This is an automated email from the ASF dual-hosted git repository. jackietien pushed a commit to branch rc/1.3.6 in repository https://gitbox.apache.org/repos/asf/iotdb.git
commit 19885eafa2b63361e4196786f109092725d855fa Author: Haonan <[email protected]> AuthorDate: Sun Dec 14 09:19:38 2025 +0800 [To dev/1.3] Cherry-pick some CVE fixes (#16901) * Bump logback version to 1.3.16 (#16671) * Switch to at.yawk.lz4:lz4-java:1.10.0 (#16871) * Upgrade netty and reactor (#16362) * fix netty version * Fix some dependency issues * Fix build error * Bump at.yawk.lz4:lz4-java from 1.10.0 to 1.10.1 (#16874) Bumps [at.yawk.lz4:lz4-java](https://github.com/yawkat/lz4-java) from 1.10.0 to 1.10.1. - [Release notes](https://github.com/yawkat/lz4-java/releases) - [Changelog](https://github.com/yawkat/lz4-java/blob/main/CHANGES.md) - [Commits](https://github.com/yawkat/lz4-java/compare/v1.10.0...v1.10.1) --- updated-dependencies: - dependency-name: at.yawk.lz4:lz4-java dependency-version: 1.10.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix error * fix error * fix compile error --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- LICENSE-binary | 63 +++++++++++----------- NOTICE | 2 +- NOTICE-binary | 2 +- iotdb-core/datanode/pom.xml | 4 -- .../protocol/thrift/impl/ClientRPCServiceImpl.java | 3 +- .../iotdb/db/utils/datastructure/TVList.java | 2 +- .../db/auth/role/LocalFileRoleManagerTest.java | 15 +++--- iotdb-core/metrics/interface/pom.xml | 1 - .../commons/auth/authorizer/OpenIdAuthorizer.java | 10 ++-- pom.xml | 28 ++++++---- 10 files changed, 65 insertions(+), 65 deletions(-) diff --git a/LICENSE-binary b/LICENSE-binary index c088b00d7f3..a7df19a1bf4 100644 --- a/LICENSE-binary +++ b/LICENSE-binary 
@@ -213,33 +213,33 @@ conditions of the following licenses. The binary distribution of this product bundles these dependencies under the following license. See licenses/ for text of these licenses. -Apache Software Foundation License 2.0 +Apache License 2.0 -------------------------------------- commons-cli:commons-cli:1.5.0 commons-codec:commons-codec:1.16.1 org.apache.commons:commons-collections4:4.4 commons-io:commons-io:2.14.0 -org.apache.commons:commons-lang3:3.13.0 +org.apache.commons:commons-lang3:3.18.0 com.nimbusds:content-type:2.2 -com.google.code.gson:gson:2.10.1 +com.google.code.gson:gson:2.13.1 com.google.guava.guava:32.1.2-jre -com.fasterxml.jackson.core:jackson-annotations:2.15.4 -com.fasterxml.jackson.core:jackson-core:2.15.4 -com.fasterxml.jackson.core:jackson-databind:2.15.4 +com.fasterxml.jackson.core:jackson-annotations:2.16.2 +com.fasterxml.jackson.core:jackson-core:2.16.2 +com.fasterxml.jackson.core:jackson-databind:2.16.2 jakarta.inject:jakarta.inject:2.6.1 -org.lz4:lz4-java:1.8.0 +at.yawk.lz4:lz4-java:1.10.0 com.github.stephenc.jcip:jcip-annotations:1.0-1 com.github.ben-manes.caffeine:caffeine:2.9.3 -org.eclipse.jetty:jetty-http:9.4.56.v20240826 -org.eclipse.jetty:jetty-io:9.4.56.v20240826 -org.eclipse.jetty:jetty-security:9.4.56.v20240826 -org.eclipse.jetty:jetty-server:9.4.56.v20240826 -org.eclipse.jetty:jetty-servlet:9.4.56.v20240826 -org.eclipse.jetty:jetty-util:9.4.56.v20240826 -io.jsonwebtoken:jjwt-api:0.11.5 -io.jsonwebtoken:jjwt-impl:0.11.5 -io.jsonwebtoken:jjwt-jackson:0.11.5 -net.minidev:json-smart:2.5.0 +org.eclipse.jetty:jetty-http:9.4.57.v20241219 +org.eclipse.jetty:jetty-io:9.4.57.v20241219 +org.eclipse.jetty:jetty-security:9.4.57.v20241219 +org.eclipse.jetty:jetty-server:9.4.57.v20241219 +org.eclipse.jetty:jetty-servlet:9.4.57.v20241219 +org.eclipse.jetty:jetty-util:9.4.57.v20241219 +io.jsonwebtoken:jjwt-api:0.12.7 +io.jsonwebtoken:jjwt-impl:0.12.7 +io.jsonwebtoken:jjwt-jackson:0.12.7 +net.minidev:json-smart:2.5.2 
com.google.code.findbugs:jsr305:3.0.2 com.nimbusds:lang-tag:1.7 com.librato.metrics:librato-java:2.1.0 @@ -247,18 +247,19 @@ org.apache.thrift:libthrift:0.14.1 io.dropwizard.metrics:metrics-core:4.2.19 io.dropwizard.metrics:metrics-jvm:3.2.2 com.librato.metrics:metrics-librato:5.1.0 -de.fraunhofer.iosb.io.moquette:moquette-broker:0.17 -io.netty:netty-buffer:4.1.110.Final -io.netty:netty-codec:4.1.110.Final -io.netty:netty-codec-http:4.1.110.Final -io.netty:netty-codec-mqtt:4.1.110.Final -io.netty:netty-common:4.1.110.Final -io.netty:netty-handler:4.1.110.Final -io.netty:netty-resolver:4.1.110.Final -io.netty:netty-transport:4.1.110.Final -io.netty:netty-transport-native-epoll:4.1.110.Final:linux-x86_64 -io.netty:netty-transport-native-unix-common:4.1.110.Final -com.nimbusds:nimbus-jose-jwt:9.37.3 +com.github.moquette-io.moquette:moquette-broker:0.18 +io.netty:netty-buffer:4.1.126.Final +io.netty:netty-codec:4.1.126.Final +io.netty:netty-codec-http:4.1.126.Final +io.netty:netty-codec-mqtt:4.1.126.Final +io.netty:netty-common:4.1.126.Final +io.netty:netty-handler:4.1.126.Final +io.netty:netty-resolver:4.1.126.Final +io.netty:netty-transport:4.1.126.Final +io.netty:netty-transport-native-epoll:4.1.126.Final:linux-aarch_64 +io.netty:netty-transport-native-epoll:4.1.126.Final:linux-x86_64 +io.netty:netty-transport-native-unix-common:4.1.126.Final +com.nimbusds:nimbus-jose-jwt:9.37.4 com.nimbusds:oauth2-oidc-sdk:10.15 org.osgi:org.osgi.core:7.0.0 org.osgi:osgi.cmpn:7.0.0 @@ -289,8 +290,8 @@ com.bugsnag:bugsnag:3.7.2 EPL 1.0 ------------ com.h2database:h2-mvstore:2.1.212 -ch.qos.logback:logback-classic:1.3.14 -ch.qos.logback:logback-core:1.3.14 +ch.qos.logback:logback-classic:1.3.15 +ch.qos.logback:logback-core:1.3.15 CDDL 1.1 diff --git a/NOTICE b/NOTICE index 1e81e8bc0db..fa52a36987f 100644 --- a/NOTICE +++ b/NOTICE 
@@ -1,5 +1,5 @@
 Apache IoTDB
-Copyright 2018-2024 The Apache Software Foundation.
+Copyright 2018-2025 The Apache Software Foundation.
 This product includes software developed at
 The Apache Software Foundation (http://www.apache.org/).
diff --git a/NOTICE-binary b/NOTICE-binary
index 1e81e8bc0db..fa52a36987f 100644
--- a/NOTICE-binary
+++ b/NOTICE-binary
@@ -1,5 +1,5 @@
 Apache IoTDB
-Copyright 2018-2024 The Apache Software Foundation.
+Copyright 2018-2025 The Apache Software Foundation.
 This product includes software developed at
 The Apache Software Foundation (http://www.apache.org/).
diff --git a/iotdb-core/datanode/pom.xml b/iotdb-core/datanode/pom.xml
index b97a532249a..21e1114917e 100644
--- a/iotdb-core/datanode/pom.xml
+++ b/iotdb-core/datanode/pom.xml
@@ -173,10 +173,6 @@
 <groupId>net.java.dev.jna</groupId>
 <artifactId>jna-platform</artifactId>
 </dependency>
- <dependency>
- <groupId>io.jsonwebtoken</groupId>
- <artifactId>jjwt-api</artifactId>
- </dependency>
 <dependency>
 <groupId>org.eclipse.milo</groupId>
 <artifactId>stack-core</artifactId>
diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/thrift/impl/ClientRPCServiceImpl.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/thrift/impl/ClientRPCServiceImpl.java
index 3e1d68ac3f3..e68f3882466 100644
--- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/thrift/impl/ClientRPCServiceImpl.java
+++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/thrift/impl/ClientRPCServiceImpl.java
@@ -171,7 +171,6 @@ import org.apache.iotdb.service.rpc.thrift.TSyncIdentityInfo;
 import org.apache.iotdb.service.rpc.thrift.TSyncTransportMetaInfo;
 import io.airlift.units.Duration;
-import io.jsonwebtoken.lang.Strings;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.thrift.TException;
 import org.apache.tsfile.block.column.Column;
@@ -1139,7 +1138,7 @@ public class ClientRPCServiceImpl implements IClientRPCServiceWithHandler {
 String database = req.getDatabase();
 if (StringUtils.isEmpty(database)) {
- String[] splits = Strings.split(req.getDevice(), "\\.");
+ String[] splits = req.getDevice().split("\\.");
 database = String.format("%s.%s", splits[0], splits[1]);
 }
 String deviceId = req.getDevice();
diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/utils/datastructure/TVList.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/utils/datastructure/TVList.java
index 8fa7925bc3c..fedc3830ad8 100644
--- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/utils/datastructure/TVList.java
+++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/utils/datastructure/TVList.java
@@ -964,7 +964,7 @@ public abstract class TVList implements WALEntryValue {
 TSDataType dataType = getDataType();
 int maxRowCountOfCurrentBatch =
 Math.min(
- paginationController.hasLimit()
+ paginationController.hasSetLimit()
 ? (int) paginationController.getCurLimit()
 : Integer.MAX_VALUE,
 Math.min(maxNumberOfPointsInPage, rows - index));
diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/role/LocalFileRoleManagerTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/role/LocalFileRoleManagerTest.java
index b838ae25a96..29b7e41a004 100644
--- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/role/LocalFileRoleManagerTest.java
+++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/role/LocalFileRoleManagerTest.java
@@ -30,7 +30,6 @@ import org.apache.iotdb.commons.utils.AuthUtils;
 import org.apache.iotdb.db.utils.EnvironmentUtils;
 import org.apache.iotdb.db.utils.constant.TestConstant;
-import io.jsonwebtoken.lang.Assert;
 import org.apache.commons.io.FileUtils;
 import org.junit.After;
 import org.junit.Before;
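Review bot: `req.getDevice().split("\\.")` is indexed at `splits[1]` on the next line with no length check, so a device string without a dot — or a null device when the database field is empty — leaves the handler as an ArrayIndexOutOfBoundsException or NullPointerException rather than a request error. `req` arrives from the Thrift client, so treat it as untrusted and guard before the `String.format`: `if (splits.length < 2) { /* reject with the handler's usual invalid-request status */ }`. If the removed jjwt `Strings.split` behaved like Spring's helper it returned null for an unmatched delimiter, so the old code would have thrown here too; the point is to make the failure explicit, not to re-suggest the replacement. The enclosing method starts and ends outside the hunk.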
@@ -171,8 +170,8 @@ public class LocalFileRoleManagerTest {
 }
 }
 }
- Assert.isTrue(manager.getRole("test").getPathPrivilegeList().size() == 4);
- Assert.isTrue(!manager.getRole("test").getServiceReady());
+ assertEquals(4, manager.getRole("test").getPathPrivilegeList().size());
+ assertFalse(manager.getRole("test").getServiceReady());
 manager.checkAndRefreshPathPri();
 // after refresh. we will have three path:
@@ -217,17 +216,17 @@ public class LocalFileRoleManagerTest {
 PartialPath path2 = new PartialPath("root.d.a");
 for (PrivilegeType pri : item.getSubPri()) {
 if (pri.isPathRelevant()) {
- Assert.isTrue(manager.getRole("test").checkPathPrivilege(path1, pri.ordinal()));
- Assert.isTrue(manager.getRole("test").checkPathPrivilege(path2, pri.ordinal()));
+ assertTrue(manager.getRole("test").checkPathPrivilege(path1, pri.ordinal()));
+ assertTrue(manager.getRole("test").checkPathPrivilege(path2, pri.ordinal()));
 manager.getRole("test").removePathPrivilege(path1, pri.ordinal());
 manager.getRole("test").removePathPrivilege(path2, pri.ordinal());
 } else {
- Assert.isTrue(manager.getRole("test").checkSysPrivilege(pri.ordinal()));
+ assertTrue(manager.getRole("test").checkSysPrivilege(pri.ordinal()));
 manager.getRole("test").removeSysPrivilege(pri.ordinal());
 }
 }
- Assert.isTrue(manager.getRole("test").getPathPrivilegeList().isEmpty());
- Assert.isTrue(manager.getRole("test").getSysPrivilege().isEmpty());
+ assertTrue(manager.getRole("test").getPathPrivilegeList().isEmpty());
+ assertTrue(manager.getRole("test").getSysPrivilege().isEmpty());
 }
 }
 }
diff --git a/iotdb-core/metrics/interface/pom.xml b/iotdb-core/metrics/interface/pom.xml
index 3512c582e6e..8dd39de5408 100644
--- a/iotdb-core/metrics/interface/pom.xml
+++ b/iotdb-core/metrics/interface/pom.xml
@@ -82,7 +82,6 @@
 <dependency>
 <groupId>io.netty</groupId>
 <artifactId>netty-codec-http</artifactId>
- <version>4.1.119.Final</version>
 </dependency>
 <dependency>
 <groupId>org.reactivestreams</groupId>
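Review bot: `assertEquals`, `assertFalse` and `assertTrue` are used unqualified here and in the @@ -217 hunk, but the import hunk earlier in this file only removes `io.jsonwebtoken.lang.Assert` and adds nothing, so unless `import static org.junit.Assert.*;` (or the individual methods) already exists above the hunk the test will not compile. The switch itself is an improvement worth keeping: jjwt's `Assert.isTrue` failed with an IllegalArgumentException, whereas the JUnit forms raise an AssertionError with a useful message on mismatch. The enclosing test methods start outside the hunks.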
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
index 7bc7e7a4f8c..87c0e449dab 100644
--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
+++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
@@ -194,11 +194,11 @@ public class OpenIdAuthorizer extends BasicAuthorizer {
 private Claims validateToken(String token) {
 return Jwts.parser()
 // Basically ignore the Expiration Date, if there is any???
- .setAllowedClockSkewSeconds(Long.MAX_VALUE / 1000)
- // .setSigningKey(DatatypeConverter.parseBase64Binary(secret))
- .setSigningKey(providerKey)
- .parseClaimsJws(token)
- .getBody();
+ .clockSkewSeconds(Long.MAX_VALUE / 1000)
+ .verifyWith(providerKey)
+ .build()
+ .parseSignedClaims(token)
+ .getPayload();
 }
 private String getUsername(Claims claims) {
diff --git a/pom.xml b/pom.xml
index e4dd455063c..f6485d1cae7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -60,6 +60,7 @@
 <argLine/>
 <awaitility.version>4.2.0</awaitility.version>
 <boost.include.dir/>
+ <bouncycastle.version>1.81</bouncycastle.version>
 <!-- This was the last version to support Java 8 -->
 <caffeine.version>2.9.3</caffeine.version>
 <cglib.version>3.3.0</cglib.version>
@@ -86,7 +87,7 @@
 <fusesource-mqtt-client.version>1.16</fusesource-mqtt-client.version>
 <!-- JDK1.8 only support google java format 1.7-->
 <google.java.format.version>1.22.0</google.java.format.version>
- <gson.version>2.10.1</gson.version>
+ <gson.version>2.13.1</gson.version>
 <guava.version>32.1.2-jre</guava.version>
 <!-- This was the last version to support Java 8 -->
 <h2.version>2.2.224</h2.version>
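Review bot: `.clockSkewSeconds(Long.MAX_VALUE / 1000)` carries the old parser's effective disabling of `exp` (and `nbf`) validation over to jjwt 0.12, so an ID token the provider issued at any point in the past keeps authenticating for as long as `providerKey` is unchanged; for an authorizer that is the primary freshness control, and it should be a bounded, configurable value rather than the maximum the builder accepts, e.g. `.clockSkewSeconds(allowedClockSkewSeconds)` with a default of a few minutes (name constructed). The retained comment `// Basically ignore the Expiration Date, if there is any???` should then state the decision instead, e.g. `// Tolerate small clock drift against the OIDC provider; expired tokens are rejected.` Separately, a skew this close to `Long.MAX_VALUE` is multiplied back to milliseconds and added to the current time for the `nbf` check, which looks prone to signed overflow if tokens carry `nbf` — worth a unit test against 0.12.7 before relying on it. `verifyWith(providerKey)` requires a `PublicKey` or `SecretKey` matching the token's algorithm; `providerKey` is declared outside the hunk, so confirm its type.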
@@ -110,15 +111,15 @@
 <jersey.version>2.40</jersey.version>
 <!-- This was the last version to support Java 8 -->
 <jetty.version>9.4.57.v20241219</jetty.version>
- <jjwt.version>0.11.5</jjwt.version>
+ <jjwt.version>0.12.7</jjwt.version>
 <jline.version>3.26.2</jline.version>
 <jna.version>5.14.0</jna.version>
 <json-smart.version>2.5.2</json-smart.version>
 <jtransforms.version>3.1</jtransforms.version>
 <junit.version>4.13.2</junit.version>
 <!-- This was the last version to support Java 8 -->
- <logback.version>1.3.15</logback.version>
- <lz4-java.version>1.8.0</lz4-java.version>
+ <logback.version>1.3.16</logback.version>
+ <lz4-java.version>1.10.1</lz4-java.version>
 <maven.assembly.version>3.6.0</maven.assembly.version>
 <maven.compiler.source>1.8</maven.compiler.source>
 <maven.compiler.target>1.8</maven.compiler.target>
@@ -129,8 +130,8 @@
 <!-- This was the last version to support Java 8 -->
 <!--mockito.version>4.11.0</mockito.version-->
 <moquette.version>0.18.0</moquette.version>
- <netty.version>4.1.115.Final</netty.version>
- <nimbus-jose-jwt.version>9.37.3</nimbus-jose-jwt.version>
+ <netty.version>4.1.126.Final</netty.version>
+ <nimbus-jose-jwt.version>9.37.4</nimbus-jose-jwt.version>
 <oauth2-oidc-sdk.version>10.15</oauth2-oidc-sdk.version>
 <!-- This was the last version to support Java 8 -->
 <openapi.generator.version>6.6.0</openapi.generator.version>
@@ -146,8 +147,8 @@
 -->
 <ratis.version>3.2.1</ratis.version>
 <reactive-streams.version>1.0.4</reactive-streams.version>
- <reactor-netty.version>1.1.20</reactor-netty.version>
- <reactor.version>3.5.18</reactor.version>
+ <reactor-netty.version>1.2.9</reactor-netty.version>
+ <reactor.version>3.7.9</reactor.version>
 <reflections.version>0.10.2</reflections.version>
 <slf4j.version>2.0.9</slf4j.version>
 <snappy-java.version>1.1.10.5</snappy-java.version>
@@ -175,7 +176,7 @@
 <thrift.version>0.14.1</thrift.version>
 <xz.version>1.9</xz.version>
 <zstd-jni.version>1.5.6-3</zstd-jni.version>
- <tsfile.version>1.1.3-251028-SNAPSHOT</tsfile.version>
+ <tsfile.version>1.1.3-251212-SNAPSHOT</tsfile.version>
 </properties>
 <!-- if we claim dependencies in dependencyManagement, then we do not claim
@@ -311,13 +312,18 @@
 <dependency>
 <groupId>org.bouncycastle</groupId>
 <artifactId>bcprov-jdk18on</artifactId>
- <version>1.78</version>
+ <version>${bouncycastle.version}</version>
 </dependency>
 <dependency>
 <groupId>commons-io</groupId>
 <artifactId>commons-io</artifactId>
 <version>${commons-io.version}</version>
 </dependency>
+ <dependency>
+ <groupId>org.apache.tsfile</groupId>
+ <artifactId>tsfile</artifactId>
+ <version>${tsfile.version}</version>
+ </dependency>
 <dependency>
 <groupId>org.apache.ratis</groupId>
 <artifactId>ratis-server</artifactId>
@@ -509,7 +515,7 @@
 <version>${zstd-jni.version}</version>
 </dependency>
 <dependency>
- <groupId>org.lz4</groupId>
+ <groupId>at.yawk.lz4</groupId>
 <artifactId>lz4-java</artifactId>
 <version>${lz4-java.version}</version>
 </dependency>
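Review bot: the new `dependencyManagement` entry for `org.apache.tsfile:tsfile` in the @@ -311 hunk resolves through `${tsfile.version}`, which the @@ -175 hunk sets to `1.1.3-251212-SNAPSHOT`; on a release-candidate branch a SNAPSHOT is a mutable artifact that Maven can silently re-resolve from the snapshot repository, so the build is not pinned to the tsfile bytes that were reviewed. Pin a released tsfile version before cutting the RC, or record in the commit why the snapshot is required (the `hasSetLimit` rename in TVList suggests the build depends on it). In the same hunk `bcprov-jdk18on` now follows `${bouncycastle.version}` (1.81), which matches the fix's intent; note also that `metrics/interface/pom.xml` now inherits netty from `${netty.version}` (4.1.126.Final) while reactor-netty moves to 1.2.9, so run `mvn dependency:tree` to confirm a single netty version is resolved, since mixed netty artifact versions fail at runtime rather than at build time.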
