
[fix][sec] Exclude avro from hadoop-client #21719

Merged
merged 1 commit into from
Dec 13, 2023

Conversation

liangyepianzhou
Copy link
Contributor

Motivation

Fix CVE-2023-39410.
This issue affects Java applications using the Apache Avro Java SDK up to and including 1.11.2.

org.apache.pulsar:pulsar-io-hdfs3:jar:3.2.0-SNAPSHOT
 \- org.apache.hadoop:hadoop-client:jar:3.3.5:compile
    \- org.apache.hadoop:hadoop-common:jar:3.3.5:compile
       \- org.apache.avro:avro:jar:1.7.7:compile

Modifications

Exclude Avro from Hadoop-client.

Verifying this change

  • Make sure that the change passes the CI checks.

(Please pick either of the following options)

This change is a trivial rework / code cleanup without any test coverage.

(or)

This change is already covered by existing tests, such as (please describe tests).

(or)

This change added tests and can be verified as follows:

(example:)

  • Added integration tests for end-to-end deployment with large payloads (10MB)
  • Extended integration test for recovery after broker failure

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository:
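The PR description says "Exclude Avro from Hadoop-client" without showing the diff. As an added illustration (not the PR's own change, and not copied from the Pulsar repository), this is the shape of a Maven exclusion that removes the transitive `org.apache.avro:avro:1.7.7` shown in the dependency tree above. The coordinates and the `3.3.5` version are taken from that tree; the surrounding pom structure, and the assumption that the version is written as a literal rather than a `${hadoop.version}`-style property, are mine.

```xml
<!-- Added example: a hadoop-client dependency with the vulnerable transitive
     Avro excluded. Coordinates come from the PR's dependency tree; the rest of
     the pom.xml is assumed. -->
<dependency>
  <groupId>org.apache.hadoop</groupId>
  <artifactId>hadoop-client</artifactId>
  <version>3.3.5</version>
  <exclusions>
    <!-- Drops org.apache.avro:avro:1.7.7, which hadoop-common pulls in
         transitively and which is affected by CVE-2023-39410. -->
    <exclusion>
      <groupId>org.apache.avro</groupId>
      <artifactId>avro</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

To confirm the exclusion took effect, run `mvn dependency:tree -Dincludes=org.apache.avro` in the affected module (the `-Dincludes` filter is a standard parameter of the maven-dependency-plugin `tree` goal); the `avro:1.7.7` line from the tree above should no longer appear under `hadoop-client`. Excluding a jar only removes it from the classpath; whether any Hadoop code path the connector exercises still needs Avro classes at runtime is not established by the PR text, so the CI run recorded on this page is the evidence to rely on, and a `NoClassDefFoundError` in the connector's tests would be the signal that a patched Avro must be added as a direct dependency instead.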

@lhotari lhotari merged commit 95b9072 into apache:master Dec 13, 2023
55 of 57 checks passed
@liangyepianzhou liangyepianzhou deleted the cve/avro-1.7.7 branch December 13, 2023 12:52
@Technoboy- Technoboy- added this to the 3.2.0 milestone Dec 14, 2023
liangyepianzhou added a commit that referenced this pull request Jan 11, 2024
liangyepianzhou added a commit that referenced this pull request Jan 15, 2024
liangyepianzhou added a commit to liangyepianzhou/pulsar that referenced this pull request Feb 18, 2024
nodece pushed a commit to nodece/pulsar that referenced this pull request Feb 23, 2024
mukesh-ctds pushed a commit to datastax/pulsar that referenced this pull request Mar 1, 2024
mukesh-ctds pushed a commit to datastax/pulsar that referenced this pull request Mar 6, 2024