resolve CVE-2023-32732

2023-12-07 07:32:08 +00:00 · 2023-12-07 07:32:08 +00:00 · bdc879bf71
commit bdc879bf71
parent 644e291356
2 changed files with 131 additions and 1 deletions
--- a/0014-CVE-2023-32732.patch
+++ b/0014-CVE-2023-32732.patch
@ -0,0 +1,126 @@
+diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
+index 0c11baa362..82b3f0af59 100644
+--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
+@@ -322,7 +322,7 @@ The Apache Software License, Version 2.0
+      - com.fasterxml.jackson.module-jackson-module-jsonSchema-2.13.4.jar
+  * Caffeine -- com.github.ben-manes.caffeine-caffeine-2.9.1.jar
+  * Conscrypt -- org.conscrypt-conscrypt-openjdk-uber-2.5.2.jar
+- * Proto Google Common Protos -- com.google.api.grpc-proto-google-common-protos-2.0.1.jar
+ * Proto Google Common Protos -- com.google.api.grpc-proto-google-common-protos-2.9.0.jar
+  * Bitbucket -- org.bitbucket.b_c-jose4j-0.7.6.jar
+  * Gson
+     - com.google.code.gson-gson-2.8.9.jar
+@@ -468,24 +468,26 @@ The Apache Software License, Version 2.0
+      - org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.6.0.jar
+      - org.jetbrains-annotations-13.0.jar
+  * gRPC
+-    - io.grpc-grpc-all-1.45.1.jar
+-    - io.grpc-grpc-auth-1.45.1.jar
+-    - io.grpc-grpc-context-1.45.1.jar
+-    - io.grpc-grpc-core-1.45.1.jar
+-    - io.grpc-grpc-netty-1.45.1.jar
+-    - io.grpc-grpc-protobuf-1.45.1.jar
+-    - io.grpc-grpc-protobuf-lite-1.45.1.jar
+-    - io.grpc-grpc-stub-1.45.1.jar
+-    - io.grpc-grpc-alts-1.45.1.jar
+-    - io.grpc-grpc-api-1.45.1.jar
+-    - io.grpc-grpc-grpclb-1.45.1.jar
+-    - io.grpc-grpc-netty-shaded-1.45.1.jar
+-    - io.grpc-grpc-services-1.45.1.jar
+-    - io.grpc-grpc-xds-1.45.1.jar
+-    - io.grpc-grpc-rls-1.45.1.jar
+    - io.grpc-grpc-all-1.55.3.jar
+    - io.grpc-grpc-auth-1.55.3.jar
+    - io.grpc-grpc-context-1.55.3.jar
+    - io.grpc-grpc-core-1.55.3.jar
+    - io.grpc-grpc-netty-1.55.3.jar
+    - io.grpc-grpc-protobuf-1.55.3.jar
+    - io.grpc-grpc-protobuf-lite-1.55.3.jar
+    - io.grpc-grpc-stub-1.55.3.jar
+    - io.grpc-grpc-alts-1.55.3.jar
+    - io.grpc-grpc-api-1.55.3.jar
+    - io.grpc-grpc-grpclb-1.55.3.jar
+    - io.grpc-grpc-netty-shaded-1.55.3.jar
+    - io.grpc-grpc-services-1.55.3.jar
+    - io.grpc-grpc-xds-1.55.3.jar
+    - io.grpc-grpc-rls-1.55.3.jar
+    - io.grpc-grpc-servlet-1.55.3.jar
+    - io.grpc-grpc-servlet-jakarta-1.55.3.jar
+     - com.google.auto.service-auto-service-annotations-1.0.jar
+   * Perfmark
+-    - io.perfmark-perfmark-api-0.19.0.jar
+    - io.perfmark-perfmark-api-0.26.0.jar
+   * OpenCensus
+     - io.opencensus-opencensus-api-0.28.0.jar
+     - io.opencensus-opencensus-contrib-http-util-0.28.0.jar
+@@ -535,7 +537,7 @@ The Apache Software License, Version 2.0
+     - com.google.http-client-google-http-client-gson-1.41.0.jar
+     - com.google.http-client-google-http-client-1.41.0.jar
+     - com.google.auto.value-auto-value-annotations-1.9.jar
+-    - com.google.re2j-re2j-1.5.jar
+    - com.google.re2j-re2j-1.6.jar
+   * Jetcd
+     - io.etcd-jetcd-common-0.5.11.jar
+     - io.etcd-jetcd-core-0.5.11.jar
+diff --git a/pom.xml b/pom.xml
+index 272da71732..3ee138c11a 100644
+--- a/pom.xml
+++ b/pom.xml
+@@ -132,9 +132,9 @@ flexible messaging model and an intuitive client API.</description>
