!7 resolve cve-2023-34455

From: @sundapeng001 Reviewed-by: @wang-jialing218 Signed-off-by: @wang-jialing218
2023-12-01 08:25:45 +00:00 · 2023-12-01 08:25:45 +00:00 · 158a304f32
commit 158a304f32
parent 21d13c2010 2373c957ca
2 changed files with 44 additions and 1 deletions
--- a/0005-cve-2023-34455.patch
+++ b/0005-cve-2023-34455.patch
@ -0,0 +1,39 @@
+diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
+index 1ce81c7344..ad93b3abef 100644
+--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
+@@ -526,7 +526,7 @@ The Apache Software License, Version 2.0
+     - org.apache.zookeeper-zookeeper-jute-3.6.3.jar
+     - org.apache.zookeeper-zookeeper-prometheus-metrics-3.6.3.jar
+   * Snappy Java
+-    - org.xerial.snappy-snappy-java-1.1.7.jar
+    - org.xerial.snappy-snappy-java-1.1.10.1.jar
+   * Google HTTP Client
+     - com.google.http-client-google-http-client-jackson2-1.41.0.jar
+     - com.google.http-client-google-http-client-gson-1.41.0.jar
+diff --git a/pom.xml b/pom.xml
+index 69adebd4df..6ac97ee8e6 100644
+--- a/pom.xml
+++ b/pom.xml
+@@ -107,7 +107,7 @@ flexible messaging model and an intuitive client API.</description>
+     <bookkeeper.version>4.14.7</bookkeeper.version>
+     <zookeeper.version>3.6.3</zookeeper.version>
+     <commons-cli.version>1.5.0</commons-cli.version>
+-    <snappy.version>1.1.7</snappy.version> <!-- ZooKeeper server -->
+    <snappy.version>1.1.10.1</snappy.version> <!-- ZooKeeper server -->
+     <dropwizardmetrics.version>3.2.5</dropwizardmetrics.version> <!-- ZooKeeper server -->
+     <curator.version>5.1.0</curator.version>
+     <netty.version>4.1.87.Final</netty.version>
+diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
+index 4087b9e83e..434d65f990 100644
+--- a/pulsar-sql/presto-distribution/LICENSE
+++ b/pulsar-sql/presto-distribution/LICENSE
+@@ -457,7 +457,7 @@ The Apache Software License, Version 2.0
+   * GSON
+     - gson-2.8.9.jar
+   * Snappy
+-    - snappy-java-1.1.7.jar
+    - snappy-java-1.1.10.1.jar
+   * Jackson
+     - jackson-module-parameter-names-2.13.4.jar
+   * Java Assist
--- a/pulsar.spec
+++ b/pulsar.spec
@ -1,6 +1,6 @@
 %define debug_package %{nil}
 %define pulsar_ver 2.10.4
-%define pkg_ver 4
+%define pkg_ver 5
 %define _prefix /opt/pulsar
 Summary: Cloud-Native, Distributed Messaging and Streaming
 Name: pulsar
@ -14,6 +14,7 @@ Patch0001: 0001-use-huawei-repository.patch
 Patch0002: 0002-resolve-cve-2023-32697.patch
 Patch0003: 0003-CVE-2023-2976.patch
 Patch0004: 0004-netty-to-4.1.89.patch
+Patch0005: 0005-cve-2023-34455.patch
 BuildRoot: /root/rpmbuild/BUILDROOT/
 BuildRequires: java-1.8.0-openjdk-devel,maven,systemd
 Requires: java-1.8.0-openjdk,systemd
@ -30,6 +31,7 @@ Pulsar is a distributed pub-sub messaging platform with a very flexible messagin
 %patch0002 -p1
 %patch0003 -p1
 %patch0004 -p1
+%patch0005 -p1

 %build
 mvn clean install -Pcore-modules,-main -DskipTests
@ -55,6 +57,8 @@ getent passwd pulsar >/dev/null || useradd -r -g pulsar -d / -s /sbin/nologin pu
 exit 0

 %changelog
+* Fri Dec 1 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-5
+- resolve CVE-2023-34455
 * Fri Dec 1 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-4
 - upgrade netty to 4.1.89
 * Mon Nov 27 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-3