From d0aa3b4a19b26c231e699923de8fe0769d3a53cb Mon Sep 17 00:00:00 2001
From: Lari Hotari
Date: Tue, 11 Jan 2022 07:56:15 +0200
Subject: [PATCH] [Security] Upgrade protobuf to 3.16.1 to address CVE-2021-22569 (#13695)
### Motivation
- protobuf < 3.16.1 contains DoS vulnerability CVE-2021-22569, https://nvd.nist.gov/vuln/detail/CVE-2021-22569.
### Modifications
- upgrade protobuf from 3.11.4 to 3.16.1
(cherry picked from commit 1a3688c936bb2320db34ccfbef08500f2c522591)
---
 distribution/server/src/assemble/LICENSE.bin.txt | 4 ++--
 pom.xml | 2 +-
 pulsar-sql/presto-distribution/LICENSE | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
index 806e595bcf401..5e96587ba8494 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -521,8 +521,8 @@ MIT License
 Protocol Buffers License
  * Protocol Buffers
- - com.google.protobuf-protobuf-java-3.11.4.jar -- licenses/LICENSE-protobuf.txt
- - com.google.protobuf-protobuf-java-util-3.11.4.jar -- licenses/LICENSE-protobuf.txt
+ - com.google.protobuf-protobuf-java-3.16.1.jar -- licenses/LICENSE-protobuf.txt
+ - com.google.protobuf-protobuf-java-util-3.16.1.jar -- licenses/LICENSE-protobuf.txt
 CDDL-1.1 -- licenses/LICENSE-CDDL-1.1.txt
  * Java Annotations API
diff --git a/pom.xml b/pom.xml
index 2a5be058cd0d3..c0dd629a1cca5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -130,7 +130,7 @@ flexible messaging model and an intuitive client API.
 8.37
 1.4.13
 0.5.0
- 3.11.4
+ 3.16.1
 ${protobuf3.version}
 1.33.0
 0.19.0
diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
index 88c533ff5bcc9..edd4bf39aadc8 100644
--- a/pulsar-sql/presto-distribution/LICENSE
+++ b/pulsar-sql/presto-distribution/LICENSE
@@ -463,7 +463,7 @@ The Apache Software License, Version 2.0
 Protocol Buffers License
  * Protocol Buffers
- - protobuf-java-3.11.4.jar
+ - protobuf-java-3.16.1.jar
 BSD 3-clause "New" or "Revised" License
  * RE2J TD -- re2j-td-1.4.jar