Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/08/12 12:59:15 UTC
[GitHub] [pulsar] wolfstudy opened a new pull request #7801: Fix security vulnerabilities of Pulsar
wolfstudy opened a new pull request #7801:
URL: https://github.com/apache/pulsar/pull/7801
Signed-off-by: xiaolong.ran <rx...@apache.org>
### Motivation
Based on the scan results of `Black Duck`, we found that there are security vulnerabilities in the components currently used by Pulsar; some are directly referenced by Pulsar, and some are indirectly referenced by Pulsar.
### Modifications
- Remove `<test-hdfs-offload-jetty>9.3.24.v20180605</test-hdfs-offload-jetty>` because no one uses it.
- **Upgrade netty version from `4.1.48.Final` to `4.1.51.Final`** (directly referenced)

Component | Version | Origin | Vulnerability | Severity
-- | -- | -- | -- | --
Netty Project | 4.1.48.Final | maven | BDSA-2018-4022 | MEDIUM
- **Upgrade jetty version from `9.3.24.v20180605` to `9.4.31.v20200723`** (directly referenced)

Component | Version | Origin | Vulnerability | Severity
-- | -- | -- | -- | --
Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server | 9.3.24.v20180605 | maven | CVE-2017-9735 | MEDIUM
Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server | 9.3.24.v20180605 | maven | CVE-2018-12545 | MEDIUM
- **Upgrade hbase version from `1.4.9` to `2.3.0`** (indirectly referenced)

Component | Version | Origin | Vulnerability | Severity
-- | -- | -- | -- | --
Apache Tomcat | 5.5.23 | maven | CVE-2007-2449 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2007-3382 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2007-3385 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2007-3386 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2007-5342 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2007-5333 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2007-6286 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2008-2370 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2008-2938 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2009-0781 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2009-0033 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2009-0580 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2009-0783 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2008-5515 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2009-2693 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2009-2901 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2009-2902 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2010-2227 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2009-2696 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2010-4476 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2011-0013 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2011-2526 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2011-3190 | HIGH
Apache Tomcat | 5.5.23 | maven | CVE-2011-4858 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2011-1184 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2011-5062 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2011-5063 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2011-5064 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2012-0022 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2012-5885 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2012-5886 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2012-5887 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2012-5568 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2012-3546 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2013-1976 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2013-6357 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2013-2185 | HIGH
Apache Tomcat | 5.5.23 | maven | CVE-2013-4286 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2013-4322 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2013-4590 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2014-0075 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2014-0096 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2014-0099 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2014-0119 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2013-4444 | MEDIUM
Apache Tomcat | 5.5.23 | maven | BDSA-2009-0001 (CVE-2009-3548) | HIGH
Apache Tomcat | 5.5.23 | maven | BDSA-2016-0056 | MEDIUM
Apache Tomcat | 5.5.23 | maven | CVE-2020-8022 | HIGH
and
Component | Version | Origin | Vulnerability | Severity
-- | -- | -- | -- | --
Apache HttpClient | 3.1 | maven | CVE-2015-5262 | MEDIUM
Apache HttpClient | 3.1 | maven | BDSA-2012-0025 (CVE-2012-5783) | MEDIUM
Apache HttpClient | 3.1 | maven | BDSA-2014-0112 (CVE-2012-6153) | MEDIUM
- **Upgrade fastjson version from `1.2.28` to `1.2.73`** (directly referenced)

Component | Version | Origin | Vulnerability | Severity
-- | -- | -- | -- | --
fastjson | 1.2.28 | maven | BDSA-2019-3073 | MEDIUM
- **Upgrade canal.client version from `1.1.1` to `1.1.4`**

Component | Version | Origin | Vulnerability | Severity
-- | -- | -- | -- | --
Spring Framework | 3.2.18 | maven | BDSA-2018-0994 (CVE-2018-1270) | MEDIUM
Spring Framework | 3.2.18 | maven | BDSA-2018-1042 | MEDIUM
- **Upgrade solr version from `7.5.0` to `8.6.0`** (directly referenced)

Component | Version | Origin | Vulnerability | Severity
-- | -- | -- | -- | --
apache lucene-solr | 7.5.0 | maven | BDSA-2018-4775 (CVE-2017-3164) | MEDIUM
apache lucene-solr | 7.5.0 | maven | BDSA-2019-2386 (CVE-2019-0193) | MEDIUM
apache lucene-solr | 7.5.0 | maven | BDSA-2019-3379 (CVE-2019-17558) | MEDIUM
- Upgrade `dep.airlift` version from `0.170` to `0.199` (indirectly referenced)

Component | Version | Origin | Vulnerability | Severity
-- | -- | -- | -- | --
Apache Commons BeanUtils | 1.8.3 | maven | BDSA-2014-0001 (CVE-2014-0114) | MEDIUM
Apache Commons BeanUtils | 1.8.3 | maven | BDSA-2014-0129 (CVE-2019-10086) | MEDIUM
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
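The PR description separates "directly referenced" components from "indirectly referenced" ones, where the vulnerable artifact (Tomcat 5.5.23, HttpClient 3.1, Spring 3.2.18, Commons BeanUtils 1.8.3) only enters the build through a parent dependency such as hbase, canal.client or airlift. The check below is an added example, not part of PR #7801 or of the Pulsar code base: it parses `mvn dependency:tree` output and reports any artifact whose version appears in the scan table, marking each hit as direct (depth 1 in the tree) or transitive. The mapping from the scan table's vendor names to Maven groupIds, and the sample tree it runs on, are assumptions constructed for this example.

```python
"""Flag scan-listed component versions in `mvn dependency:tree` output.

Added example for the PR discussion above; not part of PR #7801 or of the
Pulsar code base. Reports each artifact whose version matches a flagged
(component, version) pair and whether it is a direct or transitive
dependency, the distinction the PR description draws.
"""

# Vulnerable versions as listed in the PR's scan table, keyed by Maven
# groupId or groupId:artifactId. The scan table names vendors, not Maven
# coordinates, so these mappings are assumptions of this example.
FLAGGED = {
    "io.netty": {"4.1.48.Final"},
    "org.eclipse.jetty": {"9.3.24.v20180605"},
    "tomcat": {"5.5.23"},                       # legacy Tomcat 5.5 groupId (assumed)
    "commons-httpclient": {"3.1"},
    "com.alibaba:fastjson": {"1.2.28"},
    "org.springframework": {"3.2.18.RELEASE"},  # scan table lists 3.2.18
    "org.apache.solr": {"7.5.0"},
    "commons-beanutils": {"1.8.3"},
}

# Constructed sample in the format `mvn dependency:tree` prints. The module
# name and exact artifacts are made up; the flagged versions are the table's.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ example-module ---
[INFO] org.example:example-module:jar:1.0.0
[INFO] +- io.netty:netty-all:jar:4.1.48.Final:compile
[INFO] +- org.eclipse.jetty:jetty-server:jar:9.4.31.v20200723:compile
[INFO] +- org.apache.hbase:hbase-client:jar:1.4.9:compile
[INFO] |  +- tomcat:jasper-compiler:jar:5.5.23:compile
[INFO] |  \\- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] \\- com.alibaba.otter:canal.client:jar:1.1.1:compile
[INFO]    \\- org.springframework:spring-core:jar:3.2.18.RELEASE:compile
"""

# Characters the tree drawing uses in front of a coordinate; each level is 3 wide.
TREE_PREFIX_CHARS = "+-\\| "


def parse_tree(lines):
    """Yield (depth, groupId, artifactId, version) for each coordinate line.

    Depth 0 is the module itself, depth 1 a direct dependency, deeper levels
    are transitive. Non-coordinate lines (plugin banner, BUILD SUCCESS,
    blanks) are skipped.
    """
    for line in lines:
        if not line.startswith("[INFO] "):
            continue
        body = line[len("[INFO] "):]
        i = 0
        while i < len(body) and body[i] in TREE_PREFIX_CHARS:
            i += 1
        coord = body[i:]
        parts = coord.split(":")
        # groupId:artifactId:type[:classifier]:version[:scope]
        if len(parts) < 4 or len(parts) > 6 or " " in coord:
            continue
        version = parts[3] if len(parts) == 4 else parts[-2]
        yield i // 3, parts[0], parts[1], version


def find_flagged(lines, flagged=FLAGGED):
    """Return flagged artifacts found in the tree, in tree order."""
    hits = []
    for depth, group, artifact, version in parse_tree(lines):
        bad = flagged.get(f"{group}:{artifact}") or flagged.get(group) or set()
        if version in bad:
            hits.append({"coord": f"{group}:{artifact}:{version}",
                         "direct": depth == 1})
    return hits


def scan_sample():
    """Run the check over the constructed sample tree."""
    return find_flagged(SAMPLE_TREE.splitlines())


if __name__ == "__main__":
    for hit in scan_sample():
        kind = "direct" if hit["direct"] else "transitive"
        print(f"{kind:10} {hit['coord']}")
```

On the sample, netty shows up as a direct hit while Tomcat, HttpClient and Spring show up as transitive ones under hbase-client and canal.client. That split matters for remediation: a direct hit is fixed by bumping the version the project declares, whereas a transitive hit needs the parent upgraded (as the PR does for hbase, canal.client and airlift) or an explicitly managed version, and the check is worth re-running after the upgrade to confirm the old artifact is really gone from the tree rather than still pulled in by another path.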
[GitHub] [pulsar] codelipenghui merged pull request #7801: Fix security vulnerabilities of Pulsar
Posted by GitBox <gi...@apache.org>.
codelipenghui merged pull request #7801:
URL: https://github.com/apache/pulsar/pull/7801
[GitHub] [pulsar] codelipenghui commented on pull request #7801: Fix security vulnerabilities of Pulsar
Posted by GitBox <gi...@apache.org>.
codelipenghui commented on pull request #7801:
URL: https://github.com/apache/pulsar/pull/7801#issuecomment-673165056
/pulsarbot run-failure-checks