This is an automated email from the ASF dual-hosted git repository.
lhotari pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new 8214da8 Updated dependencies to get rid of pulsar-io/jdbc related
CVE-2020-13692 (#13753)
8214da8 is described below
commit 8214da86b2bd2213a7d97e1d174e8d4e53c1b669
Author: Andrey Yegorov <[email protected]>
AuthorDate: Sun Jan 16 09:48:59 2022 -0800
Updated dependencies to get rid of pulsar-io/jdbc related CVE-2020-13692
(#13753)
* Updated dependencies to get rid of pulsar-io/jdbc related CVE-2020-13692
Also upgraded clickhouse lib and suppressed wrongly detected clickhouse
CVEs (client lib matched to server CVEs)
* CR feedback
---
pom.xml | 4 +-
src/owasp-dependency-check-suppressions.xml | 74 ++++++++++++++++++++++++++++-
2 files changed, 75 insertions(+), 3 deletions(-)
diff --git a/pom.xml b/pom.xml
index 28ba1bc..0a7716d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -147,8 +147,8 @@ flexible messaging model and an intuitive client
API.</description>
<jclouds.version>2.3.0</jclouds.version>
<sqlite-jdbc.version>3.8.11.2</sqlite-jdbc.version>
<mysql-jdbc.version>8.0.11</mysql-jdbc.version>
- <postgresql-jdbc.version>42.2.12</postgresql-jdbc.version>
- <clickhouse-jdbc.version>0.2.4</clickhouse-jdbc.version>
+ <postgresql-jdbc.version>42.2.24</postgresql-jdbc.version>
+ <clickhouse-jdbc.version>0.3.2</clickhouse-jdbc.version>
<mariadb-jdbc.version>2.6.0</mariadb-jdbc.version>
<hdfs-offload-version3>3.3.0</hdfs-offload-version3>
<elasticsearch.version>7.9.1</elasticsearch.version>
diff --git a/src/owasp-dependency-check-suppressions.xml
b/src/owasp-dependency-check-suppressions.xml
index 139365d..838e142 100644
--- a/src/owasp-dependency-check-suppressions.xml
+++ b/src/owasp-dependency-check-suppressions.xml
@@ -41,4 +41,76 @@
<gav regex="true">org\.apache\.zookeeper:.*:3\.6\.2</gav>
<vulnerabilityName regex="true">.*</vulnerabilityName>
</suppress>
-</suppressions>
\ No newline at end of file
+
+ <!-- clickhouse: security scan matches client lib to the server CVEs -->
+ <suppress>
+ <notes><![CDATA[
+ file name: avro-1.10.2.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.avro/avro@.*$</packageUrl>
+ <cve>CVE-2021-43045</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: clickhouse-jdbc-0.3.2.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+ <cve>CVE-2018-14668</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: clickhouse-jdbc-0.3.2.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+ <cve>CVE-2018-14669</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: clickhouse-jdbc-0.3.2.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+ <cve>CVE-2018-14670</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: clickhouse-jdbc-0.3.2.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+ <cve>CVE-2018-14671</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: clickhouse-jdbc-0.3.2.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+ <cve>CVE-2018-14672</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: clickhouse-jdbc-0.3.2.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+ <cve>CVE-2019-15024</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: clickhouse-jdbc-0.3.2.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+ <cve>CVE-2019-16535</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: clickhouse-jdbc-0.3.2.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+ <cve>CVE-2019-18657</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: clickhouse-jdbc-0.3.2.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/ru\.yandex\.clickhouse/clickhouse\-jdbc@.*$</packageUrl>
+ <cve>CVE-2021-25263</cve>
+ </suppress>
+</suppressions>
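Review bot: The avro suppression (the `CVE-2021-43045` block immediately under the `<!-- clickhouse: security scan matches client lib to the server CVEs -->` comment) records only a file name in its `<notes>`, so the only rationale visible for it is the clickhouse header comment, which does not apply to avro; someone auditing this file later cannot tell why that finding was judged a false positive, and the same is true of each clickhouse block if the header comment is ever moved. Each `<suppress>` should carry its own justification in `<notes>`, e.g. `file name: avro-1.10.2.jar -- finding presumably matches a different Avro implementation, not the Java artifact shipped here; re-verify on the next avro upgrade` (replace with the actual reason established when it was triaged), and `file name: clickhouse-jdbc-0.3.2.jar -- ClickHouse server CVE, not applicable to the JDBC client` for the clickhouse entries. The `@.*$` tail in every `packageUrl` also makes these suppressions version-unbounded; that is defensible for server-vs-client mismatches, but a time-boxed `<suppress until="YYYY-MM-DD">` (supported by dependency-check) or a pinned version in the regex would force the entries to be revisited rather than silently outliving the library upgrade that justified them.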