resolve CVE-2023-26048

2023-12-04 11:42:12 +00:00 · 2023-12-04 11:42:12 +00:00 · f312c12c99
commit f312c12c99
parent 6b14131efa
2 changed files with 111 additions and 1 deletions
--- a/0008-CVE-2023-26048.patch
+++ b/0008-CVE-2023-26048.patch
@ -0,0 +1,105 @@
+diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
+index 996cb16751..87c54acbe3 100644
+--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
+@@ -433,25 +433,25 @@ The Apache Software License, Version 2.0
+     - org.asynchttpclient-async-http-client-2.12.1.jar
+     - org.asynchttpclient-async-http-client-netty-utils-2.12.1.jar
+  * Jetty
+-    - org.eclipse.jetty-jetty-client-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-continuation-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-http-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-io-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-proxy-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-security-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-server-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-servlet-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-servlets-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-util-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-util-ajax-9.4.48.v20220622.jar
+-    - org.eclipse.jetty.websocket-javax-websocket-client-impl-9.4.48.v20220622.jar
+-    - org.eclipse.jetty.websocket-websocket-api-9.4.48.v20220622.jar
+-    - org.eclipse.jetty.websocket-websocket-client-9.4.48.v20220622.jar
+-    - org.eclipse.jetty.websocket-websocket-common-9.4.48.v20220622.jar
+-    - org.eclipse.jetty.websocket-websocket-server-9.4.48.v20220622.jar
+-    - org.eclipse.jetty.websocket-websocket-servlet-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-alpn-conscrypt-server-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-alpn-server-9.4.48.v20220622.jar
+    - org.eclipse.jetty-jetty-client-9.4.51.v20230217.jar
+    - org.eclipse.jetty-jetty-continuation-9.4.51.v20230217.jar
+    - org.eclipse.jetty-jetty-http-9.4.51.v20230217.jar
+    - org.eclipse.jetty-jetty-io-9.4.51.v20230217.jar
+    - org.eclipse.jetty-jetty-proxy-9.4.51.v20230217.jar
+    - org.eclipse.jetty-jetty-security-9.4.51.v20230217.jar
+    - org.eclipse.jetty-jetty-server-9.4.51.v20230217.jar
+    - org.eclipse.jetty-jetty-servlet-9.4.51.v20230217.jar
+    - org.eclipse.jetty-jetty-servlets-9.4.51.v20230217.jar
+    - org.eclipse.jetty-jetty-util-9.4.51.v20230217.jar
+    - org.eclipse.jetty-jetty-util-ajax-9.4.51.v20230217.jar
+    - org.eclipse.jetty.websocket-javax-websocket-client-impl-9.4.51.v20230217.jar
+    - org.eclipse.jetty.websocket-websocket-api-9.4.51.v20230217.jar
+    - org.eclipse.jetty.websocket-websocket-client-9.4.51.v20230217.jar
+    - org.eclipse.jetty.websocket-websocket-common-9.4.51.v20230217.jar
+    - org.eclipse.jetty.websocket-websocket-server-9.4.51.v20230217.jar
+    - org.eclipse.jetty.websocket-websocket-servlet-9.4.51.v20230217.jar
+    - org.eclipse.jetty-jetty-alpn-conscrypt-server-9.4.51.v20230217.jar
+    - org.eclipse.jetty-jetty-alpn-server-9.4.51.v20230217.jar
+  * SnakeYaml -- org.yaml-snakeyaml-1.32.jar
+  * RocksDB - org.rocksdb-rocksdbjni-6.10.2.jar
+  * Google Error Prone Annotations - com.google.errorprone-error_prone_annotations-2.5.1.jar
+diff --git a/pom.xml b/pom.xml
+index 81cf8b6b7c..52c1e587ad 100644
+--- a/pom.xml
+++ b/pom.xml
