Posted to commits@pulsar.apache.org by pe...@apache.org on 2022/02/10 04:04:26 UTC
[pulsar] 03/13: Updated dependencies to get rid of pulsar-io/jdbc related CVE-2020-13692 (#13753)
This is an automated email from the ASF dual-hosted git repository.
penghui pushed a commit to branch branch-2.9
in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit e2c94b8976ecaf6582684cde1584a81c80ef7abd
Author: Andrey Yegorov <86...@users.noreply.github.com>
AuthorDate: Sun Jan 16 09:48:59 2022 -0800
Updated dependencies to get rid of pulsar-io/jdbc related CVE-2020-13692 (#13753)
* Updated dependencies to get rid of pulsar-io/jdbc related CVE-2020-13692
Also upgraded the clickhouse lib and suppressed wrongly detected clickhouse
CVEs (the client lib was being matched to server CVEs)
* CR feedback
(cherry picked from commit 8214da86b2bd2213a7d97e1d174e8d4e53c1b669)
---
pom.xml | 4 +-
src/owasp-dependency-check-suppressions.xml | 74 ++++++++++++++++++++++++++++-
2 files changed, 75 insertions(+), 3 deletions(-)
diff --git a/pom.xml b/pom.xml
index 41ef32b..76cf36d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -148,8 +148,8 @@ flexible messaging model and an intuitive client API.</description>
<jclouds.version>2.3.0</jclouds.version>
<sqlite-jdbc.version>3.8.11.2</sqlite-jdbc.version>
<mysql-jdbc.version>8.0.11</mysql-jdbc.version>
- <postgresql-jdbc.version>42.2.12</postgresql-jdbc.version>
- <clickhouse-jdbc.version>0.2.4</clickhouse-jdbc.version>
+ <postgresql-jdbc.version>42.2.24</postgresql-jdbc.version>
+ <clickhouse-jdbc.version>0.3.2</clickhouse-jdbc.version>
<mariadb-jdbc.version>2.6.0</mariadb-jdbc.version>
<hdfs-offload-version3>3.3.0</hdfs-offload-version3>
<elasticsearch.version>7.9.1</elasticsearch.version>
diff --git a/src/owasp-dependency-check-suppressions.xml b/src/owasp-dependency-check-suppressions.xml
index 139365d..838e142 100644
--- a/src/owasp-dependency-check-suppressions.xml
+++ b/src/owasp-dependency-check-suppressions.xml
@@ -41,4 +41,76 @@
<gav regex="true">org\.apache\.zookeeper:.*:3\.6\.2</gav>
<vulnerabilityName regex="true">.*</vulnerabilityName>
</suppress>
-</suppressions>
\ No newline at end of file
+
+ <!-- clickhouse: security scan matches client lib to the server CVEs -->
+ <suppress>
+ <notes><![CDATA[
+ file name: avro-1.10.2.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.avro/avro@.*$</packageUrl>
+ <cve>CVE-2021-43045</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: clickhouse-jdbc-0.3.2.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+ <cve>CVE-2018-14668</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: clickhouse-jdbc-0.3.2.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+ <cve>CVE-2018-14669</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: clickhouse-jdbc-0.3.2.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+ <cve>CVE-2018-14670</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: clickhouse-jdbc-0.3.2.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+ <cve>CVE-2018-14671</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: clickhouse-jdbc-0.3.2.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+ <cve>CVE-2018-14672</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: clickhouse-jdbc-0.3.2.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+ <cve>CVE-2019-15024</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: clickhouse-jdbc-0.3.2.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+ <cve>CVE-2019-16535</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: clickhouse-jdbc-0.3.2.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+ <cve>CVE-2019-18657</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: clickhouse-jdbc-0.3.2.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+ <cve>CVE-2021-25263</cve>
+ </suppress>
+</suppressions>
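Review bot: The avro suppression at the top of the hunk sits under the "clickhouse: security scan matches client lib to the server CVEs" comment, but it targets `org.apache.avro/avro@.*` and CVE-2021-43045, so the stated rationale does not cover it and the `<notes>` give only a file name, not why the finding is a false positive for this artifact. Every `packageUrl` regex here also ends in `@.*$`, which keeps the suppression active for all future versions of the dependency; that is defensible for the ClickHouse server CVEs, which can never apply to the JDBC driver, but for avro a version-bounded pattern plus an `until="YYYY-MM-DD"` review date (the attribute dependency-check supports on `<suppress>`) would keep a real client-side Avro advisory from being hidden later. I would add a separate comment for that entry, e.g. `<!-- avro: CVE-2021-43045 — document why the Java artifact is unaffected; revisit on next avro bump -->`, and record the reason inside its `<notes>`. The ten ClickHouse entries repeat the same `<notes>` and `<packageUrl>`; the suppression schema accepts several `<cve>` children in one `<suppress>`, so collapsing them into a single entry would make the rule easier to audit.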