This is an automated email from the ASF dual-hosted git repository.
showuon pushed a commit to branch 4.0
in repository https://gitbox.apache.org/repos/asf/kafka.git
The following commit(s) were added to refs/heads/4.0 by this push:
new 00a1b1e8ceb Bump the commons-beanutils for CVE-2025-48734. Since
`commons-validator` hasn't had new release with newer `commons-beanutils`
versions, we manually bump it in kafka.
00a1b1e8ceb is described below
commit 00a1b1e8ceb1653bbd725c93cabc836df60657c0
Author: Luke Chen <[email protected]>
AuthorDate: Wed Jun 11 15:27:22 2025 +0800
Bump the commons-beanutils for CVE-2025-48734. Since `commons-validator`
hasn't had a new release with newer `commons-beanutils` versions, we manually
bump it in kafka.
Reviewers: Mickael Maison <[email protected]>
---
LICENSE-binary | 4 ++--
build.gradle | 2 ++
gradle/dependencies.gradle | 2 ++
3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/LICENSE-binary b/LICENSE-binary
index 380af15b5c1..8ceda84ebe8 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -206,11 +206,11 @@ This project bundles some components that are also
licensed under the Apache
License Version 2.0:
- caffeine-3.1.1
-- commons-beanutils-1.9.4
+- commons-beanutils-1.11.0
- commons-collections-3.2.2
- commons-digester-2.1
- commons-lang3-3.12.0
-- commons-logging-1.3.2
+- commons-logging-1.3.5
- commons-validator-1.9.0
- jackson-annotations-2.16.2
- jackson-core-2.16.2
diff --git a/build.gradle b/build.gradle
index 243f181c0bf..05d38aface2 100644
--- a/build.gradle
+++ b/build.gradle
@@ -197,6 +197,8 @@ allprojects {
// ensure we have a single version in the classpath despite
transitive dependencies
libs.scalaLibrary,
libs.scalaReflect,
+ // Workaround before `commons-validator` has new release. See
KAFKA-19359.
+ libs.commonsBeanutils,
libs.jacksonAnnotations
)
}
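Review bot: The workaround comment on the added `libs.commonsBeanutils` line cites KAFKA-19359 but not the condition under which the entry can be dropped, so whoever later bumps `commons-validator` has to rediscover why it is here; suggest `// Workaround until commons-validator ships a release depending on commons-beanutils >= 1.11.0 (CVE-2025-48734); remove this entry and versions.commonsBeanutils then. See KAFKA-19359.` Whether this list is a `force(...)` or a constraints declaration is not visible here — the call closed by the `)` on the last lines opens before this hunk, as does the enclosing `allprojects` block — so the entry only guarantees a single resolved version if that mechanism actually overrides the 1.9.4 presumably pulled in transitively by commons-validator 1.9.0; the resolved dependency graph should be checked rather than assumed.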
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 66eca369aa2..5debdea5a0c 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -60,6 +60,7 @@ versions += [
caffeine: "3.1.1",
bndlib: "7.0.0",
checkstyle: project.hasProperty('checkstyleVersion') ? checkstyleVersion :
"10.20.2",
+ commonsBeanutils: "1.11.0",
commonsValidator: "1.9.0",
classgraph: "4.8.173",
gradle: "8.10.2",
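Review bot: Nothing in this diff pins commons-logging, yet LICENSE-binary in the same commit moves it from 1.3.2 to 1.3.5; presumably that version now arrives transitively through commons-beanutils 1.11.0, but the hunk gives no evidence that every path in the graph resolves to 1.3.5 rather than some still resolving 1.3.2. Worth confirming from the dependency report before merge, since the bundled-artifact list and the CVE fix both depend on the effective resolved versions, not the declared ones; if a second path does resolve differently, an explicit `commonsLogging` entry alongside `commonsBeanutils: "1.11.0"` would make the version deterministic. The `versions += [` map continues outside this hunk on both sides.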
@@ -148,6 +149,7 @@ libs += [
bndlib:"biz.aQute.bnd:biz.aQute.bndlib:$versions.bndlib",
caffeine: "com.github.ben-manes.caffeine:caffeine:$versions.caffeine",
classgraph: "io.github.classgraph:classgraph:$versions.classgraph",
+ commonsBeanutils:
"commons-beanutils:commons-beanutils:$versions.commonsBeanutils",
commonsValidator:
"commons-validator:commons-validator:$versions.commonsValidator",
jacksonAnnotations:
"com.fasterxml.jackson.core:jackson-annotations:$versions.jackson",
jacksonDatabind:
"com.fasterxml.jackson.core:jackson-databind:$versions.jackson",