This is an automated email from the ASF dual-hosted git repository.
lhotari pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new cbe9c2b Upgraded debezium to 1.7.2 (+ fixed CVE-2021-20328, +
suppressed OWASP misdetections) (#13928)
cbe9c2b is described below
commit cbe9c2b31fcf3aa0fe0c58960f9843cab8b5d42f
Author: Andrey Yegorov <[email protected]>
AuthorDate: Fri Jan 28 07:38:39 2022 -0800
Upgraded debezium to 1.7.2 (+ fixed CVE-2021-20328, + suppressed OWASP
misdetections) (#13928)
Upgraded debezium mostly to pick up perf fix
https://issues.redhat.com/browse/DBZ-4309
CVE-2021-20328 in the mongo lib is fixed by forcing a newer version.
---
pom.xml | 2 +-
pulsar-io/debezium/mongodb/pom.xml | 7 +++
src/owasp-dependency-check-suppressions.xml | 94 ++++++++++++++++++++++++++++-
3 files changed, 101 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index 0b61422..86bc285 100644
--- a/pom.xml
+++ b/pom.xml
@@ -157,7 +157,7 @@ flexible messaging model and an intuitive client
API.</description>
<presto.version>332</presto.version>
<scala.binary.version>2.13</scala.binary.version>
<scala-library.version>2.13.6</scala-library.version>
- <debezium.version>1.7.1.Final</debezium.version>
+ <debezium.version>1.7.2.Final</debezium.version>
<jsonwebtoken.version>0.11.1</jsonwebtoken.version>
<opencensus.version>0.18.0</opencensus.version>
<hbase.version>2.4.9</hbase.version>
diff --git a/pulsar-io/debezium/mongodb/pom.xml
b/pulsar-io/debezium/mongodb/pom.xml
index 75ef9ca..eda0a1a 100644
--- a/pulsar-io/debezium/mongodb/pom.xml
+++ b/pulsar-io/debezium/mongodb/pom.xml
@@ -39,6 +39,13 @@
</dependency>
<dependency>
+ <!-- CVE-2021-20328, check if can be safely removed with the next
debezium upgrade -->
+ <groupId>org.mongodb</groupId>
+ <artifactId>mongodb-driver-sync</artifactId>
+ <version>4.2.2</version>
+ </dependency>
+
+ <dependency>
<groupId>io.debezium</groupId>
<artifactId>debezium-connector-mongodb</artifactId>
<version>${debezium.version}</version>
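Review bot: The pin at `<version>4.2.2</version>` overrides whatever mongodb-driver-sync version debezium-connector-mongodb pulls in transitively, but neither the comment nor the pom records that older version, so the follow-up the comment asks for ("check if can be safely removed") cannot be answered from this file alone. I would have the comment state it: `<!-- CVE-2021-20328: overrides mongodb-driver-sync pulled in transitively by debezium-connector-mongodb (was [transitive version here]); drop once the debezium upgrade brings >= 4.2.2 -->`. Only the sync artifact is pinned; if mongodb-driver-core and bson still resolve to the older transitive version (not visible in this hunk), the mismatched pair can fail at runtime, so `mvn dependency:tree` on this module should confirm all three align, and hoisting the literal version into a property in the root pom would keep them in step. The enclosing `<dependencies>` block starts and ends outside the hunk.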
diff --git a/src/owasp-dependency-check-suppressions.xml
b/src/owasp-dependency-check-suppressions.xml
index 5a596e3..89cc001 100644
--- a/src/owasp-dependency-check-suppressions.xml
+++ b/src/owasp-dependency-check-suppressions.xml
@@ -290,7 +290,7 @@
<sha1>3f8f54bbcb73608ac8b66f186a824b75065eb413</sha1>
<cve>CVE-2017-8761</cve>
</suppress>
-
+
<suppress>
<notes><![CDATA[
file name: openstack-keystone-2.4.0.jar
@@ -353,4 +353,96 @@
<cpe>cpe:/a:apache:solr</cpe>
</suppress>
+ <!-- debezium-related misdetections -->
+ <suppress>
+ <notes><![CDATA[
+ file name: debezium-connector-mysql-1.7.2.Final.jar
+ ]]></notes>
+ <sha1>a501bd758344d60fd400f5ce58694d52b2dbc6d8</sha1>
+ <cve>CVE-2010-1626</cve>
+ <cve>CVE-2009-4028</cve>
+ <cve>CVE-2007-1420</cve>
+ <cve>CVE-2007-5925</cve>
+ <cve>CVE-2007-2691</cve>
+ <cve>CVE-2009-0819</cve>
+ <cve>CVE-2010-1621</cve>
+ <cve>CVE-2010-3677</cve>
+ <cve>CVE-2010-3682</cve>
+ <cve>CVE-2012-5627</cve>
+ <cve>CVE-2015-2575</cve>
+ <cve>CVE-2017-15945</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: mysql-binlog-connector-java-0.25.3.jar
+ ]]></notes>
+ <sha1>45b3fdd0b953d744a8570f74eb5e1016f8ed5ca9</sha1>
+ <cve>CVE-2007-1420</cve>
+ <cve>CVE-2007-2691</cve>
+ <cve>CVE-2007-5925</cve>
+ <cve>CVE-2009-0819</cve>
+ <cve>CVE-2009-4028</cve>
+ <cve>CVE-2010-1621</cve>
+ <cve>CVE-2010-1626</cve>
+ <cve>CVE-2010-3677</cve>
+ <cve>CVE-2010-3682</cve>
+ <cve>CVE-2012-5627</cve>
+ <cve>CVE-2015-2575</cve>
+ <cve>CVE-2017-15945</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: debezium-connector-postgres-1.7.2.Final.jar
+ ]]></notes>
+ <sha1>69c1edfa7d89531af511fcd07e8516fa450f746a</sha1>
+ <cve>CVE-2007-2138</cve>
+ <cve>CVE-2010-0733</cve>
+ <cve>CVE-2014-0060</cve>
+ <cve>CVE-2014-0061</cve>
+ <cve>CVE-2014-0062</cve>
+ <cve>CVE-2014-0063</cve>
+ <cve>CVE-2014-0064</cve>
+ <cve>CVE-2014-0065</cve>
+ <cve>CVE-2014-0066</cve>
+ <cve>CVE-2014-0067</cve>
+ <cve>CVE-2014-8161</cve>
+ <cve>CVE-2015-0241</cve>
+ <cve>CVE-2015-0242</cve>
+ <cve>CVE-2015-0243</cve>
+ <cve>CVE-2015-0244</cve>
+ <cve>CVE-2015-3165</cve>
+ <cve>CVE-2015-3166</cve>
+ <cve>CVE-2015-3167</cve>
+ <cve>CVE-2015-5288</cve>
+ <cve>CVE-2015-5289</cve>
+ <cve>CVE-2016-0766</cve>
+ <cve>CVE-2016-0768</cve>
+ <cve>CVE-2016-0773</cve>
+ <cve>CVE-2016-5423</cve>
+ <cve>CVE-2016-5424</cve>
+ <cve>CVE-2016-7048</cve>
+ <cve>CVE-2017-14798</cve>
+ <cve>CVE-2017-7484</cve>
+ <cve>CVE-2018-1115</cve>
+ <cve>CVE-2019-10127</cve>
+ <cve>CVE-2019-10128</cve>
+ <cve>CVE-2019-10210</cve>
+ <cve>CVE-2019-10211</cve>
+ <cve>CVE-2020-25694</cve>
+ <cve>CVE-2020-25695</cve>
+ <cve>CVE-2021-3393</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: protostream-types-4.4.1.Final.jar
+ ]]></notes>
+ <sha1>29b45ebea1e4ce62ab3ec5eb76fa9771f98941b0</sha1>
+ <cve>CVE-2016-0750</cve>
+ <cve>CVE-2017-15089</cve>
+ <cve>CVE-2017-2638</cve>
+ <cve>CVE-2019-10158</cve>
+ <cve>CVE-2019-10174</cve>
+ <cve>CVE-2020-25711</cve>
+ </suppress>
+
</suppressions>
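Review bot: Each new `<notes>` block records only the jar name, not why the matched CVEs are false positives, so the next person re-running the scan after a debezium bump (when the `<sha1>` pins stop matching and every CVE reappears) has to redo the analysis from scratch. The listed CVE sets read as MySQL and PostgreSQL server advisories attributed to the connector jars, which suggests CPE misidentification rather than vulnerable code, but that inference should be written down per block, e.g. `file name: debezium-connector-mysql-1.7.2.Final.jar - connector jar misidentified as the MySQL server CPE; the listed CVEs target the server, not this library`. If misidentification is the cause, the `<cpe>` form already used above (`<cpe>cpe:/a:apache:solr</cpe>`), scoped by the same `<sha1>`, would suppress the wrong match at its root instead of enumerating CVEs that must be extended with every new server advisory. The protostream-types entry concerns a different product and deserves its own stated reason.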