This is an automated email from the ASF dual-hosted git repository.

mbalassi pushed a commit to branch release-1.18
in repository https://gitbox.apache.org/repos/asf/flink.git


The following commit(s) were added to refs/heads/release-1.18 by this push:
     new 1711ba85744 [FLINK-34955] Upgrade commons-compress to 1.26.0.
1711ba85744 is described below

commit 1711ba85744d917ca63d989bf4c120c6aebda9ba
Author: Márton Balassi <mar...@apple.com>
AuthorDate: Wed Apr 3 15:06:53 2024 +0200

    [FLINK-34955] Upgrade commons-compress to 1.26.0.
    
    Addresses 2 CVEs as described at
https://mvnrepository.com/artifact/org.apache.commons/commons-compress.
    
    ---------
    
    Co-authored-by: slfan1989 <55643692+slfan1...@users.noreply.github.com>
---
 flink-dist/src/main/resources/META-INF/NOTICE                |  4 ++--
 flink-end-to-end-tests/flink-sql-client-test/pom.xml         |  7 +++++++
 .../src/main/resources/META-INF/NOTICE                       |  4 ++--
 .../flink-s3-fs-hadoop/src/main/resources/META-INF/NOTICE    |  4 ++--
 .../flink-s3-fs-presto/src/main/resources/META-INF/NOTICE    |  4 ++--
 .../src/main/resources/META-INF/NOTICE                       |  4 +++-
 .../flink-sql-avro/src/main/resources/META-INF/NOTICE        |  2 +-
 flink-python/pom.xml                                         | 12 ++++++++++++
 .../flink-table-planner/src/main/resources/META-INF/NOTICE   |  2 +-
 pom.xml                                                      |  5 +++--
 10 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/flink-dist/src/main/resources/META-INF/NOTICE 
b/flink-dist/src/main/resources/META-INF/NOTICE
index 8eb3dbc5dc7..bb94111ed64 100644
--- a/flink-dist/src/main/resources/META-INF/NOTICE
+++ b/flink-dist/src/main/resources/META-INF/NOTICE
@@ -11,8 +11,8 @@ This project bundles the following dependencies under the 
Apache Software Licens
 - com.ververica:frocksdbjni:6.20.3-ververica-2.0
 - commons-cli:commons-cli:1.5.0
 - commons-collections:commons-collections:3.2.2
-- commons-io:commons-io:2.11.0
-- org.apache.commons:commons-compress:1.21
+- commons-io:commons-io:2.15.1
+- org.apache.commons:commons-compress:1.26.0
 - org.apache.commons:commons-lang3:3.12.0
 - org.apache.commons:commons-math3:3.6.1
 - org.apache.commons:commons-text:1.10.0
diff --git a/flink-end-to-end-tests/flink-sql-client-test/pom.xml 
b/flink-end-to-end-tests/flink-sql-client-test/pom.xml
index 5e816c66943..d7c1c1dc567 100644
--- a/flink-end-to-end-tests/flink-sql-client-test/pom.xml
+++ b/flink-end-to-end-tests/flink-sql-client-test/pom.xml
@@ -69,6 +69,13 @@ under the License.
                        <artifactId>kafka</artifactId>
                        <scope>test</scope>
                </dependency>
+
+               <dependency>
+                       <groupId>commons-codec</groupId>
+                       <artifactId>commons-codec</artifactId>
+                       <scope>test</scope>
+               </dependency>
+
        </dependencies>
 
        <dependencyManagement>
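Review bot: The new commons-codec test dependency carries no comment explaining why a module that previously built without it now needs it, so a later cleanup pass is likely to drop it as unused. Since the hunk adds it in the same commit that moves commons-compress to 1.26.0, it is presumably satisfying a new transitive requirement of that release, but nothing in the diff says so; the version is also left to the parent's dependencyManagement, which is fine but worth stating. I would add `<!-- required at test runtime since the commons-compress 1.26.0 upgrade (FLINK-34955) -->` directly above the `<dependency>` element.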
diff --git 
a/flink-filesystems/flink-fs-hadoop-shaded/src/main/resources/META-INF/NOTICE 
b/flink-filesystems/flink-fs-hadoop-shaded/src/main/resources/META-INF/NOTICE
index 0236725e0a4..41d0788e3b7 100644
--- 
a/flink-filesystems/flink-fs-hadoop-shaded/src/main/resources/META-INF/NOTICE
+++ 
b/flink-filesystems/flink-fs-hadoop-shaded/src/main/resources/META-INF/NOTICE
@@ -16,9 +16,9 @@ This project bundles the following dependencies under the 
Apache Software Licens
 - com.google.j2objc:j2objc-annotations:1.1
 - commons-beanutils:commons-beanutils:1.9.4
 - commons-collections:commons-collections:3.2.2
-- commons-io:commons-io:2.11.0
+- commons-io:commons-io:2.15.1
 - commons-logging:commons-logging:1.1.3
-- org.apache.commons:commons-compress:1.21
+- org.apache.commons:commons-compress:1.26.0
 - org.apache.commons:commons-configuration2:2.1.1
 - org.apache.commons:commons-lang3:3.12.0
 - org.apache.commons:commons-text:1.10.0
diff --git 
a/flink-filesystems/flink-s3-fs-hadoop/src/main/resources/META-INF/NOTICE 
b/flink-filesystems/flink-s3-fs-hadoop/src/main/resources/META-INF/NOTICE
index c16ab1adc98..5e66fa4612a 100644
--- a/flink-filesystems/flink-s3-fs-hadoop/src/main/resources/META-INF/NOTICE
+++ b/flink-filesystems/flink-s3-fs-hadoop/src/main/resources/META-INF/NOTICE
@@ -21,10 +21,10 @@ This project bundles the following dependencies under the 
Apache Software Licens
 - commons-beanutils:commons-beanutils:1.9.4
 - commons-codec:commons-codec:1.15
 - commons-collections:commons-collections:3.2.2
-- commons-io:commons-io:2.11.0
+- commons-io:commons-io:2.15.1
 - commons-logging:commons-logging:1.1.3
 - joda-time:joda-time:2.5
-- org.apache.commons:commons-compress:1.21
+- org.apache.commons:commons-compress:1.26.0
 - org.apache.commons:commons-configuration2:2.1.1
 - org.apache.commons:commons-lang3:3.12.0
 - org.apache.commons:commons-text:1.10.0
diff --git 
a/flink-filesystems/flink-s3-fs-presto/src/main/resources/META-INF/NOTICE 
b/flink-filesystems/flink-s3-fs-presto/src/main/resources/META-INF/NOTICE
index 3356afa2205..eccf85b9a1a 100644
--- a/flink-filesystems/flink-s3-fs-presto/src/main/resources/META-INF/NOTICE
+++ b/flink-filesystems/flink-s3-fs-presto/src/main/resources/META-INF/NOTICE
@@ -30,13 +30,13 @@ This project bundles the following dependencies under the 
Apache Software Licens
 - commons-beanutils:commons-beanutils:1.9.4
 - commons-codec:commons-codec:1.15
 - commons-collections:commons-collections:3.2.2
-- commons-io:commons-io:2.11.0
+- commons-io:commons-io:2.15.1
 - commons-logging:commons-logging:1.1.3
 - io.airlift:slice:0.38
 - io.airlift:units:1.3
 - joda-time:joda-time:2.5
 - org.alluxio:alluxio-shaded-client:2.7.3
-- org.apache.commons:commons-compress:1.21
+- org.apache.commons:commons-compress:1.26.0
 - org.apache.commons:commons-configuration2:2.1.1
 - org.apache.commons:commons-lang3:3.12.0
 - org.apache.commons:commons-text:1.10.0
diff --git 
a/flink-formats/flink-sql-avro-confluent-registry/src/main/resources/META-INF/NOTICE
 
b/flink-formats/flink-sql-avro-confluent-registry/src/main/resources/META-INF/NOTICE
index f4fd1a6308d..95f32db6217 100644
--- 
a/flink-formats/flink-sql-avro-confluent-registry/src/main/resources/META-INF/NOTICE
+++ 
b/flink-formats/flink-sql-avro-confluent-registry/src/main/resources/META-INF/NOTICE
@@ -10,11 +10,13 @@ This project bundles the following dependencies under the 
Apache Software Licens
 - com.fasterxml.jackson.core:jackson-core:2.14.3
 - com.fasterxml.jackson.core:jackson-databind:2.14.3
 - com.google.guava:guava:30.1.1-jre
+- commons-io:commons-io:2.15.1
 - io.confluent:common-config:7.2.2
 - io.confluent:common-utils:7.2.2
 - io.confluent:kafka-schema-registry-client:7.2.2
 - org.apache.avro:avro:1.11.3
-- org.apache.commons:commons-compress:1.21
+- org.apache.commons:commons-compress:1.26.0
+- org.apache.commons:commons-lang3:3.12.0
 - org.apache.kafka:kafka-clients:7.2.2-ccs
 - org.glassfish.jersey.core:jersey-common:2.30
 - org.xerial.snappy:snappy-java:1.1.10.4
diff --git a/flink-formats/flink-sql-avro/src/main/resources/META-INF/NOTICE 
b/flink-formats/flink-sql-avro/src/main/resources/META-INF/NOTICE
index 4cf05a46b4a..fa88a91991a 100644
--- a/flink-formats/flink-sql-avro/src/main/resources/META-INF/NOTICE
+++ b/flink-formats/flink-sql-avro/src/main/resources/META-INF/NOTICE
@@ -10,4 +10,4 @@ This project bundles the following dependencies under the 
Apache Software Licens
 - com.fasterxml.jackson.core:jackson-core:2.14.3
 - com.fasterxml.jackson.core:jackson-databind:2.14.3
 - com.fasterxml.jackson.core:jackson-annotations:2.14.3
-- org.apache.commons:commons-compress:1.21
+- org.apache.commons:commons-compress:1.26.0
diff --git a/flink-python/pom.xml b/flink-python/pom.xml
index 1de01168204..5223b53b4d6 100644
--- a/flink-python/pom.xml
+++ b/flink-python/pom.xml
@@ -368,6 +368,18 @@ under the License.
                        <scope>test</scope>
                </dependency>
 
+               <dependency>
+                       <groupId>commons-io</groupId>
+                       <artifactId>commons-io</artifactId>
+                       <version>${commons.io.version}</version>
+                       <scope>test</scope>
+               </dependency>
+
+               <dependency>
+                       <groupId>org.apache.commons</groupId>
+                       <artifactId>commons-lang3</artifactId>
+               </dependency>
+
        </dependencies>
 
        <dependencyManagement>
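Review bot: The two added dependencies are declared inconsistently: commons-io sets `<version>${commons.io.version}</version>` explicitly even though the root pom's dependencyManagement now resolves commons-io to that same property, while commons-lang3 directly below has neither a version nor a scope. The explicit version is redundant and will drift if someone later changes the managed version without touching this module; I would drop that line and let dependencyManagement supply it, matching the commons-lang3 entry. Separately, commons-lang3 lands in compile scope rather than test scope like commons-io, which changes flink-python's runtime dependency set; the diffstat shows no NOTICE change for flink-python, so if this module bundles or shades its dependencies the NOTICE would need a matching entry, and if compile scope is not intended, `<scope>test</scope>` should be added. Please confirm which of the two was intended and add a one-line comment stating why commons-lang3 is needed here.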
diff --git a/flink-table/flink-table-planner/src/main/resources/META-INF/NOTICE 
b/flink-table/flink-table-planner/src/main/resources/META-INF/NOTICE
index b792e12018b..6ddda175870 100644
--- a/flink-table/flink-table-planner/src/main/resources/META-INF/NOTICE
+++ b/flink-table/flink-table-planner/src/main/resources/META-INF/NOTICE
@@ -12,7 +12,7 @@ This project bundles the following dependencies under the 
Apache Software Licens
 - org.apache.calcite:calcite-linq4j:1.32.0
 - org.apache.calcite.avatica:avatica-core:1.22.0
 - commons-codec:commons-codec:1.15
-- commons-io:commons-io:2.11.0
+- commons-io:commons-io:2.15.1
 
 This project bundles the following dependencies under the MIT License. 
(http://www.opensource.org/licenses/mit-license.php)
 
diff --git a/pom.xml b/pom.xml
index af682b01597..1b1f5babe37 100644
--- a/pom.xml
+++ b/pom.xml
@@ -160,6 +160,7 @@ under the License.
                <okhttp.version>3.14.9</okhttp.version>
                <testcontainers.version>1.18.3</testcontainers.version>
                <lz4.version>1.8.0</lz4.version>
+               <commons.io.version>2.15.1</commons.io.version>
                <japicmp.skip>false</japicmp.skip>
                <flink.convergence.phase>validate</flink.convergence.phase>
                <!--
@@ -683,7 +684,7 @@ under the License.
                        <dependency>
                                <groupId>commons-io</groupId>
                                <artifactId>commons-io</artifactId>
-                               <version>2.11.0</version>
+                               <version>${commons.io.version}</version>
                        </dependency>
 
                        <!-- commons collections needs to be pinned to this 
critical security fix version -->
@@ -722,7 +723,7 @@ under the License.
                        <dependency>
                                <groupId>org.apache.commons</groupId>
                                <artifactId>commons-compress</artifactId>
-                               <version>1.21</version>
+                               <version>1.26.0</version>
                                <exclusions>
                                        <exclusion>
                                                <!-- Causes unnecessary 
dependency convergence errors; see MENFORCER-437 -->
