[FLINK-34955] Upgrade commons-compress to 1.26.0. (apache#24580)
Addresses 2 CVEs as described at https://mvnrepository.com/artifact/org.apache.commons/commons-compress.
1 parent 8a18b11 commit 163b9cc

10 files changed

+35
-13
lines changed


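--- a/flink-dist/src/main/resources/META-INF/NOTICE
+++ b/flink-dist/src/main/resources/META-INF/NOTICE
@@ -11,8 +11,8 @@ This project bundles the following dependencies under the Apache Software Licens
 - com.ververica:frocksdbjni:6.20.3-ververica-2.0
 - commons-cli:commons-cli:1.5.0
 - commons-collections:commons-collections:3.2.2
-- commons-io:commons-io:2.11.0
-- org.apache.commons:commons-compress:1.24.0
+- commons-io:commons-io:2.15.1
+- org.apache.commons:commons-compress:1.26.0
 - org.apache.commons:commons-lang3:3.12.0
 - org.apache.commons:commons-math3:3.6.1
 - org.apache.commons:commons-text:1.10.0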

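--- a/flink-end-to-end-tests/flink-sql-client-test/pom.xml
+++ b/flink-end-to-end-tests/flink-sql-client-test/pom.xml
@@ -69,6 +69,13 @@ under the License.
 <artifactId>kafka</artifactId>
 <scope>test</scope>
 </dependency>
+
+<dependency>
+<groupId>commons-codec</groupId>
+<artifactId>commons-codec</artifactId>
+<scope>test</scope>
+</dependency>
+
 </dependencies>
 
 <dependencyManagement>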
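Review bot: The new commons-codec test dependency (new lines 73–77) carries neither a `<version>` nor a comment saying why a test module now needs it declared directly; its version must therefore come from a `<dependencyManagement>` entry in this pom or a parent, which is not visible in the hunk. A one-line comment would keep the next maintainer from removing it as unused, e.g. `<!-- declared explicitly to keep the test classpath converged after the commons-compress 1.26.0 upgrade -->`. That reason is inferred from the rest of the commit rather than shown here, so confirm it against the enforcer output before wording the comment.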

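--- a/flink-filesystems/flink-fs-hadoop-shaded/src/main/resources/META-INF/NOTICE
+++ b/flink-filesystems/flink-fs-hadoop-shaded/src/main/resources/META-INF/NOTICE
@@ -16,9 +16,9 @@ This project bundles the following dependencies under the Apache Software Licens
 - com.google.j2objc:j2objc-annotations:1.1
 - commons-beanutils:commons-beanutils:1.9.4
 - commons-collections:commons-collections:3.2.2
-- commons-io:commons-io:2.11.0
+- commons-io:commons-io:2.15.1
 - commons-logging:commons-logging:1.1.3
-- org.apache.commons:commons-compress:1.24.0
+- org.apache.commons:commons-compress:1.26.0
 - org.apache.commons:commons-configuration2:2.1.1
 - org.apache.commons:commons-lang3:3.12.0
 - org.apache.commons:commons-text:1.10.0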

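--- a/flink-filesystems/flink-s3-fs-hadoop/src/main/resources/META-INF/NOTICE
+++ b/flink-filesystems/flink-s3-fs-hadoop/src/main/resources/META-INF/NOTICE
@@ -21,10 +21,10 @@ This project bundles the following dependencies under the Apache Software Licens
 - commons-beanutils:commons-beanutils:1.9.4
 - commons-codec:commons-codec:1.15
 - commons-collections:commons-collections:3.2.2
-- commons-io:commons-io:2.11.0
+- commons-io:commons-io:2.15.1
 - commons-logging:commons-logging:1.1.3
 - joda-time:joda-time:2.5
-- org.apache.commons:commons-compress:1.24.0
+- org.apache.commons:commons-compress:1.26.0
 - org.apache.commons:commons-configuration2:2.1.1
 - org.apache.commons:commons-lang3:3.12.0
 - org.apache.commons:commons-text:1.10.0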

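--- a/flink-filesystems/flink-s3-fs-presto/src/main/resources/META-INF/NOTICE
+++ b/flink-filesystems/flink-s3-fs-presto/src/main/resources/META-INF/NOTICE
@@ -30,13 +30,13 @@ This project bundles the following dependencies under the Apache Software Licens
 - commons-beanutils:commons-beanutils:1.9.4
 - commons-codec:commons-codec:1.15
 - commons-collections:commons-collections:3.2.2
-- commons-io:commons-io:2.11.0
+- commons-io:commons-io:2.15.1
 - commons-logging:commons-logging:1.1.3
 - io.airlift:slice:0.38
 - io.airlift:units:1.3
 - joda-time:joda-time:2.5
 - org.alluxio:alluxio-shaded-client:2.7.3
-- org.apache.commons:commons-compress:1.24.0
+- org.apache.commons:commons-compress:1.26.0
 - org.apache.commons:commons-configuration2:2.1.1
 - org.apache.commons:commons-lang3:3.12.0
 - org.apache.commons:commons-text:1.10.0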

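--- a/flink-formats/flink-sql-avro-confluent-registry/src/main/resources/META-INF/NOTICE
+++ b/flink-formats/flink-sql-avro-confluent-registry/src/main/resources/META-INF/NOTICE
@@ -10,10 +10,12 @@ This project bundles the following dependencies under the Apache Software Licens
 - com.fasterxml.jackson.core:jackson-core:2.15.3
 - com.fasterxml.jackson.core:jackson-databind:2.15.3
 - com.google.guava:guava:32.0.1-jre
+- commons-io:commons-io:2.15.1
 - io.confluent:common-utils:7.5.3
 - io.confluent:kafka-schema-registry-client:7.5.3
 - org.apache.avro:avro:1.11.3
-- org.apache.commons:commons-compress:1.24.0
+- org.apache.commons:commons-compress:1.26.0
+- org.apache.commons:commons-lang3:3.12.0
 - org.apache.kafka:kafka-clients:7.5.3-ccs
 - org.xerial.snappy:snappy-java:1.1.10.4
 - org.yaml:snakeyaml:1.33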

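--- a/flink-formats/flink-sql-avro/src/main/resources/META-INF/NOTICE
+++ b/flink-formats/flink-sql-avro/src/main/resources/META-INF/NOTICE
@@ -10,4 +10,4 @@ This project bundles the following dependencies under the Apache Software Licens
 - com.fasterxml.jackson.core:jackson-core:2.15.3
 - com.fasterxml.jackson.core:jackson-databind:2.15.3
 - com.fasterxml.jackson.core:jackson-annotations:2.15.3
-- org.apache.commons:commons-compress:1.24.0
+- org.apache.commons:commons-compress:1.26.0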

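--- a/flink-python/pom.xml
+++ b/flink-python/pom.xml
@@ -367,6 +367,18 @@ under the License.
 <scope>test</scope>
 </dependency>
 
+<dependency>
+<groupId>commons-io</groupId>
+<artifactId>commons-io</artifactId>
+<version>${commons.io.version}</version>
+<scope>test</scope>
+</dependency>
+
+<dependency>
+<groupId>org.apache.commons</groupId>
+<artifactId>commons-lang3</artifactId>
+</dependency>
+
 </dependencies>
 
 <dependencyManagement>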
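Review bot: The commons-lang3 dependency added at new lines 377–380 has no `<scope>`, so Maven gives it compile scope and it becomes a runtime dependency of flink-python, whereas the commons-io entry directly above it is test-scoped; if it is only needed to keep the test classpath converged after the commons-compress 1.26.0 bump, it should read `<scope>test</scope>` as well. If it genuinely is a runtime dependency that flink-python bundles, note that no flink-python NOTICE is updated in this commit, unlike the other modules that gained commons-lang3 in their NOTICE files. Either way a short comment stating why the dependency is now declared directly would help, e.g. `<!-- pulled in by commons-compress 1.26.0; declared explicitly for dependency convergence -->` — that reason is inferred, not shown in the hunk, so confirm it first.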

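--- a/flink-table/flink-table-planner/src/main/resources/META-INF/NOTICE
+++ b/flink-table/flink-table-planner/src/main/resources/META-INF/NOTICE
@@ -12,7 +12,7 @@ This project bundles the following dependencies under the Apache Software Licens
 - org.apache.calcite:calcite-linq4j:1.32.0
 - org.apache.calcite.avatica:avatica-core:1.22.0
 - commons-codec:commons-codec:1.15
-- commons-io:commons-io:2.11.0
+- commons-io:commons-io:2.15.1
 
 This project bundles the following dependencies under the MIT License. (http://www.opensource.org/licenses/mit-license.php)
 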
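--- a/pom.xml
+++ b/pom.xml
@@ -165,6 +165,7 @@ under the License.
 <okhttp.version>3.14.9</okhttp.version>
 <testcontainers.version>1.19.1</testcontainers.version>
 <lz4.version>1.8.0</lz4.version>
+<commons.io.version>2.15.1</commons.io.version>
 <japicmp.skip>false</japicmp.skip>
 <flink.convergence.phase>validate</flink.convergence.phase>
 <!--
@@ -691,7 +692,7 @@ under the License.
 <dependency>
 <groupId>commons-io</groupId>
 <artifactId>commons-io</artifactId>
-<version>2.11.0</version>
+<version>${commons.io.version}</version>
 </dependency>
 
 <!-- commons collections needs to be pinned to this critical security fix version -->
@@ -730,7 +731,7 @@ under the License.
 <dependency>
 <groupId>org.apache.commons</groupId>
 <artifactId>commons-compress</artifactId>
-<version>1.24.0</version>
+<version>1.26.0</version>
 <exclusions>
 <exclusion>
 <!-- Causes unnecessary dependency convergence errors; see MENFORCER-437 -->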
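Review bot: The commons-compress entry at new line 734 is the security-motivated pin of this commit, yet unlike the commons-collections entry a few lines above (`<!-- commons collections needs to be pinned to this critical security fix version -->`) it carries no comment saying so, which invites a future downgrade during a dependency-convergence fix; add `<!-- 1.26.0 fixes the commons-compress CVEs tracked in FLINK-34955; do not downgrade -->` above the `<version>` line. For consistency with the `commons.io.version` property introduced in the first hunk, the version could also be lifted into `<commons.compress.version>1.26.0</commons.compress.version>` so that modules needing to reference it do not repeat the literal. The `<exclusions>` block of this dependency continues outside the hunk, so whether the excluded artifact is still the right one for 1.26.0 — which, judging by the NOTICE changes elsewhere in this commit, appears to bring commons-io and commons-lang3 along — cannot be judged here.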
