diff --git a/0005-cve-2023-34455.patch b/0005-cve-2023-34455.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9863ed1c9cbe0b6881a1dd669781a7cef3c30885
--- /dev/null
+++ b/0005-cve-2023-34455.patch
@@ -0,0 +1,39 @@
+diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
+index 1ce81c7344..ad93b3abef 100644
+--- a/distribution/server/src/assemble/LICENSE.bin.txt
++++ b/distribution/server/src/assemble/LICENSE.bin.txt
+@@ -526,7 +526,7 @@ The Apache Software License, Version 2.0
+ - org.apache.zookeeper-zookeeper-jute-3.6.3.jar
+ - org.apache.zookeeper-zookeeper-prometheus-metrics-3.6.3.jar
+ * Snappy Java
+- - org.xerial.snappy-snappy-java-1.1.7.jar
++ - org.xerial.snappy-snappy-java-1.1.10.1.jar
+ * Google HTTP Client
+ - com.google.http-client-google-http-client-jackson2-1.41.0.jar
+ - com.google.http-client-google-http-client-gson-1.41.0.jar
+diff --git a/pom.xml b/pom.xml
+index 69adebd4df..6ac97ee8e6 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -107,7 +107,7 @@ flexible messaging model and an intuitive client API.
+ 4.14.7
+ 3.6.3
+ 1.5.0
+- 1.1.7
++ 1.1.10.1
+ 3.2.5
+ 5.1.0
+ 4.1.87.Final
+diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
+index 4087b9e83e..434d65f990 100644
+--- a/pulsar-sql/presto-distribution/LICENSE
++++ b/pulsar-sql/presto-distribution/LICENSE
+@@ -457,7 +457,7 @@ The Apache Software License, Version 2.0
+ * GSON
+ - gson-2.8.9.jar
+ * Snappy
+- - snappy-java-1.1.7.jar
++ - snappy-java-1.1.10.1.jar
+ * Jackson
+ - jackson-module-parameter-names-2.13.4.jar
+ * Java Assist
diff --git a/pulsar.spec b/pulsar.spec
index 5c77a6af518c019f5f8e789285a1adc9941a2d67..3dd940acffb3b32e1208e149ccabef64fa7c941e 100644
--- a/pulsar.spec
+++ b/pulsar.spec
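Review bot: Nothing in this patch confirms that the old jar actually leaves the build: the pom.xml hunk edits a single version value from `1.1.7` to `1.1.10.1`, so the fix holds only if every module and transitive dependency resolves snappy-java through that property (the element name is not visible in the hunk, so this is an assumption to confirm). The two LICENSE edits are hand-maintained lists and do not prove what gets bundled. Before relying on the patch, run `mvn dependency:tree -Dincludes=org.xerial.snappy` on the patched tree and check that no `snappy-java-1.1.7.jar` remains in the assembled distribution. It is also worth checking the snappy-java release notes for decompression fixes published after 1.1.10.1, since the patch pins an exact version.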
@@ -1,6 +1,6 @@
 %define debug_package %{nil}
 %define pulsar_ver 2.10.4
-%define pkg_ver 4
+%define pkg_ver 5
 %define _prefix /opt/pulsar
 Summary: Cloud-Native, Distributed Messaging and Streaming
 Name: pulsar
@@ -14,6 +14,7 @@ Patch0001: 0001-use-huawei-repository.patch
 Patch0002: 0002-resolve-cve-2023-32697.patch
 Patch0003: 0003-CVE-2023-2976.patch
 Patch0004: 0004-netty-to-4.1.89.patch
+Patch0005: 0005-cve-2023-34455.patch
 BuildRoot: /root/rpmbuild/BUILDROOT/
 BuildRequires: java-1.8.0-openjdk-devel,maven,systemd
 Requires: java-1.8.0-openjdk,systemd
@@ -30,6 +31,7 @@ Pulsar is a distributed pub-sub messaging platform with a very flexible messagin
 %patch0002 -p1
 %patch0003 -p1
 %patch0004 -p1
+%patch0005 -p1
 %build
 mvn clean install -Pcore-modules,-main -DskipTests
@@ -55,6 +57,8 @@ getent passwd pulsar >/dev/null || useradd -r -g pulsar -d / -s /sbin/nologin pu
 exit 0
 %changelog
+* Fri Dec 1 2023 Dapeng Sun - 2.10.4-5
+- resolve CVE-2023-34455
 * Fri Dec 1 2023 Dapeng Sun - 2.10.4-4
 - upgrade netty to 4.1.89
 * Mon Nov 27 2023 Dapeng Sun - 2.10.4-3
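Review bot: No step after `%patch0005 -p1` verifies that the upgraded snappy-java is what the package ships, because the `%build` line that follows runs Maven with `-DskipTests` and the hunks shown add no check. A short `%check` section that fails when a `snappy-java-1.1.7.jar` is still present under the build output would catch a stale or transitively pinned jar. The changelog entry could also name the component as the previous entry does, e.g. `- upgrade snappy-java to 1.1.10.1 to resolve CVE-2023-34455`. The `%prep` and `%build` sections begin or continue outside these hunks, so an existing check may already be present elsewhere in the spec.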