+     <typetools.version>0.5.0</typetools.version>
+     <protobuf3.version>3.19.6</protobuf3.version>
+     <protoc3.version>${protobuf3.version}</protoc3.version>
+-    <grpc.version>1.45.1</grpc.version>
+    <grpc.version>1.55.3</grpc.version>
+     <google-http-client.version>1.41.0</google-http-client.version>
+-    <perfmark.version>0.19.0</perfmark.version>
+    <perfmark.version>0.26.0</perfmark.version>
+     <protoc-gen-grpc-java.version>${grpc.version}</protoc-gen-grpc-java.version>
+     <gson.version>2.8.9</gson.version>
+     <system-lambda.version>1.2.1</system-lambda.version>
+diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
+index 47e4fbcfa5..3a3da7a4ca 100644
+--- a/pulsar-sql/presto-distribution/LICENSE
+++ b/pulsar-sql/presto-distribution/LICENSE
+@@ -258,14 +258,14 @@ The Apache Software License, Version 2.0
+     - netty-transport-native-unix-common-4.1.93.Final-linux-x86_64.jar
+     - netty-codec-http2-4.1.87.Final.jar 
+  * GRPC
+-    - grpc-api-1.45.1.jar
+-    - grpc-context-1.45.1.jar
+-    - grpc-core-1.45.1.jar
+-    - grpc-grpclb-1.45.1.jar
+-    - grpc-netty-1.45.1.jar
+-    - grpc-protobuf-1.45.1.jar
+-    - grpc-protobuf-lite-1.45.1.jar
+-    - grpc-stub-1.45.1.jar
+    - grpc-api-1.55.3.jar
+    - grpc-context-1.55.3.jar
+    - grpc-core-1.55.3.jar
+    - grpc-grpclb-1.55.3.jar
+    - grpc-netty-1.55.3.jar
+    - grpc-protobuf-1.55.3.jar
+    - grpc-protobuf-lite-1.55.3.jar
+    - grpc-stub-1.55.3.jar
+   * JEtcd
+     - jetcd-common-0.5.11.jar
+     - jetcd-core-0.5.11.jar
+@@ -477,7 +477,7 @@ The Apache Software License, Version 2.0
+   * Swagger
+     - swagger-annotations-1.6.10.jar
+   * Perfmark
+-    - perfmark-api-0.19.0.jar
+    - perfmark-api-0.26.0.jar
+   * Annotations
+     - auto-service-annotations-1.0.jar
+ 
+@@ -485,7 +485,7 @@ Protocol Buffers License
+  * Protocol Buffers
+    - protobuf-java-3.19.6.jar
+    - protobuf-java-util-3.19.6.jar
+-   - proto-google-common-protos-2.0.1.jar
+   - proto-google-common-protos-2.9.0.jar
+ 
+ BSD 3-clause "New" or "Revised" License
+   *  RE2J TD -- re2j-td-1.4.jar
--- a/pulsar.spec
+++ b/pulsar.spec
@ -1,6 +1,6 @@
 %define debug_package %{nil}
 %define pulsar_ver 2.10.4
-%define pkg_ver 13
+%define pkg_ver 14
 %define _prefix /opt/pulsar
 Summary: Cloud-Native, Distributed Messaging and Streaming
 Name: pulsar
@ -23,6 +23,7 @@ Patch0010: 0010-CVE-2022-22970.patch
 Patch0011: 0011-CVE-2023-25194.patch
 Patch0012: 0012-CVE-2023-2976.patch
 Patch0013: 0013-fix-deadlock.patch
+Patch0014: 0014-CVE-2023-32732.patch
 BuildRoot: /root/rpmbuild/BUILDROOT/
 BuildRequires: java-1.8.0-openjdk-devel,maven,systemd
 Requires: java-1.8.0-openjdk,systemd
@ -48,6 +49,7 @@ Pulsar is a distributed pub-sub messaging platform with a very flexible messagin
 %patch0011 -p1
 %patch0012 -p1
 %patch0013 -p1
+%patch0014 -p1

 %build
 mvn clean install -Pcore-modules,-main -DskipTests
@ -73,6 +75,8 @@ getent passwd pulsar >/dev/null || useradd -r -g pulsar -d / -s /sbin/nologin pu
 exit 0

 %changelog
+* Thu Dec 7 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-14
+- resolve cve-2023-32732
 * Thu Dec 7 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-13
 - resolve fix deadlock
 * Thu Dec 7 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-12