From b9e532fc9397f9bade393adeb92dfce94e5fd857 Mon Sep 17 00:00:00 2001
From: fengyubiao
Date: Sat, 1 Jul 2023 01:08:30 +0800
Subject: [PATCH 1/2] [fix][sec] Upgrade Guava to 32.0.1 to address CVE-2023-2976
---
 buildtools/pom.xml | 2 +-
 distribution/server/src/assemble/LICENSE.bin.txt | 2 +-
 distribution/shell/src/assemble/LICENSE.bin.txt | 2 +-
 pom.xml | 2 +-
 pulsar-sql/presto-distribution/LICENSE | 2 +-
 pulsar-sql/presto-distribution/pom.xml | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/buildtools/pom.xml b/buildtools/pom.xml
index 8d10f19a80ff8..28cbfd92ce62b 100644
--- a/buildtools/pom.xml
+++ b/buildtools/pom.xml
@@ -49,7 +49,7 @@
 3.1.2
 4.1.94.Final
 4.2.3
- 32.0.0-jre
+ 32.0.1-jre
 1.10.12
 2.0
 3.12.4
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
index be97087edb75a..58f63b676fb8c 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -265,7 +265,7 @@ The Apache Software License, Version 2.0
 - com.google.code.gson-gson-2.8.9.jar
 - io.gsonfire-gson-fire-1.8.5.jar
 * Guava
- - com.google.guava-guava-32.0.0-jre.jar
+ - com.google.guava-guava-32.0.1-jre.jar
 - com.google.guava-failureaccess-1.0.1.jar
 - com.google.guava-listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
 * J2ObjC Annotations -- com.google.j2objc-j2objc-annotations-1.3.jar
diff --git a/distribution/shell/src/assemble/LICENSE.bin.txt b/distribution/shell/src/assemble/LICENSE.bin.txt
index 185b66f6cb416..d3b4952ea4f24 100644
--- a/distribution/shell/src/assemble/LICENSE.bin.txt
+++ b/distribution/shell/src/assemble/LICENSE.bin.txt
@@ -326,7 +326,7 @@ The Apache Software License, Version 2.0
 * Gson
 - gson-2.8.9.jar
 * Guava
- - guava-32.0.0-jre.jar
+ - guava-32.0.1-jre.jar
 - failureaccess-1.0.1.jar
 - listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
 * J2ObjC Annotations -- j2objc-annotations-1.3.jar
diff --git a/pom.xml b/pom.xml
index 254609a6f07cb..4f9601e9be508 100644
--- a/pom.xml
+++ b/pom.xml
@@ -202,7 +202,7 @@ flexible messaging model and an intuitive client API.
 2.10.2
 3.3.5
 2.4.16
- 32.0.0-jre
+ 32.0.1-jre
 1.0
 0.16.1
 6.2.8
diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
index 15f20ae7e4ad6..4e0744c9f03c8 100644
--- a/pulsar-sql/presto-distribution/LICENSE
+++ b/pulsar-sql/presto-distribution/LICENSE
@@ -221,7 +221,7 @@ The Apache Software License, Version 2.0
 - jackson-module-jaxb-annotations-2.14.2.jar
 - jackson-module-jsonSchema-2.14.2.jar
 * Guava
- - guava-32.0.0-jre.jar
+ - guava-32.0.1-jre.jar
 - listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
 - failureaccess-1.0.1.jar
 * Google Guice
diff --git a/pulsar-sql/presto-distribution/pom.xml b/pulsar-sql/presto-distribution/pom.xml
index 8335aa3603f63..790061c4b7d6d 100644
--- a/pulsar-sql/presto-distribution/pom.xml
+++ b/pulsar-sql/presto-distribution/pom.xml
@@ -37,7 +37,7 @@
 2.6
 0.0.12
 3.0.5
- 32.0.0-jre
+ 32.0.1-jre
 2.12.1
 2.5.1
 4.0.1
From e41a81938812779c7131c83862d52fbf68427dc8 Mon Sep 17 00:00:00 2001
From: fengyubiao
Date: Tue, 4 Jul 2023 16:51:29 +0800
Subject: [PATCH 2/2] change guava version to 32.1.1-jre
---
 buildtools/pom.xml | 2 +-
 distribution/server/src/assemble/LICENSE.bin.txt | 2 +-
 distribution/shell/src/assemble/LICENSE.bin.txt | 2 +-
 pom.xml | 2 +-
 pulsar-sql/presto-distribution/LICENSE | 2 +-
 pulsar-sql/presto-distribution/pom.xml | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/buildtools/pom.xml b/buildtools/pom.xml
index 28cbfd92ce62b..836e1c5cb5f0e 100644
--- a/buildtools/pom.xml
+++ b/buildtools/pom.xml
@@ -49,7 +49,7 @@
 3.1.2
 4.1.94.Final
 4.2.3
- 32.0.1-jre
+ 32.1.1-jre
 1.10.12
 2.0
 3.12.4
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
index 58f63b676fb8c..1828bdb71005b 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -265,7 +265,7 @@ The Apache Software License, Version 2.0
 - com.google.code.gson-gson-2.8.9.jar
 - io.gsonfire-gson-fire-1.8.5.jar
 * Guava
- - com.google.guava-guava-32.0.1-jre.jar
+ - com.google.guava-guava-32.1.1-jre.jar
 - com.google.guava-failureaccess-1.0.1.jar
 - com.google.guava-listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
 * J2ObjC Annotations -- com.google.j2objc-j2objc-annotations-1.3.jar
diff --git a/distribution/shell/src/assemble/LICENSE.bin.txt b/distribution/shell/src/assemble/LICENSE.bin.txt
index d3b4952ea4f24..e1155edb5ea14 100644
--- a/distribution/shell/src/assemble/LICENSE.bin.txt
+++ b/distribution/shell/src/assemble/LICENSE.bin.txt
@@ -326,7 +326,7 @@ The Apache Software License, Version 2.0
 * Gson
 - gson-2.8.9.jar
 * Guava
- - guava-32.0.1-jre.jar
+ - guava-32.1.1-jre.jar
 - failureaccess-1.0.1.jar
 - listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
 * J2ObjC Annotations -- j2objc-annotations-1.3.jar
diff --git a/pom.xml b/pom.xml
index 4f9601e9be508..43ba5c387d1d5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -202,7 +202,7 @@ flexible messaging model and an intuitive client API.
 2.10.2
 3.3.5
 2.4.16
- 32.0.1-jre
+ 32.1.1-jre
 1.0
 0.16.1
 6.2.8
diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
index 4e0744c9f03c8..fe14b81adf247 100644
--- a/pulsar-sql/presto-distribution/LICENSE
+++ b/pulsar-sql/presto-distribution/LICENSE
@@ -221,7 +221,7 @@ The Apache Software License, Version 2.0
 - jackson-module-jaxb-annotations-2.14.2.jar
 - jackson-module-jsonSchema-2.14.2.jar
 * Guava
- - guava-32.0.1-jre.jar
+ - guava-32.1.1-jre.jar
 - listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
 - failureaccess-1.0.1.jar
 * Google Guice
diff --git a/pulsar-sql/presto-distribution/pom.xml b/pulsar-sql/presto-distribution/pom.xml
index 790061c4b7d6d..1ac764a3c64d9 100644
--- a/pulsar-sql/presto-distribution/pom.xml
+++ b/pulsar-sql/presto-distribution/pom.xml
@@ -37,7 +37,7 @@
 2.6
 0.0.12
 3.0.5
- 32.0.1-jre
+ 32.1.1-jre
 2.12.1
 2.5.1
 4.0.1