Posted to commits@pulsar.apache.org by pe...@apache.org on 2022/02/10 04:04:26 UTC

[pulsar] 03/13: Updated dependencies to get rid of pulsar-io/jdbc related CVE-2020-13692 (#13753)

This is an automated email from the ASF dual-hosted git repository.

penghui pushed a commit to branch branch-2.9
in repository https://gitbox.apache.org/repos/asf/pulsar.git

commit e2c94b8976ecaf6582684cde1584a81c80ef7abd
Author: Andrey Yegorov <86...@users.noreply.github.com>
AuthorDate: Sun Jan 16 09:48:59 2022 -0800

    Updated dependencies to get rid of pulsar-io/jdbc related CVE-2020-13692 (#13753)
    
    * Updated dependencies to get rid of pulsar-io/jdbc related CVE-2020-13692
    
    Also upgraded clickhouse lib and suppressed wrongly detected clickhouse
    CVEs (client lib matched to server CVEs)
    
    * CR feedback
    
    (cherry picked from commit 8214da86b2bd2213a7d97e1d174e8d4e53c1b669)
---
 pom.xml                                     |  4 +-
 src/owasp-dependency-check-suppressions.xml | 74 ++++++++++++++++++++++++++++-
 2 files changed, 75 insertions(+), 3 deletions(-)

diff --git a/pom.xml b/pom.xml
index 41ef32b..76cf36d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -148,8 +148,8 @@ flexible messaging model and an intuitive client API.</description>
     <jclouds.version>2.3.0</jclouds.version>
     <sqlite-jdbc.version>3.8.11.2</sqlite-jdbc.version>
     <mysql-jdbc.version>8.0.11</mysql-jdbc.version>
-    <postgresql-jdbc.version>42.2.12</postgresql-jdbc.version>
-    <clickhouse-jdbc.version>0.2.4</clickhouse-jdbc.version>
+    <postgresql-jdbc.version>42.2.24</postgresql-jdbc.version>
+    <clickhouse-jdbc.version>0.3.2</clickhouse-jdbc.version>
     <mariadb-jdbc.version>2.6.0</mariadb-jdbc.version>
     <hdfs-offload-version3>3.3.0</hdfs-offload-version3>
     <elasticsearch.version>7.9.1</elasticsearch.version>
diff --git a/src/owasp-dependency-check-suppressions.xml b/src/owasp-dependency-check-suppressions.xml
index 139365d..838e142 100644
--- a/src/owasp-dependency-check-suppressions.xml
+++ b/src/owasp-dependency-check-suppressions.xml
@@ -41,4 +41,76 @@
     <gav regex="true">org\.apache\.zookeeper:.*:3\.6\.2</gav>
     <vulnerabilityName regex="true">.*</vulnerabilityName>
   </suppress>
-</suppressions>
\ No newline at end of file
+
+  <!-- clickhouse: security scan matches client lib to the server CVEs -->
+  <suppress>
+    <notes><![CDATA[
+    file name: avro-1.10.2.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.avro/avro@.*$</packageUrl>
+    <cve>CVE-2021-43045</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    file name: clickhouse-jdbc-0.3.2.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+    <cve>CVE-2018-14668</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    file name: clickhouse-jdbc-0.3.2.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+    <cve>CVE-2018-14669</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    file name: clickhouse-jdbc-0.3.2.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+    <cve>CVE-2018-14670</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    file name: clickhouse-jdbc-0.3.2.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+    <cve>CVE-2018-14671</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    file name: clickhouse-jdbc-0.3.2.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+    <cve>CVE-2018-14672</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    file name: clickhouse-jdbc-0.3.2.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+    <cve>CVE-2019-15024</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    file name: clickhouse-jdbc-0.3.2.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+    <cve>CVE-2019-16535</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    file name: clickhouse-jdbc-0.3.2.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+    <cve>CVE-2019-18657</cve>
+  </suppress> 
+  <suppress>
+    <notes><![CDATA[
+    file name: clickhouse-jdbc-0.3.2.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+    <cve>CVE-2021-25263</cve>
+  </suppress>
+</suppressions>
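Review bot: The first new suppress block (the avro entry for CVE-2021-43045) sits under the "clickhouse: security scan matches client lib to the server CVEs" comment, yet it is not a clickhouse artifact and its notes record only the jar name, so the file gives no reason why this CVE is a false positive for avro. The packageUrl regex `^pkg:maven/org\.apache\.avro/avro@.*$` also silences the finding for every future avro version, so the suppression is never revisited when the library is upgraded; the same open-ended `@.*` pattern is used for all nine clickhouse-jdbc entries, which is defensible for server-side CVEs but should be stated once rather than left to the reader. I would pin the avro entry and record the rationale, e.g. `<notes><![CDATA[ file name: avro-1.10.2.jar — CVE-2021-43045 does not apply to this Java artifact; re-check on upgrade ]]></notes>` with `<packageUrl regex="true">^pkg:maven/org\.apache\.avro/avro@1\.10\.2$</packageUrl>`, and consider the dependency-check `until="YYYY-MM-DD"` attribute on `<suppress>` so the suppressions expire and get re-evaluated. Minor style: the `</suppress>` closing the CVE-2019-18657 entry carries trailing whitespace.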