packages/pulsar
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

resolve CVE-2022-24329

Browse Source
This commit is contained in:
sundapeng 2023-12-05 07:41:40 +00:00
parent f312c12c99
commit 5c61327a1d
2 changed files with 78 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
0009-CVE-2022-24329.patch Normal file
View File

@ -0,0 +1,73 @@
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
index 87c54acbe3..e32d3d9f43 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -462,10 +462,10 @@ The Apache Software License, Version 2.0
* Okio - com.squareup.okio-okio-2.8.0.jar
* Javassist -- org.javassist-javassist-3.25.0-GA.jar
* Kotlin Standard Lib
- - org.jetbrains.kotlin-kotlin-stdlib-1.4.32.jar
- - org.jetbrains.kotlin-kotlin-stdlib-common-1.4.32.jar
- - org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.4.32.jar
- - org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.4.32.jar
+ - org.jetbrains.kotlin-kotlin-stdlib-1.6.0.jar
+ - org.jetbrains.kotlin-kotlin-stdlib-common-1.6.0.jar
+ - org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.6.0.jar
+ - org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.6.0.jar
- org.jetbrains-annotations-13.0.jar
* gRPC
- io.grpc-grpc-all-1.45.1.jar
diff --git a/pom.xml b/pom.xml
index 52c1e587ad..5bdf7946f5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -203,7 +203,7 @@ flexible messaging model and an intuitive client API.</description>
<!-- use okio version that matches the okhttp3 version -->
<okio.version>2.8.0</okio.version>
<!-- override kotlin-stdlib used by okio in order to address CVE-2020-29582 -->
- <kotlin-stdlib.version>1.4.32</kotlin-stdlib.version>
+ <kotlin-stdlib.version>1.6.0</kotlin-stdlib.version>
<nsq-client.version>1.0</nsq-client.version>
<cron-utils.version>9.1.6</cron-utils.version>
<spring-context.version>5.3.19</spring-context.version>
diff --git a/src/owasp-dependency-check-suppressions.xml b/src/owasp-dependency-check-suppressions.xml
index 201a23baa0..07300d2601 100644
--- a/src/owasp-dependency-check-suppressions.xml
+++ b/src/owasp-dependency-check-suppressions.xml
@@ -60,36 +60,6 @@
<vulnerabilityName regex="true">.*</vulnerabilityName>
</suppress>
- <!-- see https://github.com/apache/pulsar/pull/14629-->
- <suppress>
- <notes><![CDATA[
- file name: kotlin-stdlib-common-1.4.32.jar
- ]]></notes>
- <sha1>ef50bfa2c0491a11dcc35d9822edbfd6170e1ea2</sha1>
- <cpe>cpe:/a:jetbrains:kotlin</cpe>
- </suppress>
- <suppress>
- <notes><![CDATA[
- file name: kotlin-stdlib-jdk7-1.4.32.jar
- ]]></notes>
- <sha1>3546900a3ebff0c43f31190baf87a9220e37b7ea</sha1>
- <cve>CVE-2022-24329</cve>
- </suppress>
- <suppress>
- <notes><![CDATA[
- file name: kotlin-stdlib-jdk8-1.4.32.jar
- ]]></notes>
- <sha1>3302f9ec8a5c1ed220781dbd37770072549bd333</sha1>
- <cve>CVE-2022-24329</cve>
- </suppress>
- <suppress>
- <notes><![CDATA[
- file name: kotlin-stdlib-1.4.32.jar
- ]]></notes>
- <sha1>461367948840adbb0839c51d91ed74ef4a9ccb52</sha1>
- <cve>CVE-2022-24329</cve>
- </suppress>
-
<!-- see https://github.com/alibaba/canal/issues/4010 -->
<suppress>
<notes><![CDATA[

6
pulsar.spec
View File

@ -1,6 +1,6 @@
%define debug_package %{nil}
%define pulsar_ver 2.10.4
%define pkg_ver 8
%define pkg_ver 9
%define _prefix /opt/pulsar
Summary: Cloud-Native, Distributed Messaging and Streaming
Name: pulsar
@ -18,6 +18,7 @@ Patch0005: 0005-cve-2023-34455.patch
Patch0006: 0006-fix-memory-leak.patch
Patch0007: 0007-CVE-2022-1471.patch
Patch0008: 0008-CVE-2023-26048.patch
Patch0009: 0009-CVE-2022-24329.patch
BuildRoot: /root/rpmbuild/BUILDROOT/
BuildRequires: java-1.8.0-openjdk-devel,maven,systemd
Requires: java-1.8.0-openjdk,systemd
@ -38,6 +39,7 @@ Pulsar is a distributed pub-sub messaging platform with a very flexible messagin
%patch0006 -p1
%patch0007 -p1
%patch0008 -p1
%patch0009 -p1
%build
mvn clean install -Pcore-modules,-main -DskipTests
@ -63,6 +65,8 @@ getent passwd pulsar >/dev/null || useradd -r -g pulsar -d / -s /sbin/nologin pu
exit 0
%changelog
* Mon Dec 5 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-9
- resolve cve-2022-24329
* Mon Dec 4 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-8
- resolve cve-2023-26048
* Mon Dec 4 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-7