From ef4917c009b85fb171f49c6ab10136fb2d895900 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicol=C3=B2=20Boschi?= Date: Mon, 7 Feb 2022 10:04:22 +0100 Subject: [PATCH] [security] Upgrade Postgre driver to 42.2.25 to get rid of CVE-2022-21724 (#14119) http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21724 Upgrade both `jdbc` and `debezium` Postgre java driver dependency to 42.2.25 (from 42.2.24 and 42.2.22). Note: the version is not shared on purpose because we should leave the driver dependencies separated since the two connectors are used in different ways. (For example, when we'll upgrade Debezium to 1.8.x we'll need to remove the override and keep the 42.3.x version) For cherry-picks, branch-2.9 and branch-2.8 are compatible since: * branch-2.9 has the same debezium version * branch-2.8 has 1.0.0 but it uses [pg driver 42.2.x](https://search.maven.org/artifact/io.debezium/debezium-parent/1.0.0.Final/pom) as well - [x] `no-need-doc` (cherry picked from commit 64818458727df20384463bbedf9cb7c92c0f9216) --- pom.xml | 3 ++- pulsar-io/debezium/postgres/pom.xml | 7 +++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index a79429f4733a9..76f187129cc98 100644 --- a/pom.xml +++ b/pom.xml @@ -148,7 +148,7 @@ flexible messaging model and an intuitive client API. 2.3.0 3.8.11.2 8.0.11 - 42.2.24 + 42.2.25 0.3.2 2.6.0 3.3.1 @@ -158,6 +158,7 @@ flexible messaging model and an intuitive client API. 2.13 2.13.6 1.7.1.Final + 42.2.25 0.11.1 0.18.0 2.4.9 diff --git a/pulsar-io/debezium/postgres/pom.xml b/pulsar-io/debezium/postgres/pom.xml index a3d0231e0a762..8c64dd448eef9 100644 --- a/pulsar-io/debezium/postgres/pom.xml +++ b/pulsar-io/debezium/postgres/pom.xml @@ -44,6 +44,13 @@ ${debezium.version} + + org.postgresql + postgresql + ${debezium.postgresql.version} + runtime + +
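Review bot: the property added in the second `pom.xml` hunk (`+ 42.2.25`, next to `1.7.1.Final`) carries the same value as the driver property bumped in the first hunk, and the pom itself gives no hint that the duplication is intentional; the reasoning lives only in the commit message ("the version is not shared on purpose", "when we'll upgrade Debezium to 1.8.x we'll need to remove the override"). Please add an XML comment beside the new property stating that it pins the Debezium connector's transitive PostgreSQL driver for CVE-2022-21724 and is to be dropped on the Debezium 1.8.x upgrade, so a later cleanup does not merge the two properties or leave the override behind after it stops being needed.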
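Review bot: the explicit `org.postgresql:postgresql` dependency added to `pulsar-io/debezium/postgres/pom.xml` with `runtime` scope and `${debezium.postgresql.version}` depends on Maven's nearest-wins resolution to displace the 42.2.22 driver that the Debezium connector pulls in transitively, which it will, but nothing in the build verifies that outcome. Since the whole point of the change is the CVE fix, it would be good to attach `mvn dependency:tree` output for this module to the PR (or manage the version through `dependencyManagement`) showing that 42.2.25, not 42.2.22, is what ends up packaged in the connector, and to do the same check on branch-2.9 and branch-2.8 when cherry-picking, since the commit message notes those branches resolve the driver through different Debezium parents.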