From 6704a0288a375f9bb55656d8230287d8363d18fb Mon Sep 17 00:00:00 2001
From: Lari Hotari
Date: Thu, 3 Oct 2024 18:43:11 +0300
Subject: [PATCH 1/4] fix][sec][branch-3.0] Upgrade protobuf-java to 3.25.5 (#23356) (#23357)

(cherry picked from commit c8bb115236cfb6466f81515e4b8c6f3eb84551bf)
---
 distribution/server/src/assemble/LICENSE.bin.txt | 4 ++--
 distribution/shell/src/assemble/LICENSE.bin.txt | 0
 pom.xml | 2 +-
 pulsar-sql/presto-distribution/LICENSE | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)
 create mode 100644 distribution/shell/src/assemble/LICENSE.bin.txt

diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
index 878df7506fd5d..848b14dddbcaa 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -545,8 +545,8 @@ MIT License
 - com.auth0-jwks-rsa-0.22.0.jar
 Protocol Buffers License
 * Protocol Buffers
- - com.google.protobuf-protobuf-java-3.19.6.jar -- licenses/LICENSE-protobuf.txt
- - com.google.protobuf-protobuf-java-util-3.19.6.jar -- licenses/LICENSE-protobuf.txt
+ - com.google.protobuf-protobuf-java-3.25.5.jar -- licenses/LICENSE-protobuf.txt
+ - com.google.protobuf-protobuf-java-util-3.25.5.jar -- licenses/LICENSE-protobuf.txt
 CDDL-1.1 -- licenses/LICENSE-CDDL-1.1.txt
 * Java Annotations API
diff --git a/distribution/shell/src/assemble/LICENSE.bin.txt b/distribution/shell/src/assemble/LICENSE.bin.txt
new file mode 100644
index 0000000000000..e69de29bb2d1d
diff --git a/pom.xml b/pom.xml
index bad3e68627774..788eaaf1626f2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -133,7 +133,7 @@ flexible messaging model and an intuitive client API.
 0.5.0
 1.14.12
 1.17
- 3.19.6
+ 3.25.5
 ${protobuf3.version}
 1.45.1
 1.41.0
diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
index 49ffc9a2748ff..a97157ecc78f6 100644
--- a/pulsar-sql/presto-distribution/LICENSE
+++ b/pulsar-sql/presto-distribution/LICENSE
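Review bot: Patch 1 also creates `distribution/shell/src/assemble/LICENSE.bin.txt` as an empty file (`new file mode 100644`, `index 0000000000000..e69de29bb2d1d`, shown as `| 0` in the diffstat) even though the subject only describes the protobuf-java bump, which looks like a cherry-pick conflict artifact rather than an intended change. An empty third-party license inventory shipped with the shell distribution misleads anyone auditing bundled components, and if the branch-3.0 shell assembly does not reference that path the file is simply dead. Either drop the file from the patch or populate it with the shell distribution's actual license inventory before merging.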
@@ -483,8 +483,8 @@ The Apache Software License, Version 2.0
 Protocol Buffers License
 * Protocol Buffers
- - protobuf-java-3.19.6.jar
- - protobuf-java-util-3.19.6.jar
+ - protobuf-java-3.25.5.jar
+ - protobuf-java-util-3.25.5.jar
 - proto-google-common-protos-2.0.1.jar
 BSD 3-clause "New" or "Revised" License

From f3ffeffc1275241c0547e083ba2f9df3de00110b Mon Sep 17 00:00:00 2001
From: Lari Hotari
Date: Fri, 4 Oct 2024 02:15:47 +0300
Subject: [PATCH 2/4] [fix][sec] Upgrade Avro to 1.11.4 to address CVE-2024-47561 (#23394)

(cherry picked from commit 1d2fc73f2f327bc300e934a7555840a8c0f88faa)
---
 distribution/server/src/assemble/LICENSE.bin.txt | 4 ++--
 pom.xml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
index 848b14dddbcaa..8bb4ebdaa92a8 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -470,8 +470,8 @@ The Apache Software License, Version 2.0
 * zt-zip
 - org.zeroturnaround-zt-zip-1.17.jar
 * Apache Avro
- - org.apache.avro-avro-1.10.2.jar
- - org.apache.avro-avro-protobuf-1.10.2.jar
+ - org.apache.avro-avro-1.11.4.jar
+ - org.apache.avro-avro-protobuf-1.11.4.jar
 * Apache Curator
 - org.apache.curator-curator-client-5.1.0.jar
 - org.apache.curator-curator-framework-5.1.0.jar
diff --git a/pom.xml b/pom.xml
index 788eaaf1626f2..944936e2a97ca 100644
--- a/pom.xml
+++ b/pom.xml
@@ -148,7 +148,7 @@ flexible messaging model and an intuitive client API.
 3.4.0
 5.1.1
 1.12.262
- 1.10.2
+ 1.11.4
 2.10.5
 2.5.0
 5.1.0

From e4be6d5c2bb693295bc7d64e193fce1d22029e25 Mon Sep 17 00:00:00 2001
From: nikhil-ctds
Date: Fri, 4 Oct 2024 15:04:12 +0530
Subject: [PATCH 3/4] Update pulsar-sql LICENSE file

---
 pulsar-sql/presto-distribution/LICENSE | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
index a97157ecc78f6..49a1903665c95 100644
--- a/pulsar-sql/presto-distribution/LICENSE
+++ b/pulsar-sql/presto-distribution/LICENSE
@@ -380,8 +380,8 @@ The Apache Software License, Version 2.0
 * Apache XBean :: Reflect
 - xbean-reflect-3.4.jar
 * Avro
- - avro-1.10.2.jar
- - avro-protobuf-1.10.2.jar
+ - avro-1.11.4.jar
+ - avro-protobuf-1.11.4.jar
 * Caffeine
 - caffeine-2.9.1.jar
 * Javax

From e20a8aba921e7d48ad766bdef239d84c5dd35194 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 3 Oct 2024 16:12:06 -0700
Subject: [PATCH 4/4] [fix] Bump commons-io:commons-io from 2.8.0 to 2.14.0 (#23393)

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Matteo Merli
(cherry picked from commit ab0dcf316e4e2ab8da35c70343fe176d951b9a12)
---
 distribution/server/src/assemble/LICENSE.bin.txt | 2 +-
 pom.xml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
index 8bb4ebdaa92a8..edb84765ba74a 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -345,7 +345,7 @@ The Apache Software License, Version 2.0
 - commons-codec-commons-codec-1.15.jar
 - commons-collections-commons-collections-3.2.2.jar
 - commons-configuration-commons-configuration-1.10.jar
- - commons-io-commons-io-2.8.0.jar
+ - commons-io-commons-io-2.14.0.jar
 - commons-lang-commons-lang-2.6.jar
 - commons-logging-commons-logging-1.1.1.jar
 - org.apache.commons-commons-collections4-4.1.jar
diff --git a/pom.xml b/pom.xml
index 944936e2a97ca..b49f4274b31eb 100644
--- a/pom.xml
+++ b/pom.xml
@@ -183,7 +183,7 @@ flexible messaging model and an intuitive client API.
 1.78
 3.11
 1.10
- 2.8.0
+ 2.14.0
 1.15
 2.1
 2.1.9