resolve CVE-2022-22970

sundapeng 2023-12-06 01:37:36 +00:00
parent 5c61327a1d
commit fe8fedc181
2 changed files with 63 additions and 1 deletions

58
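--- /dev/null
+++ b/0010-CVE-2022-22970.patch
@@ -0,0 +1,58 @@
+diff --git a/pom.xml b/pom.xml
+index 5bdf7946f5..c6d4dcc9c7 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -206,7 +206,7 @@ flexible messaging model and an intuitive client API.</description>
+<kotlin-stdlib.version>1.6.0</kotlin-stdlib.version>
+<nsq-client.version>1.0</nsq-client.version>
+<cron-utils.version>9.1.6</cron-utils.version>
+- <spring-context.version>5.3.19</spring-context.version>
++ <spring.version>5.3.20</spring.version>
+<apache-http-client.version>4.5.13</apache-http-client.version>
+<jetcd.version>0.5.11</jetcd.version>
+<snakeyaml.version>1.32</snakeyaml.version>
+diff --git a/pulsar-io/batch-data-generator/pom.xml b/pulsar-io/batch-data-generator/pom.xml
+index 8808917e5e..7611a27fe3 100644
+--- a/pulsar-io/batch-data-generator/pom.xml
++++ b/pulsar-io/batch-data-generator/pom.xml
+@@ -47,7 +47,7 @@
+<dependency>
+<groupId>org.springframework</groupId>
+<artifactId>spring-context</artifactId>
+- <version>${spring-context.version}</version>
++ <version>${spring.version}</version>
+</dependency>
+<dependency>
+diff --git a/pulsar-io/batch-discovery-triggerers/pom.xml b/pulsar-io/batch-discovery-triggerers/pom.xml
+index 66f7d4e17e..b8435ac1ac 100644
+--- a/pulsar-io/batch-discovery-triggerers/pom.xml
++++ b/pulsar-io/batch-discovery-triggerers/pom.xml
+@@ -47,7 +47,7 @@
+<dependency>
+<groupId>org.springframework</groupId>
+<artifactId>spring-context</artifactId>
+- <version>${spring-context.version}</version>
++ <version>${spring.version}</version>
+</dependency>
+</dependencies>
+diff --git a/pulsar-io/canal/pom.xml b/pulsar-io/canal/pom.xml
+index eef6d346e6..3519ab0f1c 100644
+--- a/pulsar-io/canal/pom.xml
++++ b/pulsar-io/canal/pom.xml
+@@ -33,7 +33,6 @@
+<name>Pulsar IO :: Canal</name>
+<properties>
+- <spring.version>5.3.19</spring.version>
+<canal.version>1.1.5</canal.version>
+</properties>
+@@ -121,4 +120,4 @@
+</build>
+-</project>
+\ No newline at end of file
++</project>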
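Review bot: The root property is renamed from `spring-context.version` to `spring.version`, but only the two pulsar-io modules shown here (batch-data-generator and batch-discovery-triggerers) are switched to the new name; any other module that still references `${spring-context.version}` would no longer resolve, so the source tree should be searched for the old name before this patch is carried. The bump to 5.3.20 also pins only the directly declared `spring-context` and whatever canal derives from the inherited `spring.version`; Spring artifacts that arrive transitively through other dependencies are not forced to the fixed release unless they are managed. Importing the Spring BOM in the root `<dependencyManagement>` would close that gap, and `mvn dependency:tree -Dincludes=org.springframework` on the packaged modules would confirm that nothing below 5.3.20 is shipped. The `<properties>` and `<dependencies>` blocks these hunks touch start and end outside the visible lines.

```xml
<!-- root pom.xml, inside <dependencyManagement><dependencies> … unchanged: existing managed entries … -->
<dependency>
  <groupId>org.springframework</groupId>
  <artifactId>spring-framework-bom</artifactId>
  <version>${spring.version}</version>
  <type>pom</type>
  <scope>import</scope>
</dependency>
```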


@ -1,6 +1,6 @@
%define debug_package %{nil} %define debug_package %{nil}
%define pulsar_ver 2.10.4 %define pulsar_ver 2.10.4
%define pkg_ver 9 %define pkg_ver 10
%define _prefix /opt/pulsar %define _prefix /opt/pulsar
Summary: Cloud-Native, Distributed Messaging and Streaming Summary: Cloud-Native, Distributed Messaging and Streaming
Name: pulsar Name: pulsar
@ -19,6 +19,7 @@ Patch0006: 0006-fix-memory-leak.patch
Patch0007: 0007-CVE-2022-1471.patch Patch0007: 0007-CVE-2022-1471.patch
Patch0008: 0008-CVE-2023-26048.patch Patch0008: 0008-CVE-2023-26048.patch
Patch0009: 0009-CVE-2022-24329.patch Patch0009: 0009-CVE-2022-24329.patch
Patch0010: 0010-CVE-2022-22970.patch
BuildRoot: /root/rpmbuild/BUILDROOT/ BuildRoot: /root/rpmbuild/BUILDROOT/
BuildRequires: java-1.8.0-openjdk-devel,maven,systemd BuildRequires: java-1.8.0-openjdk-devel,maven,systemd
Requires: java-1.8.0-openjdk,systemd Requires: java-1.8.0-openjdk,systemd
@ -40,6 +41,7 @@ Pulsar is a distributed pub-sub messaging platform with a very flexible messagin
%patch0007 -p1 %patch0007 -p1
%patch0008 -p1 %patch0008 -p1
%patch0009 -p1 %patch0009 -p1
%patch0010 -p1
%build %build
mvn clean install -Pcore-modules,-main -DskipTests mvn clean install -Pcore-modules,-main -DskipTests
@ -65,6 +67,8 @@ getent passwd pulsar >/dev/null || useradd -r -g pulsar -d / -s /sbin/nologin pu
exit 0 exit 0
%changelog %changelog
* Wed Dec 6 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-10
- resolve cve-2022-22970
* Mon Dec 5 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-9 * Mon Dec 5 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-9
- resolve cve-2022-24329 - resolve cve-2022-24329
* Mon Dec 4 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-8 * Mon Dec 4 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-8