This is an automated email from the ASF dual-hosted git repository. penghui pushed a commit to branch branch-2.8 in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit 8b66a17c603061ab92b69689f6c0807803fc18e5
Author: Lari Hotari <[email protected]>
AuthorDate: Wed Jan 12 17:03:17 2022 +0200
[Security] Use dependencyManagement to enforce snakeyaml version to 1.30 (#13722)
- snakeyaml changelog https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes
- Pulsar Offloaders contained vulnerable version 1.21
(cherry picked from commit e5d828ac92f8102fc3c70d122b1270110757c591)
---
 distribution/server/src/assemble/LICENSE.bin.txt | 2 +-
 pom.xml | 6 ++++++
 pulsar-sql/presto-distribution/LICENSE | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
index 42dfa316eb8..7e8f189dcc6 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -445,7 +445,7 @@ The Apache Software License, Version 2.0
 - org.eclipse.jetty.websocket-websocket-servlet-9.4.43.v20210629.jar
 - org.eclipse.jetty-jetty-alpn-conscrypt-server-9.4.43.v20210629.jar
 - org.eclipse.jetty-jetty-alpn-server-9.4.43.v20210629.jar
- * SnakeYaml -- org.yaml-snakeyaml-1.27.jar
+ * SnakeYaml -- org.yaml-snakeyaml-1.30.jar
 * RocksDB - org.rocksdb-rocksdbjni-6.10.2.jar
 * Google Error Prone Annotations - com.google.errorprone-error_prone_annotations-2.5.1.jar
 * Apache Thrifth - org.apache.thrift-libthrift-0.14.2.jar
diff --git a/pom.xml b/pom.xml
index 8a79ac5903f..d3a37af7a2d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -198,6 +198,7 @@ flexible messaging model and an intuitive client API.</description>
 <spring-context.version>5.3.15</spring-context.version>
 <apache-http-client.version>4.5.13</apache-http-client.version>
 <seancfoley.ipaddress.version>5.3.3</seancfoley.ipaddress.version>
+ <snakeyaml.version>1.30</snakeyaml.version>
 <!-- test dependencies -->
 <cassandra.version>3.6.0</cassandra.version>
@@ -1140,6 +1141,11 @@ flexible messaging model and an intuitive client API.</description>
 <version>${j2objc-annotations.version}</version>
 </dependency>
+ <dependency>
+ <groupId>org.yaml</groupId>
+ <artifactId>snakeyaml</artifactId>
+ <version>${snakeyaml.version}</version>
+ </dependency>
 </dependencies>
 </dependencyManagement>
diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
index 137993c9934..7970280b6a2 100644
--- a/pulsar-sql/presto-distribution/LICENSE
+++ b/pulsar-sql/presto-distribution/LICENSE
@@ -393,7 +393,7 @@ The Apache Software License, Version 2.0
 * RocksDB JNI - rocksdbjni-6.10.2.jar
 * SnakeYAML
- - snakeyaml-1.27.jar
+ - snakeyaml-1.30.jar
 * Bean Validation API - validation-api-2.0.1.Final.jar
 * Objectsize
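Review bot: The new `org.yaml:snakeyaml` entry in `<dependencyManagement>` pins the version only for modules that inherit this parent pom and pull snakeyaml in transitively; a module that declares snakeyaml directly with its own `<version>` is not overridden, so since the commit message names the Offloaders as the place where 1.21 was shipped, it is worth confirming that their poms (and any distribution assembly with a different parent) do not carry an explicit version of their own. The title says "enforce", but nothing in this hunk fails the build if an older snakeyaml reappears; if the build already runs maven-enforcer-plugin, a `bannedDependencies` rule excluding `org.yaml:snakeyaml` below `${snakeyaml.version}` would make that literal and would also catch a future regression. A one-line comment on the new entry, `<!-- pinned so transitive snakeyaml resolves to ${snakeyaml.version}; see #13722 -->`, would tell the next maintainer why this artifact is managed when nothing in the root pom depends on it directly. The enclosing `<dependencies>` and `<dependencyManagement>` elements open outside the hunk, and the header's +1141,11 count is larger than the lines visible here, so some blank context lines appear to have been lost in this rendering rather than in the change.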
