chore(hive): Bump dependencies ahead of 25.7.0 (#1100)

* chore(hive): Bump dependencies ahead of 25.7.0

* fix(java): Use vector 0.46.1

This was missed in #1098

* chore(hive): Patch postgres to resolve CVE-2024-1597

* chore(nix): Bump image-utils for newer bake

Note: Should have been done as part of #1118

* chore(nix): Bump nixpkgs and install nodejs_20 to keep pre-commit happy

I was getting the following error:

```
An unexpected error has occurred: CalledProcessError: command: ('/nix/store/15jzs4a11nqp4m1xvnw0rz9395anzjsm-nodejs-18.20.8/bin/node', '/run/current-system/sw/bin/npm', 'install', '--include=dev', '--include=prod', '--ignore-prepublish', '--no-progress', '--no-save')
return code: 1
stdout: (none)
stderr:
    npm error code EBADENGINE
    npm error engine Unsupported engine
    npm error engine Not compatible with your version of node/npm: markdownlint-cli@0.45.0
    npm error notsup Not compatible with your version of node/npm: markdownlint-cli@0.45.0
    npm error notsup Required: {"node":">=20"}
    npm error notsup Actual:   {"npm":"10.8.2","node":"v18.20.8"}
    npm error A complete log of this run can be found in: /home/nick/.npm/_logs/2025-05-28T10_40_07_463Z-debug-0.log
Check the log at /home/nick/.cache/pre-commit/pre-commit.log
```

* chore(hive): Revert hadoop and aws bumps, update changelog

Author: NickLarsenNZ

CHANGELOG.md

@@ -88,6 +88,8 @@ All notable changes to this project will be documented in this file.
 - zookeeper: reduce docker image size by removing the recursive chown/chmods in the final image ([#1043]).
 - Fixed two hardcoded username references ([#1052]).
 - ubi9-rust-builder: Use pinned `rustup` version ([#1121]).
+- hive: Patch for postgres CVE-2024-1597 ([#1100]).
+- bump image-tools (for `bake`) and nixpkgs (for `nodejs_20`, used by pre-commit) ([#1100]).
 
 ### Removed
 
@@ -133,6 +135,7 @@ All notable changes to this project will be documented in this file.
 [#1097]: https://github.com/stackabletech/docker-images/pull/1097
 [#1098]: https://github.com/stackabletech/docker-images/pull/1098
 [#1099]: https://github.com/stackabletech/docker-images/pull/1099
+[#1100]: https://github.com/stackabletech/docker-images/pull/1100
 [#1101]: https://github.com/stackabletech/docker-images/pull/1101
 [#1102]: https://github.com/stackabletech/docker-images/pull/1102
 [#1103]: https://github.com/stackabletech/docker-images/pull/1103

hive/Dockerfile

@@ -75,6 +75,10 @@ ln -s "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar" /stackable/j
 
 # Add S3 Support for Hive (support for s3a://)
 cp /stackable/hadoop-${HADOOP}/share/hadoop/tools/lib/hadoop-aws-${HADOOP}.jar /stackable/apache-hive-metastore-${PRODUCT}-bin/lib/
+
+# According to https://hadoop.apache.org/docs/stable/hadoop-aws/tools/hadoop-aws/aws_sdk_upgrade.html, the jar filename has changed from
+# aws-java-sdk-bundle-${AWS_JAVA_SDK_BUNDLE}.jar to bundle-${AWS_JAVA_SDK_BUNDLE}.jar. In future, you might need to do:
+# cp /stackable/hadoop-${HADOOP}/share/hadoop/tools/lib/bundle-${AWS_JAVA_SDK_BUNDLE}.jar /stackable/apache-hive-metastore-${PRODUCT}-bin/lib/
 cp /stackable/hadoop-${HADOOP}/share/hadoop/tools/lib/aws-java-sdk-bundle-${AWS_JAVA_SDK_BUNDLE}.jar /stackable/apache-hive-metastore-${PRODUCT}-bin/lib/
 
