This is an automated email from the ASF dual-hosted git repository. lhotari pushed a commit to branch branch-4.0 in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit e665b9454a40dbd824420298ad2a7efe545eea66 Author: guptas6est <[email protected]> AuthorDate: Thu Nov 6 09:04:12 2025 +0000 [fix][sec] Added Exclusions for tomcat-embed-core and derby and override mina-core to remediate CVEs (#24949) (cherry picked from commit 39aeec5ad61f2d4e8bbc6500bddbaa4e35fe88a7) --- pom.xml | 1 + pulsar-io/flume/pom.xml | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/pom.xml b/pom.xml index 7c42437799b..bd26d4222cd 100644 --- a/pom.xml +++ b/pom.xml @@ -369,6 +369,7 @@ flexible messaging model and an intuitive client API.</description> <nimbus-jose-jwt.version>9.37.4</nimbus-jose-jwt.version> <commons-beanutils.version>1.11.0</commons-beanutils.version> <commons-configuration2.version>2.12.0</commons-configuration2.version> + <mina-core.version>2.1.10</mina-core.version> </properties> <dependencyManagement> diff --git a/pulsar-io/flume/pom.xml b/pulsar-io/flume/pom.xml index d3e68f6bf6c..f3437b85b97 100644 --- a/pulsar-io/flume/pom.xml +++ b/pulsar-io/flume/pom.xml @@ -31,6 +31,16 @@ <artifactId>pulsar-io-flume</artifactId> <name>Pulsar IO :: Flume</name> + <dependencyManagement> + <dependencies> + <dependency> + <groupId>org.apache.mina</groupId> + <artifactId>mina-core</artifactId> + <version>${mina-core.version}</version> + </dependency> + </dependencies> + </dependencyManagement> + <dependencies> <dependency> <groupId>${project.groupId}</groupId> @@ -61,6 +71,14 @@ <artifactId>avro</artifactId> <groupId>org.apache.avro</groupId> </exclusion> + <exclusion> + <groupId>org.apache.tomcat.embed</groupId> + <artifactId>tomcat-embed-core</artifactId> + </exclusion> + <exclusion> + <groupId>org.apache.derby</groupId> + <artifactId>derby</artifactId> + </exclusion> </exclusions> </dependency> <dependency>
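Review bot: The new `<dependencyManagement>` entry in pulsar-io/flume/pom.xml pins mina-core to `${mina-core.version}` without recording which transitive dependency pulls it in or which advisory the pin answers, so a later Flume upgrade cannot tell whether it is still needed. I would add a comment above the `<dependency>`, for example `<!-- Pins transitive mina-core (via <DEPENDENCY_PATH>) to a patched release for <CVE-ID>; re-check when Flume is upgraded -->`. The property is defined in the root pom.xml but the pin only takes effect inside this module, so any other module that resolves mina-core transitively would stay on the older version; `mvn dependency:tree -Dincludes=org.apache.mina:mina-core` over the whole build would confirm that, and if it shows up elsewhere the entry presumably belongs in the root `<dependencyManagement>` instead. Because the override replaces the version the upstream library was built against, the connector's tests should cover the code path that actually loads MINA before this is relied on.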
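Review bot: The two added `<exclusion>` entries for tomcat-embed-core and derby only remove those artifacts along this one dependency's path, so either can come back silently through another dependency or a later upgrade; the enclosing `<dependency>` starts above the hunk, so which artifact they are excluded from is not visible here. A maven-enforcer-plugin `bannedDependencies` rule listing `org.apache.tomcat.embed:tomcat-embed-core` and `org.apache.derby:derby` for this module would make the build fail if they reappear on the classpath. An exclusion also removes the classes at runtime, which shows up as a `NoClassDefFoundError` only when the code that needs them runs, so the reason it is safe should be written next to the entries, for example `<!-- Excluded to remediate <CVE-ID>; not needed at runtime by this connector (verified by <TEST_OR_CHECK>) -->`.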
