From f312c12c99a5c3a270e4c75a4e48ae5725e4b3e2 Mon Sep 17 00:00:00 2001
From: sundapeng <sundapeng_yewu@cmss.chinamobile.com>
Date: Mon, 4 Dec 2023 11:42:12 +0000
Subject: [PATCH] resolve CVE-2023-26048

---
 0008-CVE-2023-26048.patch | 105 ++++++++++++++++++++++++++++++++++++++
 pulsar.spec               |   7 ++-
 2 files changed, 111 insertions(+), 1 deletion(-)
 create mode 100644 0008-CVE-2023-26048.patch

diff --git a/0008-CVE-2023-26048.patch b/0008-CVE-2023-26048.patch
new file mode 100644
index 0000000..f884178
--- /dev/null
+++ b/0008-CVE-2023-26048.patch
@@ -0,0 +1,105 @@
+diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
+index 996cb16751..87c54acbe3 100644
+--- a/distribution/server/src/assemble/LICENSE.bin.txt
++++ b/distribution/server/src/assemble/LICENSE.bin.txt
+@@ -433,25 +433,25 @@ The Apache Software License, Version 2.0
+     - org.asynchttpclient-async-http-client-2.12.1.jar
+     - org.asynchttpclient-async-http-client-netty-utils-2.12.1.jar
+  * Jetty
+-    - org.eclipse.jetty-jetty-client-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-continuation-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-http-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-io-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-proxy-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-security-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-server-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-servlet-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-servlets-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-util-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-util-ajax-9.4.48.v20220622.jar
+-    - org.eclipse.jetty.websocket-javax-websocket-client-impl-9.4.48.v20220622.jar
+-    - org.eclipse.jetty.websocket-websocket-api-9.4.48.v20220622.jar
+-    - org.eclipse.jetty.websocket-websocket-client-9.4.48.v20220622.jar
+-    - org.eclipse.jetty.websocket-websocket-common-9.4.48.v20220622.jar
+-    - org.eclipse.jetty.websocket-websocket-server-9.4.48.v20220622.jar
+-    - org.eclipse.jetty.websocket-websocket-servlet-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-alpn-conscrypt-server-9.4.48.v20220622.jar
+-    - org.eclipse.jetty-jetty-alpn-server-9.4.48.v20220622.jar
++    - org.eclipse.jetty-jetty-client-9.4.51.v20230217.jar
++    - org.eclipse.jetty-jetty-continuation-9.4.51.v20230217.jar
++    - org.eclipse.jetty-jetty-http-9.4.51.v20230217.jar
++    - org.eclipse.jetty-jetty-io-9.4.51.v20230217.jar
++    - org.eclipse.jetty-jetty-proxy-9.4.51.v20230217.jar
++    - org.eclipse.jetty-jetty-security-9.4.51.v20230217.jar
++    - org.eclipse.jetty-jetty-server-9.4.51.v20230217.jar
++    - org.eclipse.jetty-jetty-servlet-9.4.51.v20230217.jar
++    - org.eclipse.jetty-jetty-servlets-9.4.51.v20230217.jar
++    - org.eclipse.jetty-jetty-util-9.4.51.v20230217.jar
++    - org.eclipse.jetty-jetty-util-ajax-9.4.51.v20230217.jar
++    - org.eclipse.jetty.websocket-javax-websocket-client-impl-9.4.51.v20230217.jar
++    - org.eclipse.jetty.websocket-websocket-api-9.4.51.v20230217.jar
++    - org.eclipse.jetty.websocket-websocket-client-9.4.51.v20230217.jar
++    - org.eclipse.jetty.websocket-websocket-common-9.4.51.v20230217.jar
++    - org.eclipse.jetty.websocket-websocket-server-9.4.51.v20230217.jar
++    - org.eclipse.jetty.websocket-websocket-servlet-9.4.51.v20230217.jar
++    - org.eclipse.jetty-jetty-alpn-conscrypt-server-9.4.51.v20230217.jar
++    - org.eclipse.jetty-jetty-alpn-server-9.4.51.v20230217.jar
+  * SnakeYaml -- org.yaml-snakeyaml-1.32.jar
+  * RocksDB - org.rocksdb-rocksdbjni-6.10.2.jar
+  * Google Error Prone Annotations - com.google.errorprone-error_prone_annotations-2.5.1.jar
