This is an automated email from the ASF dual-hosted git repository.
penghui pushed a commit to branch branch-2.9
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/branch-2.9 by this push:
new 94de85fc6d8 [fix][sec] Updating dependencies to get rid of CVEs
brought in with kafka and log4j-1.2 libs (#13726) (#18304)
94de85fc6d8 is described below
commit 94de85fc6d84a3210ccb5456017500e044fce090
Author: Alexander Preuß <[email protected]>
AuthorDate: Thu Nov 3 02:05:15 2022 +0100
[fix][sec] Updating dependencies to get rid of CVEs brought in with kafka
and log4j-1.2 libs (#13726) (#18304)
CVE-2020-27218,
CVE-2021-38153,
CVE-2021-44228,
CVE-2021-44832,
CVE-2021-45046,
CVE-2021-45105,
CVE-2020-9488,
CVE-2019-17571,
CVE-2021-4104
(cherry picked from commit 3acdbfe4eac79040be140b423342c28a07dc0327)
---
pom.xml | 2 +-
pulsar-io/debezium/core/pom.xml | 6 ++++++
pulsar-io/hbase/pom.xml | 10 ++++++++++
pulsar-io/hdfs2/pom.xml | 10 ++++++++++
pulsar-io/hdfs3/pom.xml | 8 ++++++++
pulsar-io/kafka-connect-adaptor/pom.xml | 6 ++++++
pulsar-io/kafka/pom.xml | 10 ++++++++++
tiered-storage/file-system/pom.xml | 10 ++++++++++
8 files changed, 61 insertions(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 3b1aac8cc03..bbccabc820c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -141,7 +141,7 @@ flexible messaging model and an intuitive client
API.</description>
<hbc-core.version>2.2.0</hbc-core.version>
<cassandra-driver-core.version>3.6.0</cassandra-driver-core.version>
<aerospike-client.version>4.4.20</aerospike-client.version>
- <kafka-client.version>2.7.0</kafka-client.version>
+ <kafka-client.version>2.7.2</kafka-client.version>
<rabbitmq-client.version>5.1.1</rabbitmq-client.version>
<aws-sdk.version>1.11.774</aws-sdk.version>
<avro.version>1.10.2</avro.version>
diff --git a/pulsar-io/debezium/core/pom.xml b/pulsar-io/debezium/core/pom.xml
index e084d43a8a1..139416214a4 100644
--- a/pulsar-io/debezium/core/pom.xml
+++ b/pulsar-io/debezium/core/pom.xml
@@ -66,6 +66,12 @@
<groupId>org.apache.kafka</groupId>
<artifactId>connect-runtime</artifactId>
<version>${kafka-client.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>org.apache.kafka</groupId>
+ <artifactId>kafka-log4j-appender</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
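Review bot: The exclusion added to `connect-runtime` removes only `kafka-log4j-appender`, whereas the hbase, hdfs2, hdfs3, kafka and file-system hunks in this commit exclude `log4j:log4j` and `slf4j-log4j12` directly; the identical hunk in pulsar-io/kafka-connect-adaptor/pom.xml has the same gap. If `connect-runtime` reaches log4j 1.2 by any path other than the appender (not visible here), the jar stays on the connector classpath, so it is worth checking both modules with `mvn dependency:tree -Dincludes=log4j:log4j,org.slf4j:slf4j-log4j12`. Per-dependency exclusions are easy to lose when a new dependency is added, so a `bannedDependencies` rule for these three artifacts in the root pom's maven-enforcer-plugin configuration would turn a regression into a build failure. A short comment above the block, e.g. `<!-- log4j 1.2 is banned, see #13726 -->`, would record why the exclusion exists.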
diff --git a/pulsar-io/hbase/pom.xml b/pulsar-io/hbase/pom.xml
index 60d02110748..4d782fb15fe 100644
--- a/pulsar-io/hbase/pom.xml
+++ b/pulsar-io/hbase/pom.xml
@@ -68,6 +68,16 @@
<groupId>org.apache.hbase</groupId>
<artifactId>hbase-client</artifactId>
<version>${hbase.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>log4j</groupId>
+ <artifactId>log4j</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-log4j12</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
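Review bot: Excluding `log4j:log4j` and `slf4j-log4j12` from `hbase-client` removes the `org.apache.log4j` classes as well as the SLF4J binding, and nothing in this hunk shows a replacement being added. If the HBase or Hadoop client code references log4j 1.x classes directly, the connector would fail at class-load time unless a bridge such as `org.apache.logging.log4j:log4j-1.2-api` is already on the runtime classpath. That should be confirmed with a connector smoke test rather than assumed. The same question applies to the matching exclusions in the hdfs2, hdfs3, kafka and tiered-storage/file-system hunks.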
diff --git a/pulsar-io/hdfs2/pom.xml b/pulsar-io/hdfs2/pom.xml
index 2505b0b6a56..5f038bf810e 100644
--- a/pulsar-io/hdfs2/pom.xml
+++ b/pulsar-io/hdfs2/pom.xml
@@ -49,6 +49,16 @@
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-client</artifactId>
<version>2.8.5</version>
+ <exclusions>
+ <exclusion>
+ <groupId>log4j</groupId>
+ <artifactId>log4j</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-log4j12</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
diff --git a/pulsar-io/hdfs3/pom.xml b/pulsar-io/hdfs3/pom.xml
index ba53000940b..be94f18de04 100644
--- a/pulsar-io/hdfs3/pom.xml
+++ b/pulsar-io/hdfs3/pom.xml
@@ -54,6 +54,14 @@
<groupId>jakarta.activation</groupId>
<artifactId>jakarta.activation-api</artifactId>
</exclusion>
+ <exclusion>
+ <groupId>log4j</groupId>
+ <artifactId>log4j</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-log4j12</artifactId>
+ </exclusion>
</exclusions>
</dependency>
diff --git a/pulsar-io/kafka-connect-adaptor/pom.xml
b/pulsar-io/kafka-connect-adaptor/pom.xml
index 334ba9255c4..6cf8d7a155b 100644
--- a/pulsar-io/kafka-connect-adaptor/pom.xml
+++ b/pulsar-io/kafka-connect-adaptor/pom.xml
@@ -54,6 +54,12 @@
<groupId>org.apache.kafka</groupId>
<artifactId>connect-runtime</artifactId>
<version>${kafka-client.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>org.apache.kafka</groupId>
+ <artifactId>kafka-log4j-appender</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
diff --git a/pulsar-io/kafka/pom.xml b/pulsar-io/kafka/pom.xml
index 0fb41f92e7c..6d6c61fb558 100644
--- a/pulsar-io/kafka/pom.xml
+++ b/pulsar-io/kafka/pom.xml
@@ -70,6 +70,16 @@
<groupId>io.confluent</groupId>
<artifactId>kafka-schema-registry</artifactId>
<version>${kafka.confluent.schemaregistryclient.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>log4j</groupId>
+ <artifactId>log4j</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-log4j12</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
diff --git a/tiered-storage/file-system/pom.xml
b/tiered-storage/file-system/pom.xml
index e5f1c880cca..25c6d1d0f4f 100644
--- a/tiered-storage/file-system/pom.xml
+++ b/tiered-storage/file-system/pom.xml
@@ -46,6 +46,16 @@
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-common</artifactId>
<version>${hdfs-offload-version3}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>log4j</groupId>
+ <artifactId>log4j</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-log4j12</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
<groupId>com.google.protobuf</groupId>