This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a commit to branch camel-4.8.x
in repository https://gitbox.apache.org/repos/asf/camel.git


The following commit(s) were added to refs/heads/camel-4.8.x by this push:
     new dfff1f212da Fix CVE (#15955)
dfff1f212da is described below

commit dfff1f212dabb0b6f0af1d767961b18b50b7f63c
Author: Federico Mariani <[email protected]>
AuthorDate: Tue Oct 15 12:46:20 2024 +0200

    Fix CVE (#15955)
    
    * Fix Avro CVE In Jackson Databind Avro
    
    Fix avro CVE in Jackson Dataformat
    
    * Move from libtinfo5 to libtinfo6
    
    Signed-off-by: Andrea Cosentino <[email protected]>
    
    ---------
    
    Signed-off-by: Andrea Cosentino <[email protected]>
    Co-authored-by: Andrea Cosentino <[email protected]>
---
 .github/actions/install-packages/action.yml |  2 +-
 components/camel-jackson-avro/pom.xml       | 12 ++++++++++++
 parent/pom.xml                              |  6 +++---
 3 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/.github/actions/install-packages/action.yml 
b/.github/actions/install-packages/action.yml
index f100119a738..46f8a0a52ec 100644
--- a/.github/actions/install-packages/action.yml
+++ b/.github/actions/install-packages/action.yml
@@ -22,5 +22,5 @@ runs:
   steps:
     - run: sudo apt-get update
       shell: bash
-    - run: sudo apt-get install -qqy --no-install-recommends libtinfo5
+    - run: sudo apt-get install -qqy --no-install-recommends libtinfo6
       shell: bash
diff --git a/components/camel-jackson-avro/pom.xml 
b/components/camel-jackson-avro/pom.xml
index 34f8049c556..e476353f589 100644
--- a/components/camel-jackson-avro/pom.xml
+++ b/components/camel-jackson-avro/pom.xml
@@ -49,6 +49,18 @@
         <dependency>
             <groupId>com.fasterxml.jackson.dataformat</groupId>
             <artifactId>jackson-dataformat-avro</artifactId>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.apache.avro</groupId>
+                    <artifactId>avro</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <!-- Remove the exlcusion and the dependency once the CVE-2024-47561 
is fixed in jackson-dataformat-avro -->
+        <dependency>
+            <groupId>org.apache.avro</groupId>
+            <artifactId>avro</artifactId>
+            <version>${avro-version}</version>
         </dependency>
 
         <!-- testing -->
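Review bot: The comment on the new explicit avro dependency (line 63–64) has a typo (`exlcusion`) and gives no reason for the version it pins to, while parent/pom.xml in the same commit moves `avro-version` from 1.12.0 down to 1.11.4 without explaining the downgrade either. If 1.12.0 already contains the CVE-2024-47561 fix, as the advisory text indicates, the lower line is presumably chosen for compatibility with the avro release jackson-dataformat-avro is built against, and that should be written down so a later bump back to 1.12.x is not treated as a regression. Suggest `<!-- Remove the exclusion and the explicit dependency once jackson-dataformat-avro ships a version of org.apache.avro:avro fixed for CVE-2024-47561; avro-version stays on the 1.11.x line to match jackson-dataformat-avro -->`. Note also that the exclusion only covers this module's direct dependency: any other module that picks up jackson-dataformat-avro transitively still resolves the unmanaged avro unless the parent's dependencyManagement pins org.apache.avro:avro (not visible in this commit), so it is worth confirming that is the case.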
diff --git a/parent/pom.xml b/parent/pom.xml
index 646468272b0..ee6c5a1117d 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -72,9 +72,9 @@
         <asterisk-java-version>3.39.0</asterisk-java-version>
         <atlassian-fugue-version>6.1.0</atlassian-fugue-version>
         <atmosphere-version>3.0.10</atmosphere-version>
-        <avro-version>1.12.0</avro-version>
-        <avro-ipc-jetty-version>1.12.0</avro-ipc-jetty-version>
-        <avro-ipc-netty-version>1.12.0</avro-ipc-netty-version>
+        <avro-version>1.11.4</avro-version>
+        <avro-ipc-jetty-version>1.11.4</avro-ipc-jetty-version>
+        <avro-ipc-netty-version>1.11.4</avro-ipc-netty-version>
         <awaitility-version>4.2.2</awaitility-version>
         <aws-java-sdk2-version>2.27.19</aws-java-sdk2-version>
         <aws-xray-version>2.18.1</aws-xray-version>
