This is an automated email from the ASF dual-hosted git repository. lhotari pushed a commit to branch branch-4.0 in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit 16496c20b0d5e046c0a9c5825eafb4e70cb2ca16
Author: Lari Hotari <[email protected]>
AuthorDate: Mon May 11 23:36:05 2026 +0300

    [fix][sec] Upgrade thrift to 0.23.0 to address CVE-2026-43869 (#25744)

    (cherry picked from commit 6c2fdef849acf2c66bddc8631bc86909adfe0d8e)
---
 distribution/server/src/assemble/LICENSE.bin.txt |  2 +-
 pom.xml                                          | 40 ++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
index e34de9f330f..4dd4d2b8560 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -432,7 +432,7 @@ The Apache Software License, Version 2.0
  * SnakeYaml -- org.yaml-snakeyaml-2.0.jar
  * RocksDB - org.rocksdb-rocksdbjni-7.9.2.jar
  * Google Error Prone Annotations - com.google.errorprone-error_prone_annotations-2.45.0.jar
- * Apache Thrift - org.apache.thrift-libthrift-0.14.2.jar
+ * Apache Thrift - org.apache.thrift-libthrift-0.23.0.jar
  * OkHttp3
     - com.squareup.okhttp3-logging-interceptor-5.3.1.jar
     - com.squareup.okhttp3-okhttp-5.3.1.jar
diff --git a/pom.xml b/pom.xml
index 2555b72f55e..01650afcdd1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -302,6 +302,7 @@ flexible messaging model and an intuitive client API.</description>
     <ant.version>1.10.12</ant.version>
     <seancfoley.ipaddress.version>5.5.0</seancfoley.ipaddress.version>
     <disruptor.version>3.4.3</disruptor.version>
+    <thrift.version>0.23.0</thrift.version>
     <!-- zstd-jni is only used for testcase, the core logic is switched to java implementation of zstd in org.apache.commons:commons-compress -->
@@ -1351,6 +1352,45 @@ flexible messaging model and an intuitive client API.</description>
         </exclusion>
       </exclusions>
     </dependency>
+    <!-- libthrift is a transitive dependency of distributedlog-core.
+         libthrift 0.23.0 upgraded to jakarta.* and HttpComponents 5 deps for its HTTP/servlet
+         transports, which distributedlog-core does not use (only TJSON/TMemory serialization is needed). !-->
+    <dependency>
+      <groupId>org.apache.thrift</groupId>
+      <artifactId>libthrift</artifactId>
+      <version>${thrift.version}</version>
+      <exclusions>
+        <!-- Only TJSON/TMemory APIs are used; exclude HTTP/servlet transports and their transitives -->
+        <exclusion>
+          <groupId>org.apache.tomcat.embed</groupId>
+          <artifactId>tomcat-embed-core</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>javax.annotation</groupId>
+          <artifactId>javax.annotation-api</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>jakarta.annotation</groupId>
+          <artifactId>jakarta.annotation-api</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>jakarta.servlet</groupId>
+          <artifactId>jakarta.servlet-api</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.apache.httpcomponents.client5</groupId>
+          <artifactId>httpclient5</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.apache.httpcomponents.core5</groupId>
+          <artifactId>httpcore5</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.apache.httpcomponents.core5</groupId>
+          <artifactId>httpcore5-h2</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
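Review bot: The three-line comment that introduces the new libthrift entry closes with `!-->` instead of `-->`; that is still well-formed XML (the `!` simply becomes the last character of the comment text), but it reads as a typo and is inconsistent with the `<!-- Only TJSON/TMemory APIs are used; ... -->` comment a few lines below, so the line should end `... (only TJSON/TMemory serialization is needed). -->`. The hunk header announces six context lines but only five are visible here, so the trailing context of this hunk appears to be cut off in this view.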
