lzljs3620320 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/paimon.git
The following commit(s) were added to refs/heads/master by this push:
new 29de6ddb3 [SECURITY] Upgrade protobuf-java and commons-compress
version to fix CVE (#3436)
commit 29de6ddb3e52cad217660ba777134db74828738c
Author: Jiao Mingye <[email protected]>
AuthorDate: Fri May 31 11:09:47 2024 +0800
[SECURITY] Upgrade protobuf-java and commons-compress version to fix CVE
(#3436)
---
paimon-format/pom.xml | 6 +++++-
paimon-format/src/main/resources/META-INF/NOTICE | 4 ++--
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/paimon-format/pom.xml b/paimon-format/pom.xml
index b28ca797b..7fe38b287 100644
--- a/paimon-format/pom.xml
+++ b/paimon-format/pom.xml
@@ -39,7 +39,7 @@ under the License.
<commons.lang3.version>3.12.0</commons.lang3.version>
<zstd-jni.version>1.5.5-11</zstd-jni.version>
<storage-api.version>2.8.1</storage-api.version>
- <protobuf-java.version>3.17.3</protobuf-java.version>
+ <protobuf-java.version>3.19.6</protobuf-java.version>
</properties>
<dependencies>
@@ -89,6 +89,10 @@ under the License.
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
</exclusion>
+ <exclusion>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-compress</artifactId>
+ </exclusion>
</exclusions>
</dependency>
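Review bot: The new commons-compress exclusion has no counterpart pinning the replacement version: the properties hunk above gains nothing like the `protobuf-java.version` property that backs the existing protobuf-java exclusion in this same block, and no direct or managed commons-compress dependency appears anywhere in the diff, yet the NOTICE change records commons-compress as bundled at 1.22. If 1.22 is only arriving through some other transitive path, the bundled version can drift away from both the NOTICE and the intended CVE fix on the next unrelated dependency change; declaring `<commons-compress.version>1.22</commons-compress.version>` next to the other version properties and referencing it from an explicit dependency or dependencyManagement entry would make the resolution deterministic. The enclosing `<dependency>` element begins outside the hunk, so which artifact this exclusion applies to is not visible here. The version that actually ends up on the classpath is worth confirming with `mvn dependency:tree` before relying on the NOTICE entry.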
diff --git a/paimon-format/src/main/resources/META-INF/NOTICE
b/paimon-format/src/main/resources/META-INF/NOTICE
index dae8d5fec..1b1a0a0b2 100644
--- a/paimon-format/src/main/resources/META-INF/NOTICE
+++ b/paimon-format/src/main/resources/META-INF/NOTICE
@@ -17,7 +17,7 @@ This project bundles the following dependencies under the
Apache Software Licens
- com.fasterxml.jackson.core:jackson-core:2.14.2
- com.fasterxml.jackson.core:jackson-databind:2.14.2
- com.fasterxml.jackson.core:jackson-annotations:2.14.2
-- org.apache.commons:commons-compress:1.4.1
+- org.apache.commons:commons-compress:1.22
- org.apache.parquet:parquet-hadoop:1.13.1
- org.apache.parquet:parquet-column:1.13.1
@@ -31,6 +31,6 @@ This project bundles the following dependencies under the BSD
license.
You find it under licenses/LICENSE.protobuf, licenses/LICENSE.zstd-jni
and licenses/LICENSE.threeten-extra
-- com.google.protobuf:protobuf-java:3.17.3
+- com.google.protobuf:protobuf-java:3.19.6
- com.github.luben:zstd-jni:1.5.5-11
- org.threeten:threeten-extra:1.7.1