Posted to commits@uniffle.apache.org by ro...@apache.org on 2023/01/11 02:07:21 UTC

[incubator-uniffle] branch master updated: [Deps] Bump slf4j to fix vulnerability in slf4j-log4j12 (#464)

This is an automated email from the ASF dual-hosted git repository.

roryqi pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-uniffle.git


The following commit(s) were added to refs/heads/master by this push:
     new 066acdce [Deps] Bump slf4j to fix vulnerability in slf4j-log4j12 (#464)
066acdce is described below

commit 066acdce5f70d52f04bbbf289a0e572aa1f48a6d
Author: Kaijie Chen <ck...@apache.org>
AuthorDate: Wed Jan 11 10:07:15 2023 +0800

    [Deps] Bump slf4j to fix vulnerability in slf4j-log4j12 (#464)
    
    ### What changes were proposed in this pull request?
    
    Bump slf4j to 1.7.36 to fix vulnerability in slf4j-log4j12.
    
    Btw, slf4j:1.7.36 depends on reload4j:1.2.19 instead of log4j.
    
    ### Why are the changes needed?
    
    slf4j-log4j12:1.7.25 provides the transitive vulnerable dependency log4j:1.2.17:
    
    * CVE-2019-17571 9.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation
    * CVE-2021-4104 7.5 Deserialization of Untrusted Data vulnerability with medium severity found
    * CVE-2022-23302 8.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation
    * CVE-2022-23305 9.8 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability pending CVSS allocation
    * CVE-2022-23307 8.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation
    
    ### Does this PR introduce _any_ user-facing change?
    
    No.
    
    ### How was this patch tested?
    
    No need.
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index d1adaa67..2ff3f877 100644
--- a/pom.xml
+++ b/pom.xml
@@ -71,7 +71,7 @@
     <roaring.bitmap.version>0.9.15</roaring.bitmap.version>
     <rss.shade.packageName>org.apache.uniffle</rss.shade.packageName>
     <skipDeploy>false</skipDeploy>
-    <slf4j.version>1.7.25</slf4j.version>
+    <slf4j.version>1.7.36</slf4j.version>
     <spotbugs.version>4.7.0</spotbugs.version>
     <spotbugs-maven-plugin.version>4.7.0.0</spotbugs-maven-plugin.version>
     <system-rules.version>1.19.0</system-rules.version>
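Review bot: the single property bump `<slf4j.version>1.7.36</slf4j.version>` only removes log4j:1.2.17 from the build if slf4j-log4j12 was the sole path to it, yet the description answers "How was this patch tested?" with "No need". Since the stated goal is to drop a vulnerable transitive artifact, the test for this change is to run `mvn dependency:tree -Dincludes=log4j:log4j` before and after the bump across all modules and confirm that log4j:log4j no longer appears (only reload4j:1.2.19, as the description claims), and that no other module or shade configuration still pins log4j by coordinates; please record that result in the PR description.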