This is an automated email from the ASF dual-hosted git repository.

showuon pushed a commit to branch 4.1
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/4.1 by this push:
     new ddc30477a99 KAFKA-19359: force bump commons-beanutils for 
CVE-2025-48734 (#19939)
ddc30477a99 is described below

commit ddc30477a99c06d1c91f53bbf1230d32fadb98d5
Author: Luke Chen <show...@gmail.com>
AuthorDate: Wed Jun 11 15:23:04 2025 +0800

    KAFKA-19359: force bump commons-beanutils for CVE-2025-48734 (#19939)
    
    Bump commons-beanutils for CVE-2025-48734. Since `commons-validator`
    hasn't had a new release with newer `commons-beanutils` versions, we manually 
bump it in kafka.
    
    Reviewers: Mickael Maison <mickael.mai...@gmail.com>
---
 LICENSE-binary             | 4 ++--
 build.gradle               | 2 ++
 gradle/dependencies.gradle | 2 ++
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/LICENSE-binary b/LICENSE-binary
index fc87fb913f8..b0640c1bca7 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -206,11 +206,11 @@ This project bundles some components that are also 
licensed under the Apache
 License Version 2.0:
 
 - caffeine-3.2.0
-- commons-beanutils-1.9.4
+- commons-beanutils-1.11.0
 - commons-collections-3.2.2
 - commons-digester-2.1
 - commons-lang3-3.12.0
-- commons-logging-1.3.2
+- commons-logging-1.3.5
 - commons-validator-1.9.0
 - hash4j-0.22.0
 - jackson-annotations-2.19.0
diff --git a/build.gradle b/build.gradle
index b4e9cbb8011..767395ad32d 100644
--- a/build.gradle
+++ b/build.gradle
@@ -193,6 +193,8 @@ allprojects {
           // ensure we have a single version in the classpath despite 
transitive dependencies
           libs.scalaLibrary,
           libs.scalaReflect,
+          // Workaround before `commons-validator` has new release. See 
KAFKA-19359.
+          libs.commonsBeanutils,
           libs.jacksonAnnotations
         )
       }
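Review bot: The comment on the added `libs.commonsBeanutils` entry names only the ticket, not why the pin exists, so the override is easy to drop once KAFKA-19359 is closed even if the underlying issue is still relevant; a comment such as `// Pin commons-beanutils >= 1.11.0 for CVE-2025-48734 until commons-validator ships a release depending on it (KAFKA-19359).` records both. The LICENSE-binary hunk also moves commons-logging from 1.3.2 to 1.3.5, but no gradle line in this commit pins commons-logging, so that version presumably arrives transitively through commons-beanutils 1.11.0 — worth confirming the resolved version matches the license listing. The enclosing `allprojects` block starts and ends outside the hunk.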
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index cf519c4af8f..cd6af7ee168 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -57,6 +57,7 @@ versions += [
   caffeine: "3.2.0",
   bndlib: "7.1.0",
   checkstyle: project.hasProperty('checkstyleVersion') ? checkstyleVersion : 
"10.20.2",
+  commonsBeanutils: "1.11.0",
   commonsValidator: "1.9.0",
   classgraph: "4.8.179",
   gradle: "8.14.1",
@@ -147,6 +148,7 @@ libs += [
   bndlib:"biz.aQute.bnd:biz.aQute.bndlib:$versions.bndlib",
   caffeine: "com.github.ben-manes.caffeine:caffeine:$versions.caffeine",
   classgraph: "io.github.classgraph:classgraph:$versions.classgraph",
+  commonsBeanutils: 
"commons-beanutils:commons-beanutils:$versions.commonsBeanutils",
   commonsValidator: 
"commons-validator:commons-validator:$versions.commonsValidator",
   jacksonAnnotations: 
"com.fasterxml.jackson.core:jackson-annotations:$versions.jackson",
   jacksonDatabind: 
"com.fasterxml.jackson.core:jackson-databind:$versions.jackson",
