Fix security vulnerabilities of Pulsar #7801


Merged (3 commits), Aug 14, 2020

Conversation

@wolfstudy (Member) commented Aug 12, 2020

Signed-off-by: xiaolong.ran <rxl@apache.org>

Motivation

Based on the scan results of Black Duck, we found that there are security vulnerabilities in the components currently used by Pulsar; some are directly referenced by Pulsar, and some are indirectly referenced by Pulsar.

Modifications

  • Remove `<test-hdfs-offload-jetty>9.3.24.v20180605</test-hdfs-offload-jetty>` because no one uses it.

  • Upgrade netty version from 4.1.48.Final to 4.1.51.Final (directly referenced)

Netty Project 4.1.48.Final maven BDSA-2018-4022 MEDIUM
  • Upgrade hbase version from 1.4.9 to 2.3.0 (indirectly referenced)
Apache Tomcat 5.5.23 maven CVE-2007-2449 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2007-3382 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2007-3385 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2007-3386 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2007-5342 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2007-5333 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2007-6286 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2008-2370 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2008-2938 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2009-0781 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2009-0033 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2009-0580 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2009-0783 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2008-5515 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2009-2693 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2009-2901 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2009-2902 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2010-2227 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2009-2696 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2010-4476 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2011-0013 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2011-2526 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2011-3190 HIGH
Apache Tomcat 5.5.23 maven CVE-2011-4858 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2011-1184 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2011-5062 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2011-5063 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2011-5064 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2012-0022 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2012-5885 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2012-5886 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2012-5887 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2012-5568 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2012-3546 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2013-1976 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2013-6357 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2013-2185 HIGH
Apache Tomcat 5.5.23 maven CVE-2013-4286 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2013-4322 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2013-4590 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2014-0075 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2014-0096 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2014-0099 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2014-0119 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2013-4444 MEDIUM
Apache Tomcat 5.5.23 maven BDSA-2009-0001 (CVE-2009-3548) HIGH
Apache Tomcat 5.5.23 maven BDSA-2016-0056 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2020-8022 HIGH

and

Apache HttpClient 3.1 maven CVE-2015-5262 MEDIUM
Apache HttpClient 3.1 maven BDSA-2012-0025 (CVE-2012-5783) MEDIUM
Apache HttpClient 3.1 maven BDSA-2014-0112 (CVE-2012-6153) MEDIUM
  • Upgrade fastjson version from 1.2.28 to 1.2.73 (directly referenced)
fastjson 1.2.28 maven BDSA-2019-3073 MEDIUM
  • Upgrade canal.client version from 1.1.1 to 1.1.4
Spring Framework 3.2.18 maven BDSA-2018-0994 (CVE-2018-1270) MEDIUM
Spring Framework 3.2.18 maven BDSA-2018-1042 MEDIUM
  • Upgrade solr version from 7.5.0 to 8.6.0 (directly referenced)
apache lucene-solr 7.5.0 maven BDSA-2018-4775 (CVE-2017-3164) MEDIUM
apache lucene-solr 7.5.0 maven BDSA-2019-2386 (CVE-2019-0193) MEDIUM
apache lucene-solr 7.5.0 maven BDSA-2019-3379 (CVE-2019-17558) MEDIUM
  • Upgrade dep.airlift version from 0.170 to 0.199 (indirectly referenced)
Apache Commons BeanUtils 1.8.3 maven BDSA-2014-0001 (CVE-2014-0114) MEDIUM
Apache Commons BeanUtils 1.8.3 maven BDSA-2014-0129 (CVE-2019-10086) MEDIUM

Signed-off-by: xiaolong.ran <rxl@apache.org>
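An added example, not part of this PR or of the Pulsar code base: a small parser for scan lines in the format quoted above ("component version maven advisory [(CVE)] SEVERITY") that collapses the duplicated entries and reports the number of distinct findings and the worst severity per component. The regex and the sample lines (copied from the PR text, duplicates kept on purpose) are assumptions about the scanner's export format.

```python
"""Parse Black Duck style scan lines as pasted in the PR and summarise them per component."""
import re
from collections import defaultdict

# Assumed line shape: "<component> <version> maven <advisory id> [(CVE-YYYY-NNNN)] <SEVERITY>"
SCAN_LINE = re.compile(
    r"^(?P<component>.+?)\s+(?P<version>\d[\w.\-]*)\s+maven\s+"
    r"(?P<advisory>\S+)(?:\s+\((?P<cve>CVE-\d{4}-\d+)\))?\s+"
    r"(?P<severity>LOW|MEDIUM|HIGH|CRITICAL)$"
)

# Constructed sample input: lines taken from the PR body, including its duplicates.
SAMPLE = """\
Netty Project 4.1.48.Final maven BDSA-2018-4022 MEDIUM
Netty Project 4.1.48.Final maven BDSA-2018-4022 MEDIUM
Apache Tomcat 5.5.23 maven CVE-2011-3190 HIGH
Apache Tomcat 5.5.23 maven BDSA-2009-0001 (CVE-2009-3548) HIGH
Apache Tomcat 5.5.23 maven CVE-2020-8022 HIGH
Apache Commons BeanUtils 1.8.3 maven BDSA-2014-0129 (CVE-2019-10086) MEDIUM
"""

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def parse_scan(text):
    """Return {(component, version): {finding_id: severity}}.

    Repeated lines collapse because the finding id is used as a dict key;
    when a BDSA id carries a CVE in parentheses the CVE is used as the id.
    """
    findings = defaultdict(dict)
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if not m:
            continue  # skip prose or blank lines that are not scan output
        key = (m["component"], m["version"])
        finding_id = m["cve"] or m["advisory"]
        findings[key][finding_id] = m["severity"]
    return findings


def summarise(findings):
    """Map "component version" to (distinct finding count, worst severity)."""
    summary = {}
    for (component, version), by_id in findings.items():
        worst = max(by_id.values(), key=SEVERITY_RANK.__getitem__)
        summary[f"{component} {version}"] = (len(by_id), worst)
    return summary


if __name__ == "__main__":
    for name, (count, worst) in sorted(summarise(parse_scan(SAMPLE)).items()):
        print(f"{name}: {count} distinct finding(s), worst {worst}")
```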
@wolfstudy wolfstudy self-assigned this Aug 12, 2020
@wolfstudy wolfstudy requested review from massakam, tuteng, sijie, jerrypeng, jiazhai and codelipenghui and removed request for massakam August 12, 2020 12:59
@wolfstudy wolfstudy added this to the 2.7.0 milestone Aug 12, 2020
@wolfstudy wolfstudy requested a review from merlimat August 12, 2020 13:00
@codelipenghui (Contributor) commented:

/pulsarbot run-failure-checks

@codelipenghui codelipenghui merged commit 855ee93 into apache:master Aug 14, 2020