 # Add Azure ABFS support (support for abfs://)

hive/stackable/patches/4.0.0/0005-Fix-CVE-2024-1597.patch

@@ -0,0 +1,47 @@
+From 85fab788520b73e514e52e0753d36dafdf513e5b Mon Sep 17 00:00:00 2001
+From: Nick Larsen <nick.larsen@stackable.tech>
+Date: Thu, 15 May 2025 14:14:28 +0200
+Subject: Fix CVE-2024-1597
+
+See https://github.com/stackabletech/vulnerabilities/issues/681
+
+pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using
+PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there
+is no vulnerability. A placeholder for a numeric value must be immediately
+preceded by a minus. There must be a second placeholder for a string value after
+the first placeholder; both must be on the same line. By constructing a matching
+string payload, the attacker can inject SQL to alter the query,bypassing the
+protections that parameterized queries bring against SQL Injection attacks.
+Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are
+affected.
+---
+ pom.xml                      | 2 +-
+ standalone-metastore/pom.xml | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pom.xml b/pom.xml
+index a4dfc8d1e4..699228cba3 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -178,7 +178,7 @@
+     <mariadb.version>2.5.0</mariadb.version>
+     <mssql.version>6.2.1.jre8</mssql.version>
+     <mysql.version>8.0.31</mysql.version>
+-    <postgres.version>42.5.1</postgres.version>
++    <postgres.version>42.5.6</postgres.version>
+     <oracle.version>21.3.0.0</oracle.version>
+     <opencsv.version>2.3</opencsv.version>
+     <orc.version>1.8.5</orc.version>
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index cd34884e3b..da84c8928e 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -72,7 +72,7 @@
+     <mariadb.version>2.5.0</mariadb.version>
+     <mssql.version>6.2.1.jre8</mssql.version>
+     <mysql.version>8.0.31</mysql.version>
+-    <postgres.version>42.5.1</postgres.version>
++    <postgres.version>42.5.6</postgres.version>
+     <oracle.version>21.3.0.0</oracle.version>
+     <dropwizard-metrics-hadoop-metrics2-reporter.version>0.1.2
+     </dropwizard-metrics-hadoop-metrics2-reporter.version>

hive/stackable/patches/4.0.1/0005-Fix-CVE-2024-1597.patch

@@ -0,0 +1,47 @@
+From 134b9e22475b3ae59eabbc0bf5c188912dc2393b Mon Sep 17 00:00:00 2001
+From: Nick Larsen <nick.larsen@stackable.tech>
+Date: Thu, 15 May 2025 14:14:28 +0200
+Subject: Fix CVE-2024-1597
+
+See https://github.com/stackabletech/vulnerabilities/issues/681
+
+pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using
+PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there
+is no vulnerability. A placeholder for a numeric value must be immediately
+preceded by a minus. There must be a second placeholder for a string value after
+the first placeholder; both must be on the same line. By constructing a matching
+string payload, the attacker can inject SQL to alter the query,bypassing the
+protections that parameterized queries bring against SQL Injection attacks.
+Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are
+affected.
+---
+ pom.xml                      | 2 +-
+ standalone-metastore/pom.xml | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pom.xml b/pom.xml
+index 1898adeebe..89cf93ed37 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -179,7 +179,7 @@
+     <mariadb.version>2.5.0</mariadb.version>
+     <mssql.version>6.2.1.jre8</mssql.version>
+     <mysql.version>8.0.31</mysql.version>
+-    <postgres.version>42.5.1</postgres.version>
++    <postgres.version>42.5.6</postgres.version>
+     <oracle.version>21.3.0.0</oracle.version>
+     <opencsv.version>2.3</opencsv.version>
+     <orc.version>1.8.5</orc.version>
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index 599ad33ed0..17dfe063e8 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -73,7 +73,7 @@
+     <mariadb.version>2.5.0</mariadb.version>
+     <mssql.version>6.2.1.jre8</mssql.version>
+     <mysql.version>8.0.31</mysql.version>
+-    <postgres.version>42.5.1</postgres.version>
++    <postgres.version>42.5.6</postgres.version>
+     <oracle.version>21.3.0.0</oracle.version>
+     <dropwizard-metrics-hadoop-metrics2-reporter.version>0.1.2
+     </dropwizard-metrics-hadoop-metrics2-reporter.version>

nix/sources.json

@@ -1,6 +1,7 @@
-{ sources ? import ./nix/sources.nix
-, nixpkgs ? sources.nixpkgs
-, pkgs ? import nixpkgs { }
+{
+  sources ? import ./nix/sources.nix,
+  nixpkgs ? sources.nixpkgs,
+  pkgs ? import nixpkgs { },
 }:
 
 let
@@ -9,6 +10,7 @@ in
 pkgs.mkShell {
   packages = [
     bake
+    pkgs.nodejs_20
   ];
 
   buildInputs = [