(bookkeeper) 10/25: Upgrade protobuf to 3.25.5 to address CVE-2024-7254 (#4508)

Wed, 16 Apr 2025 07:52:07 -0700 

This is an automated email from the ASF dual-hosted git repository.

lhotari pushed a commit to branch branch-4.17
in repository https://gitbox.apache.org/repos/asf/bookkeeper.git

commit ee60d6aaba187adcf7248f101e86a1115a438e12
Author: Lari Hotari <lhot...@users.noreply.github.com>
AuthorDate: Wed Sep 25 04:32:45 2024 +0300

    Upgrade protobuf to 3.25.5 to address CVE-2024-7254 (#4508)
    
    ### Motivation
    
    CVE-2024-7254
    
    ### Changes
    
    Upgrade protobuf to 3.25.5
    
    (cherry picked from commit 0229b5d7cfd93850f05a16f20172f0d39492672f)
---
 bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt    | 8 ++++----
 bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt  | 8 ++++----
 bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt | 8 ++++----
 pom.xml                                                   | 2 +-
 4 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt 
b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
index 526430b3b8..a5f2333a6f 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
@@ -674,13 +674,13 @@ This product bundles Google Protocol Buffers, which is 
available under a "3-clau
 license.
 
 Bundled as
-  - lib/com.google.protobuf-protobuf-java-3.25.1.jar
-Source available at https://github.com/google/protobuf/tree/v3.25.1
+  - lib/com.google.protobuf-protobuf-java-3.25.5.jar
+Source available at https://github.com/google/protobuf/tree/v3.25.5
 For details, see deps/protobuf-3.14.0/LICENSE.
 
 Bundled as
-  - lib/com.google.protobuf-protobuf-java-util-3.25.1.jar
-Source available at https://github.com/protocolbuffers/protobuf/tree/v3.25.1
+  - lib/com.google.protobuf-protobuf-java-util-3.25.5.jar
+Source available at https://github.com/protocolbuffers/protobuf/tree/v3.25.5
 For details, see deps/protobuf-3.12.0/LICENSE.
 
------------------------------------------------------------------------------------
 This product bundles the JCP Standard Java Servlet API, which is available 
under a
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt 
b/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
index 52ff8bd32f..325069339a 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
@@ -567,13 +567,13 @@ This product bundles Google Protocol Buffers, which is 
available under a "3-clau
 license.
 
 Bundled as
-  - lib/com.google.protobuf-protobuf-java-3.25.1.jar
-Source available at https://github.com/google/protobuf/tree/v3.25.1
+  - lib/com.google.protobuf-protobuf-java-3.25.5.jar
+Source available at https://github.com/google/protobuf/tree/v3.25.5
 For details, see deps/protobuf-3.14.0/LICENSE.
 
 Bundled as
-  - lib/com.google.protobuf-protobuf-java-util-3.25.1.jar
-Source available at https://github.com/protocolbuffers/protobuf/tree/v3.25.1
+  - lib/com.google.protobuf-protobuf-java-util-3.25.5.jar
+Source available at https://github.com/protocolbuffers/protobuf/tree/v3.25.5
 For details, see deps/protobuf-3.12.0/LICENSE.
 
------------------------------------------------------------------------------------
 This product bundles Simple Logging Facade for Java, which is available under a
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt 
b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
index 65521b155f..2086ac7d32 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
@@ -663,13 +663,13 @@ This product bundles Google Protocol Buffers, which is 
available under a "3-clau
 license.
 
 Bundled as
-  - lib/com.google.protobuf-protobuf-java-3.25.1.jar
-Source available at https://github.com/google/protobuf/tree/v3.25.1
+  - lib/com.google.protobuf-protobuf-java-3.25.5.jar
+Source available at https://github.com/google/protobuf/tree/v3.25.5
 For details, see deps/protobuf-3.14.0/LICENSE.
 
 Bundled as
-  - lib/com.google.protobuf-protobuf-java-util-3.25.1.jar
-Source available at https://github.com/protocolbuffers/protobuf/tree/v3.25.1
+  - lib/com.google.protobuf-protobuf-java-util-3.25.5.jar
+Source available at https://github.com/protocolbuffers/protobuf/tree/v3.25.5
 For details, see deps/protobuf-3.12.0/LICENSE.
 
------------------------------------------------------------------------------------
 This product bundles the JCP Standard Java Servlet API, which is available 
under a
diff --git a/pom.xml b/pom.xml
index 4c418cb18b..876b05e437 100644
--- a/pom.xml
+++ b/pom.xml
@@ -162,7 +162,7 @@
     <datasketches.version>0.8.3</datasketches.version>
     <httpclient.version>4.5.13</httpclient.version>
     <httpcore.version>4.4.15</httpcore.version>
-    <protobuf.version>3.25.1</protobuf.version>
+    <protobuf.version>3.25.5</protobuf.version>
     <protoc3.version>${protobuf.version}</protoc3.version>
     
<protoc-gen-grpc-java.version>${grpc.version}</protoc-gen-grpc-java.version>
     <reflections.version>0.9.11</reflections.version>

Reply via email to