resolve CVE-2022-1471

0007-CVE-2022-1471.patch

@@ -0,0 +1,43 @@
+diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
+index a413803445..996cb16751 100644
+--- a/distribution/server/src/assemble/LICENSE.bin.txt
++++ b/distribution/server/src/assemble/LICENSE.bin.txt
+@@ -334,9 +334,9 @@ The Apache Software License, Version 2.0
+  * J2ObjC Annotations -- com.google.j2objc-j2objc-annotations-1.3.jar
+  * Netty Reactive Streams -- com.typesafe.netty-netty-reactive-streams-2.0.6.jar
+  * Swagger
+-    - io.swagger-swagger-annotations-1.6.2.jar
+-    - io.swagger-swagger-core-1.6.2.jar
+-    - io.swagger-swagger-models-1.6.2.jar
++    - io.swagger-swagger-annotations-1.6.10.jar
++    - io.swagger-swagger-core-1.6.10.jar
++    - io.swagger-swagger-models-1.6.10.jar
+  * DataSketches
+     - com.yahoo.datasketches-memory-0.8.3.jar
+     - com.yahoo.datasketches-sketches-core-0.8.3.jar
+diff --git a/pom.xml b/pom.xml
+index 0e841b4ab5..81cf8b6b7c 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -126,7 +126,7 @@ flexible messaging model and an intuitive client API.</description>
+     <bouncycastlefips.version>1.0.2</bouncycastlefips.version>
+     <jackson.version>2.13.4.20221013</jackson.version>
+     <reflections.version>0.9.11</reflections.version>
+-    <swagger.version>1.6.2</swagger.version>
++    <swagger.version>1.6.10</swagger.version>
+     <puppycrawl.checkstyle.version>8.37</puppycrawl.checkstyle.version>
+     <dockerfile-maven.version>1.4.13</dockerfile-maven.version>
+     <typetools.version>0.5.0</typetools.version>
+diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
+index dae80a80ec..8716eec69c 100644
+--- a/pulsar-sql/presto-distribution/LICENSE
++++ b/pulsar-sql/presto-distribution/LICENSE
+@@ -475,7 +475,7 @@ The Apache Software License, Version 2.0
+   * Apache Yetus Audience Annotations
+     - audience-annotations-0.5.0.jar
+   * Swagger
+-    - swagger-annotations-1.6.2.jar
++    - swagger-annotations-1.6.10.jar
+   * Perfmark
+     - perfmark-api-0.19.0.jar
+   * Annotations

pulsar.spec

@@ -1,6 +1,6 @@
 %define debug_package %{nil}
 %define pulsar_ver 2.10.4
-%define pkg_ver 6
+%define pkg_ver 7
 %define _prefix /opt/pulsar
 Summary: Cloud-Native, Distributed Messaging and Streaming
 Name: pulsar
@@ -16,6 +16,7 @@ Patch0003: 0003-CVE-2023-2976.patch
 Patch0004: 0004-netty-to-4.1.89.patch
 Patch0005: 0005-cve-2023-34455.patch
 Patch0006: 0006-fix-memory-leak.patch
+Patch0007: 0007-CVE-2022-1471.patch
 BuildRoot: /root/rpmbuild/BUILDROOT/
 BuildRequires: java-1.8.0-openjdk-devel,maven,systemd
 Requires: java-1.8.0-openjdk,systemd
@@ -59,6 +60,8 @@ getent passwd pulsar >/dev/null || useradd -r -g pulsar -d / -s /sbin/nologin pu
 exit 0
 
 %changelog
+* Mon Dec 4 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-7
+- resolve cve-2022-1471
 * Fri Dec 1 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-6
 - fix memory leak
 * Fri Dec 1 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-5