This is an automated email from the ASF dual-hosted git repository.

ckj pushed a commit to branch branch-0.6
in repository https://gitbox.apache.org/repos/asf/incubator-uniffle.git

commit d4532f458bcd2d25e7e0662cab59e3fd811ef62e
Author: Kaijie Chen <[email protected]>
AuthorDate: Wed Jan 11 10:07:15 2023 +0800

    [Deps] Bump slf4j to fix vulnerability in slf4j-log4j12 (#464)

    ### What changes were proposed in this pull request?

    Bump slf4j to 1.7.36 to fix vulnerability in slf4j-log4j12.

    Btw, slf4j:1.7.36 depends on reload4j:1.2.19 instead of log4j.

    ### Why are the changes needed?

    slf4j-log4j12:1.7.25 provides transitive vulnerable dependency log4j:1.2.17

    * CVE-2019-17571 9.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation
    * CVE-2021-4104 7.5 Deserialization of Untrusted Data vulnerability with medium severity found
    * CVE-2022-23302 8.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation
    * CVE-2022-23305 9.8 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability pending CVSS allocation
    * CVE-2022-23307 8.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation

    ### Does this PR introduce _any_ user-facing change?

    No.

    ### How was this patch tested?

    No need.
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml index e05da796..718af206 100644 --- a/pom.xml +++ b/pom.xml @@ -71,7 +71,7 @@ <roaring.bitmap.version>0.9.15</roaring.bitmap.version> <rss.shade.packageName>org.apache.uniffle</rss.shade.packageName> <skipDeploy>false</skipDeploy> - <slf4j.version>1.7.25</slf4j.version> + <slf4j.version>1.7.36</slf4j.version> <spotbugs.version>4.7.0</spotbugs.version> <spotbugs-maven-plugin.version>4.7.0.0</spotbugs-maven-plugin.version> <system-rules.version>1.19.0</system-rules.version>
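Review bot: the hunk raises only the `slf4j.version` property from 1.7.25 to 1.7.36, which drops log4j:log4j:1.2.17 from the build only if slf4j-log4j12 is the sole path by which that artifact is resolved; nothing in this one-line change shows that no other module, plugin or transitive dependency still declares `log4j:log4j`, and the "How was this patch tested? No need." answer leaves both that and the commit message's claim that 1.7.36 resolves to reload4j:1.2.19 unverified. Suggest attaching the output of `mvn dependency:tree -Dincludes=log4j:log4j` for the reactor to the PR, and adding a maven-enforcer `bannedDependencies` rule for `log4j:log4j` so the end-of-life 1.x artifact cannot return with a later version bump. Since the surrounding context shows a `rss.shade.packageName` property, the shaded jar should also be inspected for bundled `org/apache/log4j` classes, because whatever was resolved at build time is copied into that artifact.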

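The commit message above removes log4j 1.2.17 by bumping a single version property but records no verification. The following is an added example, not part of the Uniffle commit or of the project's build scripts: a small POSIX shell check that scans the text output of `mvn dependency:tree` and reports any line resolving to the log4j:log4j 1.2.x artifact. The two dependency trees it runs against are constructed samples shaped like Maven's output (the "before" tree still carries log4j via slf4j-log4j12:1.7.25, the "after" tree carries reload4j instead); the function names and the 0.6.0 module coordinates are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the Uniffle commit): detect a lingering
# log4j:log4j 1.2.x artifact in `mvn dependency:tree` output.

# Constructed sample trees, shaped like Maven's dependency:tree text.
# "Before" is the state the commit message describes (slf4j-log4j12:1.7.25
# pulling log4j:1.2.17); "after" is what the message claims for 1.7.36.
TREE_BEFORE='[INFO] org.apache.uniffle:rss-common:jar:0.6.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] \- org.slf4j:slf4j-log4j12:jar:1.7.25:compile
[INFO]    \- log4j:log4j:jar:1.2.17:compile'

TREE_AFTER='[INFO] org.apache.uniffle:rss-common:jar:0.6.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] \- org.slf4j:slf4j-log4j12:jar:1.7.36:compile
[INFO]    \- org.slf4j:slf4j-reload4j:jar:1.7.36:compile
[INFO]       \- ch.qos.reload4j:reload4j:jar:1.2.19:compile'

# Pattern for the end-of-life log4j 1.2.x line; reload4j uses a different
# groupId (ch.qos.reload4j), so it does not match.
LOG4J1_PATTERN='log4j:log4j:jar:1\.2\.'

# Print every tree line that resolves to log4j:log4j 1.2.x.
# Returns 0 when the tree is clean, 1 when at least one such line exists.
find_log4j1() {
    # $1: dependency:tree text
    hits=$(printf '%s\n' "$1" | grep -E "$LOG4J1_PATTERN" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Echo the number of matching lines (0 when clean).
count_log4j1() {
    # $1: dependency:tree text
    printf '%s\n' "$1" | grep -Ec "$LOG4J1_PATTERN" || true
}

# Demonstration on the constructed samples.
echo "before bump:"
find_log4j1 "$TREE_BEFORE" || echo "  -> vulnerable log4j 1.x still resolved"
echo "after bump:"
find_log4j1 "$TREE_AFTER" && echo "  -> clean, no log4j:log4j 1.2.x"

# Against a real checkout, feed the plugin's own output instead, e.g.:
#   find_log4j1 "$(mvn dependency:tree -Dincludes=log4j:log4j)"
```

The groupId-based pattern is deliberate: reload4j keeps the `org.apache.log4j` package names for compatibility, so matching on class names or on the `1.2.` version alone would flag the replacement as well; the Maven coordinate `log4j:log4j` is what distinguishes the unmaintained artifact from its drop-in fork.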