[security] Upgrade Postgre driver to 42.2.25 to get rid of CVE-2022-21724 #14119
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
shoothzj
reviewed
Feb 4, 2022
lhotari
reviewed
Feb 4, 2022
|
/pulsarbot rerun-failure-checks |
lhotari
approved these changes
Feb 7, 2022
shoothzj
approved these changes
Feb 7, 2022
|
@shoothzj would you able to cherry-pick this fix to 2.8 and 2.9 ? |
nicoloboschi
added a commit
to datastax/pulsar
that referenced
this pull request
Feb 7, 2022
…1724 (apache#14119) http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21724 Upgrade both `jdbc` and `debezium` Postgre java driver dependency to 42.2.25 (from 42.2.24 and 42.2.22). Note: the version is not shared on purpose because we should leave the driver dependencies separated since the two connectors are used in different ways. (For example, when we'll upgrade Debezium to 1.8.x we'll need to remove the override and keep the 42.3.x version) For cherry-picks, branch-2.9 and branch-2.8 are compatible since: * branch-2.9 has the same debezium version * branch-2.8 has 1.0.0 but it uses [pg driver 42.2.x](https://search.maven.org/artifact/io.debezium/debezium-parent/1.0.0.Final/pom) as well - [x] `no-need-doc` (cherry picked from commit 6481845)
zymap
pushed a commit
that referenced
this pull request
Feb 11, 2022
…1724 (#14119) http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21724 Upgrade both `jdbc` and `debezium` Postgre java driver dependency to 42.2.25 (from 42.2.24 and 42.2.22). Note: the version is not shared on purpose because we should leave the driver dependencies separated since the two connectors are used in different ways. (For example, when we'll upgrade Debezium to 1.8.x we'll need to remove the override and keep the 42.3.x version) For cherry-picks, branch-2.9 and branch-2.8 are compatible since: * branch-2.9 has the same debezium version * branch-2.8 has 1.0.0 but it uses [pg driver 42.2.x](https://search.maven.org/artifact/io.debezium/debezium-parent/1.0.0.Final/pom) as well - [x] `no-need-doc` (cherry picked from commit 6481845)
gaoran10
added
area/dependency
gaoran10
pushed a commit
that referenced
this pull request
Mar 1, 2022
…1724 (#14119) http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21724 Upgrade both `jdbc` and `debezium` Postgre java driver dependency to 42.2.25 (from 42.2.24 and 42.2.22). Note: the version is not shared on purpose because we should leave the driver dependencies separated since the two connectors are used in different ways. (For example, when we'll upgrade Debezium to 1.8.x we'll need to remove the override and keep the 42.3.x version) For cherry-picks, branch-2.9 and branch-2.8 are compatible since: * branch-2.9 has the same debezium version * branch-2.8 has 1.0.0 but it uses [pg driver 42.2.x](https://search.maven.org/artifact/io.debezium/debezium-parent/1.0.0.Final/pom) as well - [x] `no-need-doc` (cherry picked from commit 6481845)
Nicklee007
pushed a commit
to Nicklee007/pulsar
that referenced
this pull request
Apr 20, 2022
…1724 (apache#14119) ### Motivation http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21724 ### Modifications Upgrade both `jdbc` and `debezium` Postgre java driver dependency to 42.2.25 (from 42.2.24 and 42.2.22). Note: the version is not shared on purpose because we should leave the driver dependencies separated since the two connectors are used in different ways. (For example, when we'll upgrade Debezium to 1.8.x we'll need to remove the override and keep the 42.3.x version) For cherry-picks, branch-2.9 and branch-2.8 are compatible since: * branch-2.9 has the same debezium version * branch-2.8 has 1.0.0 but it uses [pg driver 42.2.x](https://search.maven.org/artifact/io.debezium/debezium-parent/1.0.0.Final/pom) as well ### Documentation - [x] `no-need-doc`
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21724
Modifications
Upgrade both
jdbcanddebeziumPostgre java driver dependency to 42.2.25 (from 42.2.24 and 42.2.22).Note: the version is not shared on purpose because we should leave the driver dependencies separated since the two connectors are used in different ways. (For example, when we'll upgrade Debezium to 1.8.x we'll need to remove the override and keep the 42.3.x version)
For cherry-picks, branch-2.9 and branch-2.8 are compatible since:
Documentation
no-need-doc