resolve CVE-2022-22970

2023-12-06 01:37:36 +00:00 · 2023-12-06 01:37:36 +00:00 · fe8fedc181
commit fe8fedc181
parent 5c61327a1d
2 changed files with 63 additions and 1 deletions
--- a/0010-CVE-2022-22970.patch
+++ b/0010-CVE-2022-22970.patch
@ -0,0 +1,58 @@
+diff --git a/pom.xml b/pom.xml
+index 5bdf7946f5..c6d4dcc9c7 100644
+--- a/pom.xml
+++ b/pom.xml
+@@ -206,7 +206,7 @@ flexible messaging model and an intuitive client API.</description>
+     <kotlin-stdlib.version>1.6.0</kotlin-stdlib.version>
+     <nsq-client.version>1.0</nsq-client.version>
+     <cron-utils.version>9.1.6</cron-utils.version>
+-    <spring-context.version>5.3.19</spring-context.version>
+    <spring.version>5.3.20</spring.version>
+     <apache-http-client.version>4.5.13</apache-http-client.version>
+     <jetcd.version>0.5.11</jetcd.version>
+     <snakeyaml.version>1.32</snakeyaml.version>
+diff --git a/pulsar-io/batch-data-generator/pom.xml b/pulsar-io/batch-data-generator/pom.xml
+index 8808917e5e..7611a27fe3 100644
+--- a/pulsar-io/batch-data-generator/pom.xml
+++ b/pulsar-io/batch-data-generator/pom.xml
+@@ -47,7 +47,7 @@
+         <dependency>
+             <groupId>org.springframework</groupId>
+             <artifactId>spring-context</artifactId>
+-            <version>${spring-context.version}</version>
+            <version>${spring.version}</version>
+         </dependency>
+ 
+         <dependency>
+diff --git a/pulsar-io/batch-discovery-triggerers/pom.xml b/pulsar-io/batch-discovery-triggerers/pom.xml
+index 66f7d4e17e..b8435ac1ac 100644
+--- a/pulsar-io/batch-discovery-triggerers/pom.xml
+++ b/pulsar-io/batch-discovery-triggerers/pom.xml
+@@ -47,7 +47,7 @@
+     <dependency>
+       <groupId>org.springframework</groupId>
+       <artifactId>spring-context</artifactId>
+-      <version>${spring-context.version}</version>
+      <version>${spring.version}</version>
+     </dependency>
+ 
+   </dependencies>
+diff --git a/pulsar-io/canal/pom.xml b/pulsar-io/canal/pom.xml
+index eef6d346e6..3519ab0f1c 100644
+--- a/pulsar-io/canal/pom.xml
+++ b/pulsar-io/canal/pom.xml
+@@ -33,7 +33,6 @@
+     <name>Pulsar IO :: Canal</name>
+ 
+     <properties>
+-        <spring.version>5.3.19</spring.version>
+         <canal.version>1.1.5</canal.version>
+     </properties>
+ 
+@@ -121,4 +120,4 @@
+     </build>
+ 
+ 
+-</project>
+\ No newline at end of file
+</project>
--- a/pulsar.spec
+++ b/pulsar.spec
@ -1,6 +1,6 @@
 %define debug_package %{nil}
 %define pulsar_ver 2.10.4
-%define pkg_ver 9
+%define pkg_ver 10
 %define _prefix /opt/pulsar
 Summary: Cloud-Native, Distributed Messaging and Streaming
 Name: pulsar
@ -19,6 +19,7 @@ Patch0006: 0006-fix-memory-leak.patch
 Patch0007: 0007-CVE-2022-1471.patch
 Patch0008: 0008-CVE-2023-26048.patch
 Patch0009: 0009-CVE-2022-24329.patch
+Patch0010: 0010-CVE-2022-22970.patch
 BuildRoot: /root/rpmbuild/BUILDROOT/
 BuildRequires: java-1.8.0-openjdk-devel,maven,systemd
 Requires: java-1.8.0-openjdk,systemd
@ -40,6 +41,7 @@ Pulsar is a distributed pub-sub messaging platform with a very flexible messagin
 %patch0007 -p1
 %patch0008 -p1
 %patch0009 -p1
+%patch0010 -p1

 %build
 mvn clean install -Pcore-modules,-main -DskipTests
@ -65,6 +67,8 @@ getent passwd pulsar >/dev/null || useradd -r -g pulsar -d / -s /sbin/nologin pu
 exit 0

 %changelog
+* Wed Dec 6 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-10
+- resolve cve-2022-22970
 * Mon Dec 5 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-9
 - resolve cve-2022-24329
 * Mon Dec 4 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-8