Posted to commits@uniffle.apache.org by ro...@apache.org on 2023/01/11 02:07:21 UTC
[incubator-uniffle] branch master updated: [Deps] Bump slf4j to fix vulnerability in slf4j-log4j12 (#464)
This is an automated email from the ASF dual-hosted git repository.
roryqi pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-uniffle.git
The following commit(s) were added to refs/heads/master by this push:
new 066acdce [Deps] Bump slf4j to fix vulnerability in slf4j-log4j12 (#464)
066acdce is described below
commit 066acdce5f70d52f04bbbf289a0e572aa1f48a6d
Author: Kaijie Chen <ck...@apache.org>
AuthorDate: Wed Jan 11 10:07:15 2023 +0800
[Deps] Bump slf4j to fix vulnerability in slf4j-log4j12 (#464)
### What changes were proposed in this pull request?
Bump slf4j to 1.7.36 to fix vulnerability in slf4j-log4j12.
Btw, slf4j:1.7.36 depends on reload4j:1.2.19 instead of log4j.
### Why are the changes needed?
slf4j-log4j12:1.7.25 provides the transitive vulnerable dependency log4j:1.2.17
* CVE-2019-17571 9.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation
* CVE-2021-4104 7.5 Deserialization of Untrusted Data vulnerability with medium severity found
* CVE-2022-23302 8.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation
* CVE-2022-23305 9.8 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability pending CVSS allocation
* CVE-2022-23307 8.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation
### Does this PR introduce _any_ user-facing change?
No.
### How was this patch tested?
No need.
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index d1adaa67..2ff3f877 100644
--- a/pom.xml
+++ b/pom.xml
@@ -71,7 +71,7 @@
<roaring.bitmap.version>0.9.15</roaring.bitmap.version>
<rss.shade.packageName>org.apache.uniffle</rss.shade.packageName>
<skipDeploy>false</skipDeploy>
- <slf4j.version>1.7.25</slf4j.version>
+ <slf4j.version>1.7.36</slf4j.version>
<spotbugs.version>4.7.0</spotbugs.version>
<spotbugs-maven-plugin.version>4.7.0.0</spotbugs-maven-plugin.version>
<system-rules.version>1.19.0</system-rules.version>
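Review bot: this hunk changes only the `slf4j.version` property, so it does not by itself show that `log4j:log4j:1.2.17` is gone from the resolved dependency graph; the description relies on slf4j 1.7.36 pulling in reload4j 1.2.19 instead, but any other dependency that still declares `log4j:log4j` would keep the vulnerable artifact on the classpath, and "How was this patch tested?" currently says "No need." Suggest running `mvn dependency:tree -Dincludes=log4j:log4j` on the updated pom to confirm no `log4j:log4j` artifact remains and that reload4j 1.2.19 is what resolves, and recording that check in the PR description so the CVE list above is demonstrably addressed rather than assumed.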