resolve CVE-2022-24329
parent
f312c12c99
commit
5c61327a1d
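--- a/0009-CVE-2022-24329.patch
+++ b/0009-CVE-2022-24329.patch
@@ -0,0 +1,73 @@
+diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
+index 87c54acbe3..e32d3d9f43 100644
+--- a/distribution/server/src/assemble/LICENSE.bin.txt
++++ b/distribution/server/src/assemble/LICENSE.bin.txt
+@@ -462,10 +462,10 @@ The Apache Software License, Version 2.0
+* Okio - com.squareup.okio-okio-2.8.0.jar
+* Javassist -- org.javassist-javassist-3.25.0-GA.jar
+* Kotlin Standard Lib
+- - org.jetbrains.kotlin-kotlin-stdlib-1.4.32.jar
+- - org.jetbrains.kotlin-kotlin-stdlib-common-1.4.32.jar
+- - org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.4.32.jar
+- - org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.4.32.jar
++ - org.jetbrains.kotlin-kotlin-stdlib-1.6.0.jar
++ - org.jetbrains.kotlin-kotlin-stdlib-common-1.6.0.jar
++ - org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.6.0.jar
++ - org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.6.0.jar
+- org.jetbrains-annotations-13.0.jar
+* gRPC
+- io.grpc-grpc-all-1.45.1.jar
+diff --git a/pom.xml b/pom.xml
+index 52c1e587ad..5bdf7946f5 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -203,7 +203,7 @@ flexible messaging model and an intuitive client API.</description>
+<!-- use okio version that matches the okhttp3 version -->
+<okio.version>2.8.0</okio.version>
+<!-- override kotlin-stdlib used by okio in order to address CVE-2020-29582 -->
+- <kotlin-stdlib.version>1.4.32</kotlin-stdlib.version>
++ <kotlin-stdlib.version>1.6.0</kotlin-stdlib.version>
+<nsq-client.version>1.0</nsq-client.version>
+<cron-utils.version>9.1.6</cron-utils.version>
+<spring-context.version>5.3.19</spring-context.version>
+diff --git a/src/owasp-dependency-check-suppressions.xml b/src/owasp-dependency-check-suppressions.xml
+index 201a23baa0..07300d2601 100644
+--- a/src/owasp-dependency-check-suppressions.xml
++++ b/src/owasp-dependency-check-suppressions.xml
+@@ -60,36 +60,6 @@
+<vulnerabilityName regex="true">.*</vulnerabilityName>
+</suppress>
+
+- <!-- see https://github.com/apache/pulsar/pull/14629-->
+- <suppress>
+- <notes><![CDATA[
+- file name: kotlin-stdlib-common-1.4.32.jar
+- ]]></notes>
+- <sha1>ef50bfa2c0491a11dcc35d9822edbfd6170e1ea2</sha1>
+- <cpe>cpe:/a:jetbrains:kotlin</cpe>
+- </suppress>
+- <suppress>
+- <notes><![CDATA[
+- file name: kotlin-stdlib-jdk7-1.4.32.jar
+- ]]></notes>
+- <sha1>3546900a3ebff0c43f31190baf87a9220e37b7ea</sha1>
+- <cve>CVE-2022-24329</cve>
+- </suppress>
+- <suppress>
+- <notes><![CDATA[
+- file name: kotlin-stdlib-jdk8-1.4.32.jar
+- ]]></notes>
+- <sha1>3302f9ec8a5c1ed220781dbd37770072549bd333</sha1>
+- <cve>CVE-2022-24329</cve>
+- </suppress>
+- <suppress>
+- <notes><![CDATA[
+- file name: kotlin-stdlib-1.4.32.jar
+- ]]></notes>
+- <sha1>461367948840adbb0839c51d91ed74ef4a9ccb52</sha1>
+- <cve>CVE-2022-24329</cve>
+- </suppress>
+-
+<!-- see https://github.com/alibaba/canal/issues/4010 -->
+<suppress>
+<notes><![CDATA[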
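Review bot: The comment above `<kotlin-stdlib.version>` in the pom.xml hunk still gives only CVE-2020-29582 as the reason for the override, although the pin is now raised to 1.6.0 for CVE-2022-24329; a later maintainer checking whether the override can be relaxed would miss the second constraint. I would change it to `<!-- override kotlin-stdlib used by okio in order to address CVE-2020-29582 and CVE-2022-24329 -->`. The removed suppressions were keyed by the sha1 of the 1.4.32 jars, so dropping them is consistent with the bump. Whether all four kotlin-stdlib artifacts actually resolve to 1.6.0 depends on dependency management outside the visible hunk.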
@ -1,6 +1,6 @@
|
|||||||
%define debug_package %{nil}
|
%define debug_package %{nil}
|
||||||
%define pulsar_ver 2.10.4
|
%define pulsar_ver 2.10.4
|
||||||
%define pkg_ver 8
|
%define pkg_ver 9
|
||||||
%define _prefix /opt/pulsar
|
%define _prefix /opt/pulsar
|
||||||
Summary: Cloud-Native, Distributed Messaging and Streaming
|
Summary: Cloud-Native, Distributed Messaging and Streaming
|
||||||
Name: pulsar
|
Name: pulsar
|
||||||
@ -18,6 +18,7 @@ Patch0005: 0005-cve-2023-34455.patch
|
|||||||
Patch0006: 0006-fix-memory-leak.patch
|
Patch0006: 0006-fix-memory-leak.patch
|
||||||
Patch0007: 0007-CVE-2022-1471.patch
|
Patch0007: 0007-CVE-2022-1471.patch
|
||||||
Patch0008: 0008-CVE-2023-26048.patch
|
Patch0008: 0008-CVE-2023-26048.patch
|
||||||
|
Patch0009: 0009-CVE-2022-24329.patch
|
||||||
BuildRoot: /root/rpmbuild/BUILDROOT/
|
BuildRoot: /root/rpmbuild/BUILDROOT/
|
||||||
BuildRequires: java-1.8.0-openjdk-devel,maven,systemd
|
BuildRequires: java-1.8.0-openjdk-devel,maven,systemd
|
||||||
Requires: java-1.8.0-openjdk,systemd
|
Requires: java-1.8.0-openjdk,systemd
|
||||||
@ -38,6 +39,7 @@ Pulsar is a distributed pub-sub messaging platform with a very flexible messagin
|
|||||||
%patch0006 -p1
|
%patch0006 -p1
|
||||||
%patch0007 -p1
|
%patch0007 -p1
|
||||||
%patch0008 -p1
|
%patch0008 -p1
|
||||||
|
%patch0009 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
mvn clean install -Pcore-modules,-main -DskipTests
|
mvn clean install -Pcore-modules,-main -DskipTests
|
||||||
@ -63,6 +65,8 @@ getent passwd pulsar >/dev/null || useradd -r -g pulsar -d / -s /sbin/nologin pu
|
|||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Dec 5 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-9
|
||||||
|
- resolve cve-2022-24329
|
||||||
* Mon Dec 4 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-8
|
* Mon Dec 4 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-8
|
||||||
- resolve cve-2023-26048
|
- resolve cve-2023-26048
|
||||||
* Mon Dec 4 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-7
|
* Mon Dec 4 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-7
|
||||||
|
|||||||
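Review bot: The new %changelog entry is dated `Mon Dec 5 2023`, but 5 December 2023 was a Tuesday, and rpmbuild reports a weekday mismatch as a bogus %changelog date; the line should read `* Tue Dec 5 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-9`. Separately, the %build step shown as context runs Maven with `-DskipTests` and nothing visible here runs the dependency check, so it is worth confirming on the built package that no kotlin-stdlib 1.4.32 jar remains in the shipped library directory.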