+@@ -112,7 +112,7 @@ flexible messaging model and an intuitive client API.</description>
+     <curator.version>5.1.0</curator.version>
+     <netty.version>4.1.93.Final</netty.version>
+     <netty-iouring.version>0.0.21.Final</netty-iouring.version>
+-    <jetty.version>9.4.48.v20220622</jetty.version>
+    <jetty.version>9.4.51.v20230217</jetty.version>
+     <conscrypt.version>2.5.2</conscrypt.version>
+     <jersey.version>2.34</jersey.version>
+     <athenz.version>1.10.50</athenz.version>
+diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
+index 8716eec69c..636fb61db9 100644
+--- a/pulsar-sql/presto-distribution/LICENSE
+++ b/pulsar-sql/presto-distribution/LICENSE
+@@ -274,22 +274,22 @@ The Apache Software License, Version 2.0
+     - joda-time-2.10.5.jar
+     - failsafe-2.4.4.jar
+   * Jetty
+-    - http2-client-9.4.48.v20220622.jar
+-    - http2-common-9.4.48.v20220622.jar
+-    - http2-hpack-9.4.48.v20220622.jar
+-    - http2-http-client-transport-9.4.48.v20220622.jar
+-    - jetty-alpn-client-9.4.48.v20220622.jar
+-    - http2-server-9.4.48.v20220622.jar
+-    - jetty-alpn-java-client-9.4.48.v20220622.jar
+-    - jetty-client-9.4.48.v20220622.jar
+-    - jetty-http-9.4.48.v20220622.jar
+-    - jetty-io-9.4.48.v20220622.jar
+-    - jetty-jmx-9.4.48.v20220622.jar
+-    - jetty-security-9.4.48.v20220622.jar
+-    - jetty-server-9.4.48.v20220622.jar
+-    - jetty-servlet-9.4.48.v20220622.jar
+-    - jetty-util-9.4.48.v20220622.jar
+-    - jetty-util-ajax-9.4.48.v20220622.jar
+    - http2-client-9.4.51.v20230217.jar
+    - http2-common-9.4.51.v20230217.jar
+    - http2-hpack-9.4.51.v20230217.jar
+    - http2-http-client-transport-9.4.51.v20230217.jar
+    - jetty-alpn-client-9.4.51.v20230217.jar
+    - http2-server-9.4.51.v20230217.jar
+    - jetty-alpn-java-client-9.4.51.v20230217.jar
+    - jetty-client-9.4.51.v20230217.jar
+    - jetty-http-9.4.51.v20230217.jar
+    - jetty-io-9.4.51.v20230217.jar
+    - jetty-jmx-9.4.51.v20230217.jar
+    - jetty-security-9.4.51.v20230217.jar
+    - jetty-server-9.4.51.v20230217.jar
+    - jetty-servlet-9.4.51.v20230217.jar
+    - jetty-util-9.4.51.v20230217.jar
+    - jetty-util-ajax-9.4.51.v20230217.jar
+   * Apache BVal
+     - bval-jsr-2.0.0.jar
+   * Bytecode
--- a/pulsar.spec
+++ b/pulsar.spec
@ -1,6 +1,6 @@
 %define debug_package %{nil}
 %define pulsar_ver 2.10.4
-%define pkg_ver 7
+%define pkg_ver 8
 %define _prefix /opt/pulsar
 Summary: Cloud-Native, Distributed Messaging and Streaming
 Name: pulsar
@ -17,6 +17,7 @@ Patch0004: 0004-netty-to-4.1.89.patch
 Patch0005: 0005-cve-2023-34455.patch
 Patch0006: 0006-fix-memory-leak.patch
 Patch0007: 0007-CVE-2022-1471.patch
+Patch0008: 0008-CVE-2023-26048.patch
 BuildRoot: /root/rpmbuild/BUILDROOT/
 BuildRequires: java-1.8.0-openjdk-devel,maven,systemd
 Requires: java-1.8.0-openjdk,systemd
@ -35,6 +36,8 @@ Pulsar is a distributed pub-sub messaging platform with a very flexible messagin
 %patch0004 -p1
 %patch0005 -p1
 %patch0006 -p1
+%patch0007 -p1
+%patch0008 -p1

 %build
 mvn clean install -Pcore-modules,-main -DskipTests
@ -60,6 +63,8 @@ getent passwd pulsar >/dev/null || useradd -r -g pulsar -d / -s /sbin/nologin pu
 exit 0

 %changelog
+* Mon Dec 4 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-8
+- resolve cve-2023-26048
 * Mon Dec 4 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-7
 - resolve cve-2022-1471
 * Fri Dec 1 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-6