resolve CVE-2023-2976

2023-11-28 03:19:06 +00:00 · 2023-11-28 03:19:06 +00:00 · 8f67587d41
commit 8f67587d41
parent 698317d8c9
2 changed files with 90 additions and 3 deletions
--- a/0003-CVE-2023-2976.patch
+++ b/0003-CVE-2023-2976.patch
@ -0,0 +1,83 @@
+diff --git a/buildtools/pom.xml b/buildtools/pom.xml
+index 0197f03326..5115700da7 100644
+--- a/buildtools/pom.xml
+++ b/buildtools/pom.xml
+@@ -47,7 +47,7 @@
+     <puppycrawl.checkstyle.version>8.37</puppycrawl.checkstyle.version>
+     <maven-checkstyle-plugin.version>3.1.2</maven-checkstyle-plugin.version>
+     <guice.version>4.2.3</guice.version>
+-    <guava.version>31.0.1-jre</guava.version>
+    <guava.version>32.0.0-jre</guava.version>
+     <ant.version>1.10.12</ant.version>
+     <snakeyaml.version>1.32</snakeyaml.version>
+     <test.additional.args></test.additional.args>
+diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
+index 1ce81c7344..7d2433a2db 100644
+--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
+@@ -328,7 +328,7 @@ The Apache Software License, Version 2.0
+     - com.google.code.gson-gson-2.8.9.jar
+     - io.gsonfire-gson-fire-1.8.5.jar
+  * Guava
+-    - com.google.guava-guava-31.0.1-jre.jar
+    - com.google.guava-guava-32.0.0-jre.jar
+     - com.google.guava-failureaccess-1.0.1.jar
+     - com.google.guava-listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
+  * J2ObjC Annotations -- com.google.j2objc-j2objc-annotations-1.3.jar
+@@ -559,7 +559,7 @@ MIT License
+     - org.slf4j-slf4j-api-1.7.32.jar
+     - org.slf4j-jcl-over-slf4j-1.7.32.jar
+  * The Checker Framework
+-    - org.checkerframework-checker-qual-3.12.0.jar
+    - org.checkerframework-checker-qual-3.33.0.jar
+ 
+ Protocol Buffers License
+  * Protocol Buffers
+diff --git a/pom.xml b/pom.xml
+index 69adebd4df..904bd5ac28 100644
+--- a/pom.xml
+++ b/pom.xml
+@@ -168,7 +168,7 @@ flexible messaging model and an intuitive client API.</description>
+     <jsonwebtoken.version>0.11.1</jsonwebtoken.version>
+     <opencensus.version>0.28.0</opencensus.version>
+     <hbase.version>2.4.9</hbase.version>
+-    <guava.version>31.0.1-jre</guava.version>
+    <guava.version>32.0.0-jre</guava.version>
+     <jcip.version>1.0</jcip.version>
+     <prometheus-jmx.version>0.14.0</prometheus-jmx.version>
+     <confluent.version>7.0.1</confluent.version>
+diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
+index 4087b9e83e..a5923972ee 100644
+--- a/pulsar-sql/presto-distribution/LICENSE
+++ b/pulsar-sql/presto-distribution/LICENSE
+@@ -221,7 +221,7 @@ The Apache Software License, Version 2.0
+     - jackson-module-jaxb-annotations-2.13.4.jar
+     - jackson-module-jsonSchema-2.13.4.jar
+  * Guava
+-    - guava-31.0.1-jre.jar
+    - guava-32.0.0-jre.jar
+     - listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
+     - failureaccess-1.0.1.jar
+  * Google Guice
+@@ -515,7 +515,7 @@ MIT License
+  * JUL to SLF4J Bridge
+    - jul-to-slf4j-1.7.32.jar
+  * Checker Qual
+-   - checker-qual-3.12.0.jar
+   - checker-qual-3.33.0.jar
+  * Annotations
+    - animal-sniffer-annotations-1.19.jar
+    - annotations-4.1.1.4.jar
+diff --git a/pulsar-sql/presto-distribution/pom.xml b/pulsar-sql/presto-distribution/pom.xml
+index cbeb5b7096..990c806e44 100644
+--- a/pulsar-sql/presto-distribution/pom.xml
+++ b/pulsar-sql/presto-distribution/pom.xml
+@@ -39,7 +39,7 @@
+     <objenesis.version>2.6</objenesis.version>
+     <objectsize.version>0.0.12</objectsize.version>
+     <maven.version>3.0.5</maven.version>
+-    <guava.version>31.0.1-jre</guava.version>
+    <guava.version>32.0.0-jre</guava.version>
+     <asynchttpclient.version>2.12.1</asynchttpclient.version>
+     <errorprone.version>2.5.1</errorprone.version>
+     <javax.servlet-api>4.0.1</javax.servlet-api>
--- a/pulsar.spec
+++ b/pulsar.spec
@ -1,6 +1,6 @@
 %define debug_package %{nil}
 %define pulsar_ver 2.10.4
-%define pkg_ver 1
+%define pkg_ver 3
 %define _prefix /opt/pulsar
 Summary: Cloud-Native, Distributed Messaging and Streaming
 Name: pulsar
@ -12,6 +12,7 @@ URL: https://pulsar.apache.org
 Source0: https://archive.apache.org/dist/pulsar/pulsar-2.10.4/apache-pulsar-2.10.4-src.tar.gz
 Patch0001: 0001-use-huawei-repository.patch
 Patch0002: 0002-resolve-cve-2023-32697.patch
+Patch0003: 0003-CVE-2023-2976.patch
 BuildRoot: /root/rpmbuild/BUILDROOT/
 BuildRequires: java-1.8.0-openjdk-devel,maven,systemd
 Requires: java-1.8.0-openjdk,systemd
@ -26,6 +27,7 @@ Pulsar is a distributed pub-sub messaging platform with a very flexible messagin

 %patch0001 -p1
 %patch0002 -p1
+%patch0003 -p1

 %build
 mvn clean install -Pcore-modules,-main -DskipTests
@ -51,7 +53,9 @@ getent passwd pulsar >/dev/null || useradd -r -g pulsar -d / -s /sbin/nologin pu
 exit 0

 %changelog
+* Mon Nov 27 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-3
+- resolve CVE-2023-2976
+* Thu Aug 24 2023 Jialing Wang <wangjialing@cmss.chinamobile.com> - 2.10.4-2
+- resovle Cve-2023-32697
 * Fri Aug 11 2023 Jialing Wang <wangjialing@cmss.chinamobile.com> - 2.10.4-1
 - init puslar spec
-* Fri Aug 24 2023 Jialing Wang <wangjialing@cmss.chinamobile.com> - 2.10.4-2
- resovle Cve-2023-32697