packages/pulsar
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

resolve CVE-2023-26048

Browse Source
This commit is contained in:
sundapeng 2023-12-04 11:42:12 +00:00
parent 6b14131efa
commit f312c12c99
2 changed files with 111 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

105
0008-CVE-2023-26048.patch Normal file
View File

@ -0,0 +1,105 @@
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
index 996cb16751..87c54acbe3 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -433,25 +433,25 @@ The Apache Software License, Version 2.0
- org.asynchttpclient-async-http-client-2.12.1.jar
- org.asynchttpclient-async-http-client-netty-utils-2.12.1.jar
* Jetty
- - org.eclipse.jetty-jetty-client-9.4.48.v20220622.jar
- - org.eclipse.jetty-jetty-continuation-9.4.48.v20220622.jar
- - org.eclipse.jetty-jetty-http-9.4.48.v20220622.jar
- - org.eclipse.jetty-jetty-io-9.4.48.v20220622.jar
- - org.eclipse.jetty-jetty-proxy-9.4.48.v20220622.jar
- - org.eclipse.jetty-jetty-security-9.4.48.v20220622.jar
- - org.eclipse.jetty-jetty-server-9.4.48.v20220622.jar
- - org.eclipse.jetty-jetty-servlet-9.4.48.v20220622.jar
- - org.eclipse.jetty-jetty-servlets-9.4.48.v20220622.jar
- - org.eclipse.jetty-jetty-util-9.4.48.v20220622.jar
- - org.eclipse.jetty-jetty-util-ajax-9.4.48.v20220622.jar
- - org.eclipse.jetty.websocket-javax-websocket-client-impl-9.4.48.v20220622.jar
- - org.eclipse.jetty.websocket-websocket-api-9.4.48.v20220622.jar
- - org.eclipse.jetty.websocket-websocket-client-9.4.48.v20220622.jar
- - org.eclipse.jetty.websocket-websocket-common-9.4.48.v20220622.jar
- - org.eclipse.jetty.websocket-websocket-server-9.4.48.v20220622.jar
- - org.eclipse.jetty.websocket-websocket-servlet-9.4.48.v20220622.jar
- - org.eclipse.jetty-jetty-alpn-conscrypt-server-9.4.48.v20220622.jar
- - org.eclipse.jetty-jetty-alpn-server-9.4.48.v20220622.jar
+ - org.eclipse.jetty-jetty-client-9.4.51.v20230217.jar
+ - org.eclipse.jetty-jetty-continuation-9.4.51.v20230217.jar
+ - org.eclipse.jetty-jetty-http-9.4.51.v20230217.jar
+ - org.eclipse.jetty-jetty-io-9.4.51.v20230217.jar
+ - org.eclipse.jetty-jetty-proxy-9.4.51.v20230217.jar
+ - org.eclipse.jetty-jetty-security-9.4.51.v20230217.jar
+ - org.eclipse.jetty-jetty-server-9.4.51.v20230217.jar
+ - org.eclipse.jetty-jetty-servlet-9.4.51.v20230217.jar
+ - org.eclipse.jetty-jetty-servlets-9.4.51.v20230217.jar
+ - org.eclipse.jetty-jetty-util-9.4.51.v20230217.jar
+ - org.eclipse.jetty-jetty-util-ajax-9.4.51.v20230217.jar
+ - org.eclipse.jetty.websocket-javax-websocket-client-impl-9.4.51.v20230217.jar
+ - org.eclipse.jetty.websocket-websocket-api-9.4.51.v20230217.jar
+ - org.eclipse.jetty.websocket-websocket-client-9.4.51.v20230217.jar
+ - org.eclipse.jetty.websocket-websocket-common-9.4.51.v20230217.jar
+ - org.eclipse.jetty.websocket-websocket-server-9.4.51.v20230217.jar
+ - org.eclipse.jetty.websocket-websocket-servlet-9.4.51.v20230217.jar
+ - org.eclipse.jetty-jetty-alpn-conscrypt-server-9.4.51.v20230217.jar
+ - org.eclipse.jetty-jetty-alpn-server-9.4.51.v20230217.jar
* SnakeYaml -- org.yaml-snakeyaml-1.32.jar
* RocksDB - org.rocksdb-rocksdbjni-6.10.2.jar
* Google Error Prone Annotations - com.google.errorprone-error_prone_annotations-2.5.1.jar
diff --git a/pom.xml b/pom.xml
index 81cf8b6b7c..52c1e587ad 100644
--- a/pom.xml
+++ b/pom.xml
@@ -112,7 +112,7 @@ flexible messaging model and an intuitive client API.</description>
<curator.version>5.1.0</curator.version>
<netty.version>4.1.93.Final</netty.version>
<netty-iouring.version>0.0.21.Final</netty-iouring.version>
- <jetty.version>9.4.48.v20220622</jetty.version>
+ <jetty.version>9.4.51.v20230217</jetty.version>
<conscrypt.version>2.5.2</conscrypt.version>
<jersey.version>2.34</jersey.version>
<athenz.version>1.10.50</athenz.version>
diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
index 8716eec69c..636fb61db9 100644
--- a/pulsar-sql/presto-distribution/LICENSE
+++ b/pulsar-sql/presto-distribution/LICENSE
@@ -274,22 +274,22 @@ The Apache Software License, Version 2.0
- joda-time-2.10.5.jar
- failsafe-2.4.4.jar
* Jetty
- - http2-client-9.4.48.v20220622.jar
- - http2-common-9.4.48.v20220622.jar
- - http2-hpack-9.4.48.v20220622.jar
- - http2-http-client-transport-9.4.48.v20220622.jar
- - jetty-alpn-client-9.4.48.v20220622.jar
- - http2-server-9.4.48.v20220622.jar
- - jetty-alpn-java-client-9.4.48.v20220622.jar
- - jetty-client-9.4.48.v20220622.jar
- - jetty-http-9.4.48.v20220622.jar
- - jetty-io-9.4.48.v20220622.jar
- - jetty-jmx-9.4.48.v20220622.jar
- - jetty-security-9.4.48.v20220622.jar
- - jetty-server-9.4.48.v20220622.jar
- - jetty-servlet-9.4.48.v20220622.jar
- - jetty-util-9.4.48.v20220622.jar
- - jetty-util-ajax-9.4.48.v20220622.jar
+ - http2-client-9.4.51.v20230217.jar
+ - http2-common-9.4.51.v20230217.jar
+ - http2-hpack-9.4.51.v20230217.jar
+ - http2-http-client-transport-9.4.51.v20230217.jar
+ - jetty-alpn-client-9.4.51.v20230217.jar
+ - http2-server-9.4.51.v20230217.jar
+ - jetty-alpn-java-client-9.4.51.v20230217.jar
+ - jetty-client-9.4.51.v20230217.jar
+ - jetty-http-9.4.51.v20230217.jar
+ - jetty-io-9.4.51.v20230217.jar
+ - jetty-jmx-9.4.51.v20230217.jar
+ - jetty-security-9.4.51.v20230217.jar
+ - jetty-server-9.4.51.v20230217.jar
+ - jetty-servlet-9.4.51.v20230217.jar
+ - jetty-util-9.4.51.v20230217.jar
+ - jetty-util-ajax-9.4.51.v20230217.jar
* Apache BVal
- bval-jsr-2.0.0.jar
* Bytecode

