wolfstudy opened a new pull request #7801:
URL: https://github.com/apache/pulsar/pull/7801


   Signed-off-by: xiaolong.ran <[email protected]>
   
   
   ### Motivation
   
   Based on the scan results of `Black Duck`, we found that there are security vulnerabilities in the components currently used by Pulsar; some are directly referenced by Pulsar, and some are indirectly referenced by Pulsar.
   
   ### Modifications
   
   - Remove `<test-hdfs-offload-jetty>9.3.24.v20180605</test-hdfs-offload-jetty>` because no one uses it.
   
   - **Upgrade netty version from `4.1.48.Final` to `4.1.51.Final`** (directly referenced)
   
   
   Netty Project | 4.1.48.Final | maven | BDSA-2018-4022 | MEDIUM
   -- | -- | -- | -- | --
   
   - **Upgrade jetty version from `9.3.24.v20180605` to `9.4.31.v20200723`** (directly referenced)
   
   
   Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server | 9.3.24.v20180605 | maven | CVE-2017-9735 | MEDIUM
   -- | -- | -- | -- | --
   Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server | 9.3.24.v20180605 | maven | CVE-2018-12545 | MEDIUM
   
   
   - **Upgrade hbase version from `1.4.9` to `2.3.0`** (indirectly referenced)
   
   
   Apache Tomcat | 5.5.23 | maven | CVE-2007-2449 | MEDIUM
   -- | -- | -- | -- | --
   Apache Tomcat | 5.5.23 | maven | CVE-2007-3382 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2007-3385 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2007-3386 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2007-5342 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2007-5333 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2007-6286 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2008-2370 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2008-2938 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2009-0781 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2009-0033 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2009-0580 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2009-0783 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2008-5515 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2009-2693 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2009-2901 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2009-2902 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2010-2227 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2009-2696 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2010-4476 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2011-0013 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2011-2526 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2011-3190 | HIGH
   Apache Tomcat | 5.5.23 | maven | CVE-2011-4858 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2011-1184 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2011-5062 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2011-5063 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2011-5064 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2012-0022 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2012-5885 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2012-5886 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2012-5887 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2012-5568 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2012-3546 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2013-1976 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2013-6357 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2013-2185 | HIGH
   Apache Tomcat | 5.5.23 | maven | CVE-2013-4286 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2013-4322 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2013-4590 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2014-0075 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2014-0096 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2014-0099 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2014-0119 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2013-4444 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | BDSA-2009-0001 (CVE-2009-3548) | HIGH
   Apache Tomcat | 5.5.23 | maven | BDSA-2016-0056 | MEDIUM
   Apache Tomcat | 5.5.23 | maven | CVE-2020-8022 | HIGH
   
   and
   
   Apache HttpClient | 3.1 | maven | CVE-2015-5262 | MEDIUM
   -- | -- | -- | -- | --
   Apache HttpClient | 3.1 | maven | BDSA-2012-0025 (CVE-2012-5783) | MEDIUM
   Apache HttpClient | 3.1 | maven | BDSA-2014-0112 (CVE-2012-6153) | MEDIUM
   
   
   - **Upgrade fastjson version from `1.2.28` to `1.2.73`** (directly referenced)
   
   
   fastjson | 1.2.28 | maven | BDSA-2019-3073 | MEDIUM
   -- | -- | -- | -- | --
   
   
   - **Upgrade canal.client version from `1.1.1` to `1.1.4`**
   
   Spring Framework | 3.2.18 | maven | BDSA-2018-0994 (CVE-2018-1270) | MEDIUM
   -- | -- | -- | -- | --
   Spring Framework | 3.2.18 | maven | BDSA-2018-1042 | MEDIUM
   
   
   - **Upgrade solr version from `7.5.0` to `8.6.0`** (directly referenced)
   
   apache lucene-solr | 7.5.0 | maven | BDSA-2018-4775 (CVE-2017-3164) | MEDIUM
   -- | -- | -- | -- | --
   apache lucene-solr | 7.5.0 | maven | BDSA-2019-2386 (CVE-2019-0193) | MEDIUM
   apache lucene-solr | 7.5.0 | maven | BDSA-2019-3379 (CVE-2019-17558) | MEDIUM
   
   - Upgrade `dep.airlift` version from `0.170` to `0.199` (indirectly referenced)
   
   Apache Commons BeanUtils | 1.8.3 | maven | BDSA-2014-0001 (CVE-2014-0114) | MEDIUM
   -- | -- | -- | -- | --
   Apache Commons BeanUtils | 1.8.3 | maven | BDSA-2014-0129 (CVE-2019-10086) | MEDIUM
   

