Jun 17 '22 20:06 cgivre

Hi - the shaded guava seems to still be 28.2, so it is not fixed yet ~ https://github.com/apache/drill/blob/master/pom.xml#L52

<shaded.guava.version>28.2-jre</shaded.guava.version>

ssainz avatar Jun 18 '22 15:06 ssainz

https://github.com/google/guava/issues/4011 affects a deprecated method and it only affects Drill if Drill uses the deprecated method in the shaded org.apache.drill.shaded.guava.com.google.common.io.Files class. I see no evidence that Drill uses this method.

pjfanning avatar Jun 18 '22 16:06 pjfanning
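A way to verify the claim in the last comment, added here as an example and not taken from the Drill project or from anyone in this thread: the method behind CVE-2020-8908 is Guava's `Files.createTempDir()`, and the shaded copy under `org.apache.drill.shaded.guava.com.google.common.io.Files` keeps the same method name, so a defender can scan both the source tree and the built jars for call sites instead of relying on a version number alone. The fixture files and class names (`SpillDir`, `SpillDirNio`) are constructed for the demonstration; the jar check assumes `unzip` is on PATH.

```shell
#!/bin/sh
# Added example (not Drill project code): locate call sites of Guava's
# Files.createTempDir(), the method behind CVE-2020-8908, in a Java source
# tree or in compiled jars. Drill's shaded copy keeps the method name, so the
# same pattern finds both upstream and shaded uses.

# Print "file:line:text" for every createTempDir( call in .java files under $1.
# java.nio.file.Files.createTempDirectory( does not match, because "ectory"
# follows the method name instead of whitespace or "(". /dev/null is passed
# so grep always prefixes the file name, even when find hands it one file.
list_createtempdir_calls() {
    find "$1" -type f -name '*.java' \
        -exec grep -nE 'createTempDir[[:space:]]*\(' /dev/null {} +
}

# Number of such call sites under $1; prints "0" when there are none.
count_createtempdir_calls() {
    list_createtempdir_calls "$1" | wc -l | tr -d ' '
}

# Exit 0 if any .class inside jar $1 references the method. Compiled classes
# store referenced method names as plain UTF-8 in the constant pool, so a
# byte-level search on the extracted class files is enough; the ([^e]|$)
# excludes createTempDirectory. Requires unzip on PATH.
jar_references_createtempdir() {
    unzip -p "$1" '*.class' 2>/dev/null | grep -a -q -E 'createTempDir([^e]|$)'
}

# Constructed fixture (not Drill code): one file calling the deprecated
# shaded method, one using the java.nio.file replacement. Prints the path.
make_constructed_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/uses" "$d/safe"
    cat > "$d/uses/SpillDir.java" <<'EOF'
import org.apache.drill.shaded.guava.com.google.common.io.Files;
public class SpillDir {
    static java.io.File dir() { return Files.createTempDir(); } // deprecated, CVE-2020-8908
}
EOF
    cat > "$d/safe/SpillDirNio.java" <<'EOF'
import java.nio.file.Files;
public class SpillDirNio {
    static java.nio.file.Path dir() throws java.io.IOException { return Files.createTempDirectory("drill"); }
}
EOF
    printf '%s\n' "$d"
}

# Demonstration on the fixture: one hit under uses/, none under safe/.
fixture=$(make_constructed_fixture)
echo "createTempDir() call sites: $(count_createtempdir_calls "$fixture")"
list_createtempdir_calls "$fixture"
rm -rf "$fixture"
```

Run `count_createtempdir_calls` against a Drill checkout and `jar_references_createtempdir` against each jar in the distribution to get a direct answer; the source scan alone misses uses inside third-party dependencies that were compiled against the shaded class, which is why the jar check is included.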