This is an automated email from the ASF dual-hosted git repository.

junhao pushed a commit to branch release-0.8
in repository https://gitbox.apache.org/repos/asf/paimon.git


The following commit(s) were added to refs/heads/release-0.8 by this push:
     new a3937a19a [SECURITY] Upgrade protobuf-java and commons-compress 
version to fix CVE (#3436)
a3937a19a is described below

commit a3937a19a29dcac64a17cb7a33c2583e96675f7f
Author: Jiao Mingye <35512473+mxdzs0...@users.noreply.github.com>
AuthorDate: Fri May 31 11:09:47 2024 +0800

    [SECURITY] Upgrade protobuf-java and commons-compress versions to fix CVEs 
(#3436)
---
 paimon-format/pom.xml                            | 6 +++++-
 paimon-format/src/main/resources/META-INF/NOTICE | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/paimon-format/pom.xml b/paimon-format/pom.xml
index 1b38aad99..9f3e2dc32 100644
--- a/paimon-format/pom.xml
+++ b/paimon-format/pom.xml
@@ -39,7 +39,7 @@ under the License.
         <commons.lang3.version>3.12.0</commons.lang3.version>
         <zstd-jni.version>1.5.5-11</zstd-jni.version>
         <storage-api.version>2.8.1</storage-api.version>
-        <protobuf-java.version>3.17.3</protobuf-java.version>
+        <protobuf-java.version>3.19.6</protobuf-java.version>
     </properties>
 
     <dependencies>
@@ -89,6 +89,10 @@ under the License.
                     <groupId>com.google.protobuf</groupId>
                     <artifactId>protobuf-java</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.apache.commons</groupId>
+                    <artifactId>commons-compress</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
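Review bot: The new `<exclusion>` at the end of this hunk drops commons-compress from one dependency's transitive closure, but no hunk in this file declares the replacement version — the NOTICE change says the bundled version is now org.apache.commons:commons-compress:1.22, so that version is presumably arriving via some other transitive path that Maven resolves by nearest-wins, which can silently regress (or drift to a different version than NOTICE states) on the next upstream bump. Pin it explicitly: add a property beside the other version properties and declare commons-compress as a direct dependency at that version, then confirm with `mvn dependency:tree -Dincludes=org.apache.commons:commons-compress` that exactly one version reaches the shaded artifact. The enclosing `<dependency>` this exclusion belongs to starts above the hunk, so I cannot see which artifact was pulling in 1.4.1 or whether it is the only path. Before merging, also check the advisory database for commons-compress so the pinned version is the newest release without a published advisory, not merely the first patched one.
```xml
        <commons-compress.version>1.22</commons-compress.version>
<!-- … unchanged: remaining properties and existing dependencies … -->
        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-compress</artifactId>
            <version>${commons-compress.version}</version>
        </dependency>
```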
 
diff --git a/paimon-format/src/main/resources/META-INF/NOTICE 
b/paimon-format/src/main/resources/META-INF/NOTICE
index dae8d5fec..1b1a0a0b2 100644
--- a/paimon-format/src/main/resources/META-INF/NOTICE
+++ b/paimon-format/src/main/resources/META-INF/NOTICE
@@ -17,7 +17,7 @@ This project bundles the following dependencies under the 
Apache Software Licens
 - com.fasterxml.jackson.core:jackson-core:2.14.2
 - com.fasterxml.jackson.core:jackson-databind:2.14.2
 - com.fasterxml.jackson.core:jackson-annotations:2.14.2
-- org.apache.commons:commons-compress:1.4.1
+- org.apache.commons:commons-compress:1.22
 
 - org.apache.parquet:parquet-hadoop:1.13.1
 - org.apache.parquet:parquet-column:1.13.1
@@ -31,6 +31,6 @@ This project bundles the following dependencies under the BSD 
license.
 You find it under licenses/LICENSE.protobuf, licenses/LICENSE.zstd-jni
 and licenses/LICENSE.threeten-extra
 
-- com.google.protobuf:protobuf-java:3.17.3
+- com.google.protobuf:protobuf-java:3.19.6
 - com.github.luben:zstd-jni:1.5.5-11
 - org.threeten:threeten-extra:1.7.1
