From 55ec4699d2e6e09a01afcdfbec446abe2cf67eed Mon Sep 17 00:00:00 2001
From: slfan1989 <55643692+slfan1989@users.noreply.github.com>
Date: Tue, 2 Apr 2024 21:26:11 +0800
Subject: [PATCH] [FLINK-34955] Upgrade commons-compress to 1.26.0.
Addresses 2 CVEs as described at https://mvnrepository.com/artifact/org.apache.commons/commons-compress.
---
flink-dist/src/main/resources/META-INF/NOTICE | 4 ++--
flink-end-to-end-tests/flink-sql-client-test/pom.xml | 7 +++++++
.../src/main/resources/META-INF/NOTICE | 4 ++--
.../src/main/resources/META-INF/NOTICE | 4 ++--
.../src/main/resources/META-INF/NOTICE | 4 ++--
.../src/main/resources/META-INF/NOTICE | 3 ++-
.../src/main/resources/META-INF/NOTICE | 2 +-
flink-python/pom.xml | 12 ++++++++++++
.../src/main/resources/META-INF/NOTICE | 2 +-
pom.xml | 5 +++--
10 files changed, 34 insertions(+), 13 deletions(-)
diff --git a/flink-dist/src/main/resources/META-INF/NOTICE b/flink-dist/src/main/resources/META-INF/NOTICE
index 8eb3dbc5dc798..bb94111ed64b0 100644
--- a/flink-dist/src/main/resources/META-INF/NOTICE
+++ b/flink-dist/src/main/resources/META-INF/NOTICE
@@ -11,8 +11,8 @@ This project bundles the following dependencies under the Apache Software Licens
- com.ververica:frocksdbjni:6.20.3-ververica-2.0
- commons-cli:commons-cli:1.5.0
- commons-collections:commons-collections:3.2.2
-- commons-io:commons-io:2.11.0
-- org.apache.commons:commons-compress:1.21
+- commons-io:commons-io:2.15.1
+- org.apache.commons:commons-compress:1.26.0
- org.apache.commons:commons-lang3:3.12.0
- org.apache.commons:commons-math3:3.6.1
- org.apache.commons:commons-text:1.10.0
diff --git a/flink-end-to-end-tests/flink-sql-client-test/pom.xml b/flink-end-to-end-tests/flink-sql-client-test/pom.xml
index 5e816c6694366..d7c1c1dc567ba 100644
--- a/flink-end-to-end-tests/flink-sql-client-test/pom.xml
+++ b/flink-end-to-end-tests/flink-sql-client-test/pom.xml
@@ -69,6 +69,13 @@ under the License.
kafka
test
+
+
+ commons-codec
+ commons-codec
+ test
+
+
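Review bot: The commons-codec dependency added in this hunk, like the commons-lang3 dependency added in the flink-python/pom.xml hunk, carries no version element, so both resolve to the versions Flink manages centrally (the NOTICE files in this patch list commons-codec 1.15 and commons-lang3 3.12.0). commons-compress 1.26.0 declares its own versions of these libraries, which are presumably newer than the managed ones, so the upgrade should be checked against the managed versions rather than assumed compatible from the bundled version numbers alone. A short comment on the new entry such as `<!-- needed transitively by commons-compress 1.26.0; version managed in the root pom -->` would record why a test module now declares commons-codec directly. The enclosing `<dependencies>` element starts and ends outside the visible hunk lines.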
diff --git a/flink-filesystems/flink-fs-hadoop-shaded/src/main/resources/META-INF/NOTICE b/flink-filesystems/flink-fs-hadoop-shaded/src/main/resources/META-INF/NOTICE
index 0236725e0a47f..41d0788e3b70b 100644
--- a/flink-filesystems/flink-fs-hadoop-shaded/src/main/resources/META-INF/NOTICE
+++ b/flink-filesystems/flink-fs-hadoop-shaded/src/main/resources/META-INF/NOTICE
@@ -16,9 +16,9 @@ This project bundles the following dependencies under the Apache Software Licens
- com.google.j2objc:j2objc-annotations:1.1
- commons-beanutils:commons-beanutils:1.9.4
- commons-collections:commons-collections:3.2.2
-- commons-io:commons-io:2.11.0
+- commons-io:commons-io:2.15.1
- commons-logging:commons-logging:1.1.3
-- org.apache.commons:commons-compress:1.21
+- org.apache.commons:commons-compress:1.26.0
- org.apache.commons:commons-configuration2:2.1.1
- org.apache.commons:commons-lang3:3.12.0
- org.apache.commons:commons-text:1.10.0
diff --git a/flink-filesystems/flink-s3-fs-hadoop/src/main/resources/META-INF/NOTICE b/flink-filesystems/flink-s3-fs-hadoop/src/main/resources/META-INF/NOTICE
index c16ab1adc986d..5e66fa4612a1f 100644
--- a/flink-filesystems/flink-s3-fs-hadoop/src/main/resources/META-INF/NOTICE
+++ b/flink-filesystems/flink-s3-fs-hadoop/src/main/resources/META-INF/NOTICE
@@ -21,10 +21,10 @@ This project bundles the following dependencies under the Apache Software Licens
- commons-beanutils:commons-beanutils:1.9.4
- commons-codec:commons-codec:1.15
- commons-collections:commons-collections:3.2.2
-- commons-io:commons-io:2.11.0
+- commons-io:commons-io:2.15.1
- commons-logging:commons-logging:1.1.3
- joda-time:joda-time:2.5
-- org.apache.commons:commons-compress:1.21
+- org.apache.commons:commons-compress:1.26.0
- org.apache.commons:commons-configuration2:2.1.1
- org.apache.commons:commons-lang3:3.12.0
- org.apache.commons:commons-text:1.10.0
diff --git a/flink-filesystems/flink-s3-fs-presto/src/main/resources/META-INF/NOTICE b/flink-filesystems/flink-s3-fs-presto/src/main/resources/META-INF/NOTICE
index 3356afa220538..eccf85b9a1a3c 100644
--- a/flink-filesystems/flink-s3-fs-presto/src/main/resources/META-INF/NOTICE
+++ b/flink-filesystems/flink-s3-fs-presto/src/main/resources/META-INF/NOTICE
@@ -30,13 +30,13 @@ This project bundles the following dependencies under the Apache Software Licens
- commons-beanutils:commons-beanutils:1.9.4
- commons-codec:commons-codec:1.15
- commons-collections:commons-collections:3.2.2
-- commons-io:commons-io:2.11.0
+- commons-io:commons-io:2.15.1
- commons-logging:commons-logging:1.1.3
- io.airlift:slice:0.38
- io.airlift:units:1.3
- joda-time:joda-time:2.5
- org.alluxio:alluxio-shaded-client:2.7.3
-- org.apache.commons:commons-compress:1.21
+- org.apache.commons:commons-compress:1.26.0
- org.apache.commons:commons-configuration2:2.1.1
- org.apache.commons:commons-lang3:3.12.0
- org.apache.commons:commons-text:1.10.0
diff --git a/flink-formats/flink-sql-avro-confluent-registry/src/main/resources/META-INF/NOTICE b/flink-formats/flink-sql-avro-confluent-registry/src/main/resources/META-INF/NOTICE
index f4fd1a6308df5..c826460c9116e 100644
--- a/flink-formats/flink-sql-avro-confluent-registry/src/main/resources/META-INF/NOTICE
+++ b/flink-formats/flink-sql-avro-confluent-registry/src/main/resources/META-INF/NOTICE
@@ -14,7 +14,8 @@ This project bundles the following dependencies under the Apache Software Licens
- io.confluent:common-utils:7.2.2
- io.confluent:kafka-schema-registry-client:7.2.2
- org.apache.avro:avro:1.11.3
-- org.apache.commons:commons-compress:1.21
+- org.apache.commons:commons-compress:1.26.0
+- org.apache.commons:commons-lang3:3.12.0
- org.apache.kafka:kafka-clients:7.2.2-ccs
- org.glassfish.jersey.core:jersey-common:2.30
- org.xerial.snappy:snappy-java:1.1.10.4
diff --git a/flink-formats/flink-sql-avro/src/main/resources/META-INF/NOTICE b/flink-formats/flink-sql-avro/src/main/resources/META-INF/NOTICE
index 4cf05a46b4a55..fa88a91991a51 100644
--- a/flink-formats/flink-sql-avro/src/main/resources/META-INF/NOTICE
+++ b/flink-formats/flink-sql-avro/src/main/resources/META-INF/NOTICE
@@ -10,4 +10,4 @@ This project bundles the following dependencies under the Apache Software Licens
- com.fasterxml.jackson.core:jackson-core:2.14.3
- com.fasterxml.jackson.core:jackson-databind:2.14.3
- com.fasterxml.jackson.core:jackson-annotations:2.14.3
-- org.apache.commons:commons-compress:1.21
+- org.apache.commons:commons-compress:1.26.0
diff --git a/flink-python/pom.xml b/flink-python/pom.xml
index 1de01168204a2..5223b53b4d69a 100644
--- a/flink-python/pom.xml
+++ b/flink-python/pom.xml
@@ -368,6 +368,18 @@ under the License.
test
+
+ commons-io
+ commons-io
+ ${commons.io.version}
+ test
+
+
+
+ org.apache.commons
+ commons-lang3
+
+
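Review bot: The commons-lang3 dependency at the end of this hunk has no scope element, unlike the commons-io entry just above it, so it takes Maven's default compile scope and lands on flink-python's runtime classpath. If that is deliberate because commons-compress 1.26.0 needs it, a one-line comment saying so would make the intent clear, and if flink-python bundles its dependencies its own NOTICE file (not touched by this patch) would need a commons-lang3 line, as the flink-sql-avro-confluent-registry NOTICE receives in this patch. The enclosing `<dependencies>` element continues past the visible hunk lines.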
diff --git a/flink-table/flink-table-planner/src/main/resources/META-INF/NOTICE b/flink-table/flink-table-planner/src/main/resources/META-INF/NOTICE
index b792e12018be4..6ddda17587012 100644
--- a/flink-table/flink-table-planner/src/main/resources/META-INF/NOTICE
+++ b/flink-table/flink-table-planner/src/main/resources/META-INF/NOTICE
@@ -12,7 +12,7 @@ This project bundles the following dependencies under the Apache Software Licens
- org.apache.calcite:calcite-linq4j:1.32.0
- org.apache.calcite.avatica:avatica-core:1.22.0
- commons-codec:commons-codec:1.15
-- commons-io:commons-io:2.11.0
+- commons-io:commons-io:2.15.1
This project bundles the following dependencies under the MIT License. (http://www.opensource.org/licenses/mit-license.php)
diff --git a/pom.xml b/pom.xml
index af682b015978c..1b1f5babe3741 100644
--- a/pom.xml
+++ b/pom.xml
@@ -160,6 +160,7 @@ under the License.
3.14.9
1.18.3
1.8.0
+ 2.15.1
false
validate
@@ -722,7 +723,7 @@ under the License.
org.apache.commons
commons-compress
- 1.21
+ 1.26.0