+diff --git a/pom.xml b/pom.xml
+index 81cf8b6b7c..52c1e587ad 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -112,7 +112,7 @@ flexible messaging model and an intuitive client API.</description>
+     <curator.version>5.1.0</curator.version>
+     <netty.version>4.1.93.Final</netty.version>
+     <netty-iouring.version>0.0.21.Final</netty-iouring.version>
+-    <jetty.version>9.4.48.v20220622</jetty.version>
++    <jetty.version>9.4.51.v20230217</jetty.version>
+     <conscrypt.version>2.5.2</conscrypt.version>
+     <jersey.version>2.34</jersey.version>
+     <athenz.version>1.10.50</athenz.version>
+diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
+index 8716eec69c..636fb61db9 100644
+--- a/pulsar-sql/presto-distribution/LICENSE
++++ b/pulsar-sql/presto-distribution/LICENSE
+@@ -274,22 +274,22 @@ The Apache Software License, Version 2.0
+     - joda-time-2.10.5.jar
+     - failsafe-2.4.4.jar
+   * Jetty
+-    - http2-client-9.4.48.v20220622.jar
+-    - http2-common-9.4.48.v20220622.jar
+-    - http2-hpack-9.4.48.v20220622.jar
+-    - http2-http-client-transport-9.4.48.v20220622.jar
+-    - jetty-alpn-client-9.4.48.v20220622.jar
+-    - http2-server-9.4.48.v20220622.jar
+-    - jetty-alpn-java-client-9.4.48.v20220622.jar
+-    - jetty-client-9.4.48.v20220622.jar
+-    - jetty-http-9.4.48.v20220622.jar
+-    - jetty-io-9.4.48.v20220622.jar
+-    - jetty-jmx-9.4.48.v20220622.jar
+-    - jetty-security-9.4.48.v20220622.jar
+-    - jetty-server-9.4.48.v20220622.jar
+-    - jetty-servlet-9.4.48.v20220622.jar
+-    - jetty-util-9.4.48.v20220622.jar
+-    - jetty-util-ajax-9.4.48.v20220622.jar
++    - http2-client-9.4.51.v20230217.jar
++    - http2-common-9.4.51.v20230217.jar
++    - http2-hpack-9.4.51.v20230217.jar
++    - http2-http-client-transport-9.4.51.v20230217.jar
++    - jetty-alpn-client-9.4.51.v20230217.jar
++    - http2-server-9.4.51.v20230217.jar
++    - jetty-alpn-java-client-9.4.51.v20230217.jar
++    - jetty-client-9.4.51.v20230217.jar
++    - jetty-http-9.4.51.v20230217.jar
++    - jetty-io-9.4.51.v20230217.jar
++    - jetty-jmx-9.4.51.v20230217.jar
++    - jetty-security-9.4.51.v20230217.jar
++    - jetty-server-9.4.51.v20230217.jar
++    - jetty-servlet-9.4.51.v20230217.jar
++    - jetty-util-9.4.51.v20230217.jar
++    - jetty-util-ajax-9.4.51.v20230217.jar
+   * Apache BVal
+     - bval-jsr-2.0.0.jar
+   * Bytecode
diff --git a/pulsar.spec b/pulsar.spec
index 4420116..3b1f8d1 100644
--- a/pulsar.spec
+++ b/pulsar.spec
@@ -1,6 +1,6 @@
 %define debug_package %{nil}
 %define pulsar_ver 2.10.4
-%define pkg_ver 7
+%define pkg_ver 8
 %define _prefix /opt/pulsar
 Summary: Cloud-Native, Distributed Messaging and Streaming
 Name: pulsar
@@ -17,6 +17,7 @@ Patch0004: 0004-netty-to-4.1.89.patch
 Patch0005: 0005-cve-2023-34455.patch
 Patch0006: 0006-fix-memory-leak.patch
 Patch0007: 0007-CVE-2022-1471.patch
+Patch0008: 0008-CVE-2023-26048.patch
 BuildRoot: /root/rpmbuild/BUILDROOT/
 BuildRequires: java-1.8.0-openjdk-devel,maven,systemd
 Requires: java-1.8.0-openjdk,systemd
@@ -35,6 +36,8 @@ Pulsar is a distributed pub-sub messaging platform with a very flexible messagin
 %patch0004 -p1
 %patch0005 -p1
 %patch0006 -p1
+%patch0007 -p1
+%patch0008 -p1
 
 %build
 mvn clean install -Pcore-modules,-main -DskipTests
@@ -60,6 +63,8 @@ getent passwd pulsar >/dev/null || useradd -r -g pulsar -d / -s /sbin/nologin pu
 exit 0
 
 %changelog
+* Mon Dec 4 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-8
+- resolve cve-2023-26048
 * Mon Dec 4 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-7
 - resolve cve-2022-1471
 * Fri Dec 1 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-6
-- 
Gitee