
[Security] Bump opensearch from 2.5.0 to 2.11.1

Bumps opensearch from 2.5.0 to 2.11.1. This update includes a security fix.

Vulnerabilities fixed

OpenSearch StackOverflow vulnerability

Impact

A flaw was discovered in OpenSearch, affecting the _search API that allowed a specially crafted query string to cause a Stack Overflow and ultimately a Denial of Service.

The issue was identified by Elastic Engineering and corresponds to security advisory ESA-2023-14 (CVE-2023-31419).

Mitigation

Versions 1.3.14 and 2.11.1 contain a fix for this issue.

For more information

If you have any questions or comments about this advisory, please contact AWS/Amazon Security via our issue reporting page (https://aws.amazon.com/security/vulnerability-reporting/) or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Patched versions: 2.11.1

Affected versions: >= 2.0.0, < 2.11.1
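A quick way to check a node against the range stated in this advisory is to read the version from the node's root endpoint and compare it. The script below is an added example written for this page, not code from OpenSearch or from the advisory. It encodes only the affected range listed above (>= 2.0.0, < 2.11.1); the 1.x line is reported as "unlisted" because the page names 1.3.14 as carrying a fix but gives no affected range for it. The sample JSON is constructed to mirror the shape of an OpenSearch `GET /` response and was not captured from a real cluster.

```python
import json
import sys

# Range copied from the advisory on this page. Nothing else is assumed about 2.x.
AFFECTED_LOW = (2, 0, 0)
FIXED_2X = (2, 11, 1)


def parse_version(text: str) -> tuple:
    """Turn '2.10.0' or '2.11.1-SNAPSHOT' into a comparable (major, minor, patch) tuple.

    A pre-release suffix after '-' is ignored; the range check is on the core version.
    """
    core = text.split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def cve_2023_31419_status(version: str) -> str:
    """Classify a version string against the advisory's stated range.

    Returns 'affected', 'fixed' or 'unlisted' (1.x, which the page does not range).
    """
    v = parse_version(version)
    if AFFECTED_LOW <= v < FIXED_2X:
        return "affected"
    if v >= FIXED_2X:
        return "fixed"
    return "unlisted"


def status_from_root_response(body: str) -> str:
    """Evaluate the JSON body returned by GET / on an OpenSearch node.

    The 'distribution' field is checked so an Elasticsearch node, which also reports
    a version.number, is not silently classified against an OpenSearch range.
    """
    doc = json.loads(body)
    version = doc.get("version", {})
    if version.get("distribution") != "opensearch":
        raise ValueError("not an OpenSearch node: distribution=%r" % version.get("distribution"))
    return cve_2023_31419_status(version["number"])


# Constructed sample (hypothetical node, not a real capture) in the shape of GET /.
SAMPLE_ROOT_RESPONSE = json.dumps({
    "name": "node-1",
    "cluster_name": "example-cluster",
    "version": {"distribution": "opensearch", "number": "2.10.0"},
})

if __name__ == "__main__":
    # Usage: curl -s http://localhost:9200/ | python3 check_opensearch.py
    print(status_from_root_response(sys.stdin.read() or SAMPLE_ROOT_RESPONSE))
```

Run it against each node rather than once per cluster: a rolling upgrade leaves mixed versions, and the root endpoint of a load-balanced address only reports whichever node answered.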

Release notes

Sourced from opensearch's releases.

2.11.1

2023-11-20 Version 2.11.1 Release Notes

[2.11.1]

Changed

  • Use iterative approach to evaluate Regex.simpleMatch (#11060)

Fixed

  • [BUG] Disable sort optimization for HALF_FLOAT (#10999)
  • Adding version condition while adding geoshape doc values to the index, to ensure backward compatibility. (#11095)
  • Remove shadowJar from lang-painless module publication (#11369)

2.11.0

2023-10-12 Version 2.11.0 Release Notes

[2.11]

Added

  • Add coordinator level stats for search latency (#8386)
  • Add metrics for thread_pool task wait time (#9681)
  • Async blob read support for S3 plugin (#9694)
  • [Telemetry-Otel] Added support for OtlpGrpcSpanExporter exporter (#9666)
  • Async blob read support for encrypted containers (#10131)
  • Implement Visitor Design pattern in QueryBuilder to enable the capability to traverse through the complex QueryBuilder tree. (#10110)
  • Add capability to restrict async durability mode for remote indexes (#10189)
  • Add Doc Status Counter for Indexing Engine (#4562)
  • Add unreferenced file cleanup count to merge stats (#10204)
  • Configurable merge policy for index with an option to choose from LogByteSize and Tiered merge policy (#9992)
  • [Remote Store] Add support to restrict creation & deletion if system repository and mutation of immutable settings of system repository (#9839)
  • Improve compressed request handling (#10261)

Dependencies

  • Bump JNA version from 5.5 to 5.13 (#9963)
  • Bump peter-evans/create-or-update-comment from 2 to 3 (#9575)
  • Bump actions/checkout from 2 to 4 (#9968)
  • Bump OpenTelemetry from 1.26.0 to 1.30.1 (#9950)
  • Bump org.apache.commons:commons-compress from 1.23.0 to 1.24.0 (#9973, #9972)
  • Bump com.google.cloud:google-cloud-core-http from 2.21.1 to 2.23.0 (#9971)
  • Bump mockito from 5.4.0 to 5.5.0 (#10022)
  • Bump bytebuddy from 1.14.3 to 1.14.7 (#10022)
  • Bump com.zaxxer:SparseBitSet from 1.2 to 1.3 (#10098)
  • Bump tibdex/github-app-token from 1.5.0 to 2.1.0 (#10125)
  • Bump org.wiremock:wiremock-standalone from 2.35.0 to 3.1.0 (#9752)
  • Bump org.eclipse.jgit from 6.5.0 to 6.7.0 (#10147)
  • Bump codecov/codecov-action from 2 to 3 (#10209)
  • Bump com.google.http-client:google-http-client-jackson2 from 1.43.2 to 1.43.3 (#10126)
  • Bump org.xerial.snappy:snappy-java from 1.1.10.3 to 1.1.10.5 (#10206, #10299)
  • Bump org.bouncycastle:bcpkix-jdk15to18 from 1.75 to 1.76 (#10219)
  • Bump org.bouncycastle:bcprov-jdk15to18 from 1.75 to 1.76 (#10219)

... (truncated)

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
