PyPI: graphscope

CVE-2021-29425

Transitive

Safety vulnerability ID: 42560


The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Apr 13, 2021 Updated at Nov 29, 2024

Advisory

GraphScope 0.7.0 updates its Java dependency Apache Commons IO to v2.7, the release that fixes CVE-2021-29425. In Commons IO before 2.7, `FilenameUtils.normalize` returned inputs such as `//../foo` or `\\..\foo` unchanged instead of rejecting them, so code that used the normalized value to build a file path could be made to reach the parent directory (a limited path traversal, one level up rather than arbitrary depth). The issue is transitive: it lives in the Java engine that the graphscope Python package drives, not in the Python code itself, and graphscope releases before 0.7.0 pull in the affected Commons IO version.
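The check a practitioner wants here is whether a deployed GraphScope install still ships a Commons IO jar older than 2.7. The Python script below is an added example written for this page, not code from Safety or the GraphScope project. It assumes the jar is present on disk either under a Maven-style name such as `commons-io-2.6.jar` or under a versionless name whose `META-INF/MANIFEST.MF` carries an `Implementation-Version` or `Bundle-Version` header; the three sample jars it writes into a temporary directory are constructed for the demo.

```python
"""Audit a directory tree for Apache Commons IO jars affected by CVE-2021-29425."""
import os
import re
import tempfile
import zipfile
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# CVE-2021-29425 is fixed in Apache Commons IO 2.7; anything older is affected.
FIXED_VERSION: Version = (2, 7)

# Artifact names such as "commons-io-2.6.jar" or "commons-io-2.11.0.jar".
JAR_NAME_RE = re.compile(r"^commons-io-(\d+(?:\.\d+)*)\.jar$")
# Assumption: a versionless jar still states its version in one of these headers.
MANIFEST_KEYS = ("Implementation-Version", "Bundle-Version")


def parse_version(text: str) -> Version:
    """'2.6' -> (2, 6); '2.11.0' -> (2, 11, 0). Tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: Version) -> bool:
    """True for any Commons IO release strictly below 2.7."""
    return version < FIXED_VERSION


def version_from_name(filename: str) -> Optional[Version]:
    """Read the version encoded in a Maven-style jar file name, if present."""
    match = JAR_NAME_RE.match(os.path.basename(filename))
    return parse_version(match.group(1)) if match else None


def version_from_manifest(jar_path: str) -> Optional[Version]:
    """Fallback for jars without a version in their name: read META-INF/MANIFEST.MF."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (OSError, KeyError, zipfile.BadZipFile):
        return None
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in MANIFEST_KEYS:
            digits = re.match(r"\d+(?:\.\d+)*", value.strip())
            if digits:
                return parse_version(digits.group(0))
    return None


def audit_jars(root: str) -> List[Tuple[str, Version]]:
    """Walk `root` and return (path, version) for every Commons IO jar below 2.7.
    Jars whose version cannot be determined are skipped, not reported."""
    findings: List[Tuple[str, Version]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not (name.startswith("commons-io") and name.endswith(".jar")):
                continue
            path = os.path.join(dirpath, name)
            version = version_from_name(name) or version_from_manifest(path)
            if version is not None and is_vulnerable(version):
                findings.append((path, version))
    return sorted(findings)


def _write_jar(path: str, manifest_version: Optional[str] = None) -> None:
    """Create a minimal jar (a zip with only a manifest) for the constructed sample tree."""
    body = "Manifest-Version: 1.0\n"
    if manifest_version:
        body += f"Implementation-Version: {manifest_version}\n"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", body)


def build_sample_tree(root: str) -> None:
    """Constructed sample data: a jar versioned in its name (affected), a versionless
    jar whose manifest says 2.5 (affected), and a fixed 2.7 jar (clean)."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    _write_jar(os.path.join(lib, "commons-io-2.6.jar"))
    _write_jar(os.path.join(lib, "commons-io.jar"), manifest_version="2.5")
    _write_jar(os.path.join(lib, "commons-io-2.7.jar"))


def run_demo() -> List[Tuple[str, Version]]:
    """Build the sample tree in a temp dir, audit it, and return (basename, version)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(os.path.basename(p), v) for p, v in audit_jars(root)]


if __name__ == "__main__":
    for name, version in run_demo():
        print(f"AFFECTED {name}: commons-io {'.'.join(map(str, version))} < 2.7")
```

Point `audit_jars` at the site-packages directory of the environment (or the engine image's library path) instead of the demo tree. The scan keys on the jar file name, so a shaded or uber jar that relocates Commons IO classes under another artifact name is not detected; for those, inspect the jar's class list or the build's dependency report instead.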

Affected package

graphscope

Latest version: 0.29.0

None

Affected versions

Fixed versions

Vulnerability changelog

We are glad to announce the availability of GraphScope v0.7. This release includes major updates for the persistent graph store in GraphScope, providing APIs for real-time graph updates (inserts and deletes of individual vertices and edges). It also focuses on user-friendly improvements, security issues, code quality, and a series of bug fixes.

We highlight the following improvements included in this release:

1. Apart from bulk loading, **this release introduces a set of APIs for real-time graph updates.** Currently, these APIs have supported the following functions:

- Insert/delete one or multiple vertices/edges;
- Update properties of a specific vertex/edge.

For more details, refer to [this](https://github.com/alibaba/GraphScope/blob/main/docs/persistent_graph_store.rst#realtime-write).

2. **User-friendly improvement**

- Revise error handling in GraphScope and improve all error messages reported to users;
- Add a [document](https://github.com/alibaba/GraphScope/blob/main/docs/persistent_graph_store.rst) to describe persistent graph store in GraphScope;
- The logs in the `err` channel are always fetched to the client for debugging;
- The [bulk-loading tool](https://github.com/alibaba/GraphScope/releases/download/v0.7.0/graphscope_store_data_load.tar.gz) of the persistent graph store is released to help load graphs into the store;
- Revise some descriptions for APIs in documents.

3. **Optimizations and enhancements**

- Use [zetcd](https://github.com/etcd-io/zetcd) to replace zookeeper in the graph interactive engine;
- Update third-party dependencies to address some security issues;
- More test coverage for GAIA and the client;
- Integrate GIE GraphManager into Coordinator;
- During `sess.gremlin`, the pod is no longer created dynamically, which reduces the response time.

**Some Breaking API Changes:**

- Remove GIE GraphManager role.
- Remove zookeeper and replace with zetcd.
- `k8s_gie_graph_manager_image`, `k8s_gie_graph_manager_cpu` and `k8s_gie_graph_manager_mem` are deprecated.
- `k8s_zookeeper_image`, `k8s_zookeeper_cpu` and `k8s_zookeeper_mem` are deprecated.
- `k8s_gie_gremlin_server_cpu` and `k8s_gie_gremlin_server_mem` are deprecated.

For more detailed improvements that have been made in this release, please refer to the complete changelog.

Commits
- [82c9aab3]: Fixes io loop event exception by closing gremlin python client (788) (DongZe Li)
- [b152c3e2]: Fix inaccurate internal error code (787) (Siyuan Zhang)
- [dc8f214c]: Fix restart test of GraphScope-Store(784) (tianliplus)
- [42a9e8ef]: Fixes the condition of whether vineyard exists. (782) (Tao He)
- [352be042]: Install GraphScope into /opt/graphscope and link to the /usr/local (767) (DongZe Li)
- [74b13bf1]: Vineyard is no longer a hard dependency for the client package. (780) (Tao He)
- [684522a4]: Revise error messages and handling of GRPC exception. (751) (Siyuan Zhang)
- [f4905b2f]: add doc for persistent graph store (765) (tianliplus)
- [54e32adc]: Config coordinator logger to handle warning level to stderr (764) (Weibin Zeng)
- [a0a1165e]: Fixes the sphinx and docutil version to make sure lists are rendered. (766) (Tao He)
- [8e21257c]: Fix pegasus service to run multiple executors (754) (shirly121)
- [845ba6d0]: Output the graphscope-store log to both console and file (749) (Weibin Zeng)
- [96fba3d1]: Add a ci to test loading graph from HDFS (750) (Weibin Zeng)
- [1e602fc2]: Remove the legacy code related to graph manager and make default user 'graphscope' in graphscope-store image (748) (DongZe Li)
- [e6861434]: Fetch stdout and stderr log of grape engine separately (744) (Weibin Zeng)
- [22db6d95]: Enables GAIA to run on the Kubernetes environment (732) (DongZe Li)
- [4508158c]: Fix edge id encoding for v2 (743) (shirly121)
- [9e8e066d]: Implement realtime write API in Python side, and add tests in CI. (721) (Siyuan Zhang)
- [e013e3b1]: Add unified Tinkerpop version variable to reduce duplicate constant in pom (735) (shirly121)
- [741ccfe4]: Provide a method to print human readable schema for Context. (734) (Siyuan Zhang)
- [434b8729]: Upgrade tinkerpop & groovy (714) (shirly121)
- [f1307ef7]: Replace zookeeper with zetcd+etcd (722) (Weibin Zeng)
- [61bdc84a]: Allow the session to be reconnectable, even not reaching dangling timeout (733) (Tao He)
- [0b341e17]: Update README by adding publications. (Jingbo Xu)
- [fd2d0429]: Push docs for tags as well. (728) (Tao He)
- [4c82d024]: Remove unused files (720) (BingqingLyu)
- [9e9a52de]: Add notes for self-hosted runner (723) (Siyuan Zhang)
- [cea8fb1a]: Fix gremlin test hang by move gss-test to self-hosted runner (717) (tianliplus)
- [ea450f03]: Fix store warning (718) (tianliplus)
- [d18a82e8]: Improve Cython API doc by adding 'graphscope.declare' 'graphscope.Vertex' in cython_sdk.rst (719) (DongZe Li)
- [07ed08ea]: Make I/O a lazy DAGNode in the coordinator (715) (DongZe Li)
- [358fc7de]: Fixes for CXX_FLAGS detection on Linux with LLVM compiler. (716) (Tao He)
- [fe4837b7]: Adapt to latest vineyard: the `Create()` API has changed. (713) (Tao He)
- [9405412f]: Add GAIA on vineyard test (708) (shirly121)
- [e0927741]: Implement degree assortativity coefficient app (492) (Xinger)
- [3105127a]: Missing close method in RPC client. (704) (DongZe Li)
- [fe37bee5]: remove unused file (705) (shirly121)
- [c07654de]: Remove dependency of v2 from gaia-adaptor (702) (shirly121)
- [66706e72]: Fix docker-nightly ci with short sha (703) (Weibin Zeng)
- [b1c914a0]: Fix variable names when starting GIE instance (700) (Siyuan Zhang)
- [14eee011]: Update cmake minimum version to 3.1 for gie (699) (Weibin Zeng)
- [ce261cb8]: An ad-hoc solution to find frontend port from log file (693) (Weibin Zeng)
- [6ce1e8ac]: Add BiparteGraphSage tutorial to show use of categorical_attrs_desc (691) (Weibin Zeng)
- [f8fa4f6f]: Fix docker nightly ci: schedule time and gstest clean (688) (Weibin Zeng)
- [16c0c722]: Upgrade the graphlearn submodule to fixes a "get attribute" bug in GLE. (687) (Tao He)
- [521e1957]: Fix failure of launching learning engine by allowing pickle None value (686) (DongZe Li)
- [c4355911]: remove pom (680) (tianliplus)
- [35b2fdfe]: Improve calculateQ efficiency in Louvain (614) (Siyuan Zhang)
- [79ec8008]: Upgrade dependency (674) (shirly121)
- [40ad8cfd]: fix sending unvalidated data to a web browser (671) (shirly121)
- [3ec9bdb5]: Add a schedule ci to test docker file in k8s (634) (Weibin Zeng)
- [b9183682]: upgrade smallvec to 0.6.14 as recommended (675) (BingqingLyu)
- [8c28beb3]: support java16 && upgrade rust toolchain (668) (tianliplus)
- [c90a258a]: Fix warnings in pegasus and runtime in interactive engine (670) (BingqingLyu)
- [adb04c92]: refine gremlin test (663) (tianliplus)
- [bd877ffe]: upgrade crossbeam-channel from 0.3.x to 0.4.4 as suggested (656) (BingqingLyu)
- [fcca5f2a]: update image links (658) (Siyuan Zhang)

Resources


Severity Details

CVSS Base Score

MEDIUM 4.8

CVSS v3 Details

MEDIUM 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): LOW
Integrity Impact (I): LOW
Availability Impact (A): NONE

CVSS v2 Details

MEDIUM 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (Au): NONE
Confidentiality Impact (C): PARTIAL
Integrity Impact (I): PARTIAL
Availability Impact (A): NONE