packages/pulsar
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

resolve CVE-2023-2976

Browse Source
This commit is contained in:
sundapeng 2023-12-07 07:22:23 +00:00
parent 6d614184d8
commit 3061d98417
2 changed files with 70 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
0012-CVE-2023-2976.patch Normal file
View File

@ -0,0 +1,65 @@
diff --git a/buildtools/pom.xml b/buildtools/pom.xml
index 9dbbba70f9..1c78a05f94 100644
--- a/buildtools/pom.xml
+++ b/buildtools/pom.xml
@@ -47,7 +47,7 @@
<puppycrawl.checkstyle.version>8.37</puppycrawl.checkstyle.version>
<maven-checkstyle-plugin.version>3.1.2</maven-checkstyle-plugin.version>
<guice.version>4.2.3</guice.version>
- <guava.version>32.0.0-jre</guava.version>
+ <guava.version>32.1.1-jre</guava.version>
<ant.version>1.10.12</ant.version>
<snakeyaml.version>1.32</snakeyaml.version>
<test.additional.args></test.additional.args>
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
index e32d3d9f43..0c11baa362 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -328,7 +328,7 @@ The Apache Software License, Version 2.0
- com.google.code.gson-gson-2.8.9.jar
- io.gsonfire-gson-fire-1.8.5.jar
* Guava
- - com.google.guava-guava-32.0.0-jre.jar
+ - com.google.guava-guava-32.1.1-jre.jar
- com.google.guava-failureaccess-1.0.1.jar
- com.google.guava-listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
* J2ObjC Annotations -- com.google.j2objc-j2objc-annotations-1.3.jar
diff --git a/pom.xml b/pom.xml
index 0cbb930786..272da71732 100644
--- a/pom.xml
+++ b/pom.xml
@@ -168,7 +168,7 @@ flexible messaging model and an intuitive client API.</description>
<jsonwebtoken.version>0.11.1</jsonwebtoken.version>
<opencensus.version>0.28.0</opencensus.version>
<hbase.version>2.4.9</hbase.version>
- <guava.version>32.0.0-jre</guava.version>
+ <guava.version>32.1.1-jre</guava.version>
<jcip.version>1.0</jcip.version>
<prometheus-jmx.version>0.14.0</prometheus-jmx.version>
<confluent.version>7.0.1</confluent.version>
diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
index 636fb61db9..47e4fbcfa5 100644
--- a/pulsar-sql/presto-distribution/LICENSE
+++ b/pulsar-sql/presto-distribution/LICENSE
@@ -221,7 +221,7 @@ The Apache Software License, Version 2.0
- jackson-module-jaxb-annotations-2.13.4.jar
- jackson-module-jsonSchema-2.13.4.jar
* Guava
- - guava-32.0.0-jre.jar
+ - guava-32.1.1-jre.jar
- listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
- failureaccess-1.0.1.jar
* Google Guice
diff --git a/pulsar-sql/presto-distribution/pom.xml b/pulsar-sql/presto-distribution/pom.xml
index 990c806e44..bde34a1616 100644
--- a/pulsar-sql/presto-distribution/pom.xml
+++ b/pulsar-sql/presto-distribution/pom.xml
@@ -39,7 +39,7 @@
<objenesis.version>2.6</objenesis.version>
<objectsize.version>0.0.12</objectsize.version>
<maven.version>3.0.5</maven.version>
- <guava.version>32.0.0-jre</guava.version>
+ <guava.version>32.1.1-jre</guava.version>
<asynchttpclient.version>2.12.1</asynchttpclient.version>
<errorprone.version>2.5.1</errorprone.version>
<javax.servlet-api>4.0.1</javax.servlet-api>

6
pulsar.spec
View File

@ -1,6 +1,6 @@
%define debug_package %{nil} %define debug_package %{nil}
%define pulsar_ver 2.10.4 %define pulsar_ver 2.10.4
%define pkg_ver 11 %define pkg_ver 12
%define _prefix /opt/pulsar %define _prefix /opt/pulsar
Summary: Cloud-Native, Distributed Messaging and Streaming Summary: Cloud-Native, Distributed Messaging and Streaming
Name: pulsar Name: pulsar
@ -21,6 +21,7 @@ Patch0008: 0008-CVE-2023-26048.patch
Patch0009: 0009-CVE-2022-24329.patch Patch0009: 0009-CVE-2022-24329.patch
Patch0010: 0010-CVE-2022-22970.patch Patch0010: 0010-CVE-2022-22970.patch
Patch0011: 0011-CVE-2023-25194.patch Patch0011: 0011-CVE-2023-25194.patch
Patch0012: 0012-CVE-2023-2976.patch
BuildRoot: /root/rpmbuild/BUILDROOT/ BuildRoot: /root/rpmbuild/BUILDROOT/
BuildRequires: java-1.8.0-openjdk-devel,maven,systemd BuildRequires: java-1.8.0-openjdk-devel,maven,systemd
Requires: java-1.8.0-openjdk,systemd Requires: java-1.8.0-openjdk,systemd
@ -44,6 +45,7 @@ Pulsar is a distributed pub-sub messaging platform with a very flexible messagin
%patch0009 -p1 %patch0009 -p1
%patch0010 -p1 %patch0010 -p1
%patch0011 -p1 %patch0011 -p1
%patch0012 -p1
%build %build
mvn clean install -Pcore-modules,-main -DskipTests mvn clean install -Pcore-modules,-main -DskipTests
@ -69,6 +71,8 @@ getent passwd pulsar >/dev/null || useradd -r -g pulsar -d / -s /sbin/nologin pu
exit 0 exit 0
%changelog %changelog
* Thu Dec 7 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-12
- resolve cve-2023-2976
* Wed Dec 6 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-11 * Wed Dec 6 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-11
- resolve cve-2023-25194 - resolve cve-2023-25194
* Wed Dec 6 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-10 * Wed Dec 6 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-10