7
pulsar.spec
View File

@ -1,6 +1,6 @@
%define debug_package %{nil} %define debug_package %{nil}
%define pulsar_ver 2.10.4 %define pulsar_ver 2.10.4
%define pkg_ver 7 %define pkg_ver 8
%define _prefix /opt/pulsar %define _prefix /opt/pulsar
Summary: Cloud-Native, Distributed Messaging and Streaming Summary: Cloud-Native, Distributed Messaging and Streaming
Name: pulsar Name: pulsar
@ -17,6 +17,7 @@ Patch0004: 0004-netty-to-4.1.89.patch
Patch0005: 0005-cve-2023-34455.patch Patch0005: 0005-cve-2023-34455.patch
Patch0006: 0006-fix-memory-leak.patch Patch0006: 0006-fix-memory-leak.patch
Patch0007: 0007-CVE-2022-1471.patch Patch0007: 0007-CVE-2022-1471.patch
Patch0008: 0008-CVE-2023-26048.patch
BuildRoot: /root/rpmbuild/BUILDROOT/ BuildRoot: /root/rpmbuild/BUILDROOT/
BuildRequires: java-1.8.0-openjdk-devel,maven,systemd BuildRequires: java-1.8.0-openjdk-devel,maven,systemd
Requires: java-1.8.0-openjdk,systemd Requires: java-1.8.0-openjdk,systemd
@ -35,6 +36,8 @@ Pulsar is a distributed pub-sub messaging platform with a very flexible messagin
%patch0004 -p1 %patch0004 -p1
%patch0005 -p1 %patch0005 -p1
%patch0006 -p1 %patch0006 -p1
%patch0007 -p1
%patch0008 -p1
%build %build
mvn clean install -Pcore-modules,-main -DskipTests mvn clean install -Pcore-modules,-main -DskipTests
@ -60,6 +63,8 @@ getent passwd pulsar >/dev/null || useradd -r -g pulsar -d / -s /sbin/nologin pu
exit 0 exit 0
%changelog %changelog
* Mon Dec 4 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-8
- resolve cve-2023-26048
* Mon Dec 4 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-7 * Mon Dec 4 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-7
- resolve cve-2022-1471 - resolve cve-2022-1471
* Fri Dec 1 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-6 * Fri Dec 1 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-6