Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[fix][sec] Upgrade rabbitmq client to address CVE-2023-46120 #21619

Merged
merged 4 commits into from
Nov 27, 2023
Merged

[fix][sec] Upgrade rabbitmq client to address CVE-2023-46120 #21619

merged 4 commits into from
Nov 27, 2023

Conversation

liangyepianzhou
Copy link
Contributor

Motivation

owasp-dependency-check failed due to CVE-2023-46120.
All the releases between 5.5.3 and 5.18.0 are maintenance releases with usability improvement, bug fixes, and dependency upgrades. All users are encouraged to upgrade.

Release notes:
https://github.com/rabbitmq/rabbitmq-java-client/releases?page=3

Modifications

Upgrade rabbitmq client to 5.18.0.

Verifying this change

  • Make sure that the change passes the CI checks.

(Please pick either of the following options)

This change is a trivial rework / code cleanup without any test coverage.

(or)

This change is already covered by existing tests, such as (please describe tests).

(or)

This change added tests and can be verified as follows:

(example:)

  • Added integration tests for end-to-end deployment with large payloads (10MB)
  • Extended integration test for recovery after broker failure

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository:

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Nov 24, 2023
@liangyepianzhou liangyepianzhou self-assigned this Nov 24, 2023
@poorbarcode poorbarcode added this to the 3.2.0 milestone Nov 25, 2023
@lhotari
Copy link
Member

lhotari commented Nov 25, 2023

/pulsarbot rerun-failure-checks

Technoboy- and others added 3 commits November 27, 2023 14:17
@Technoboy-
fix
50bc00a
@Technoboy-
fix
5daef63
@liangyepianzhou
fix:exclusive rabbitmq client from metrics-graphite
7fb351e 
1. Add exclusive in pom.xml
2. Remove amqp-client-5.18.0.jar from LICENSE and LICENSE.bin.txt. Because the presto-distribution and pulsar-server-distribution does not contain the dependency of pulsar-io-rabbitmq
lhotari
lhotari approved these changes Nov 27, 2023
View reviewed changes
Copy link
Member

@lhotari lhotari left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Good work!

@Technoboy- Technoboy- merged commit 697c168 into apache:master Nov 27, 2023
47 of 49 checks passed
@liangyepianzhou liangyepianzhou deleted the xy-upgrade-rabbitmq-client branch November 27, 2023 13:23
Technoboy- added a commit that referenced this pull request Nov 28, 2023
@liangyepianzhou @Technoboy-
[fix][sec] Upgrade rabbitmq client to address CVE-2023-46120 (#21619)
e6bebab 
Co-authored-by: Jiwe Guo <technoboy@apache.org>
liangyepianzhou added a commit that referenced this pull request Nov 29, 2023
@liangyepianzhou
[fix][sec] Upgrade rabbitmq client to address CVE-2023-46120 (#21619)
0344814 
Co-authored-by: Jiwe Guo <technoboy@apache.org>
(cherry picked from commit 697c168)
nikhil-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 20, 2023
@liangyepianzhou @Technoboy- @nikhil-ctds
[fix][sec] Upgrade rabbitmq client to address CVE-2023-46120 (apache#…
8f4132c 
…21619)

Co-authored-by: Jiwe Guo <technoboy@apache.org>
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 20, 2023
@liangyepianzhou @Technoboy- @srinath-ctds
[fix][sec] Upgrade rabbitmq client to address CVE-2023-46120 (apache#…
028b491 
…21619)

Co-authored-by: Jiwe Guo <technoboy@apache.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lhotari lhotari lhotari approved these changes

@RobertIndie RobertIndie RobertIndie approved these changes

@poorbarcode poorbarcode poorbarcode approved these changes

Assignees

@liangyepianzhou liangyepianzhou

Labels
cherry-picked/branch-3.0 cherry-picked/branch-3.1 doc-not-needed Your PR changes do not impact docs release/2.9.5 release/2.10.7 release/2.11.5 release/3.0.3 release/3.1.2
Projects
None yet
Milestone
3.2.0
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@liangyepianzhou @lhotari @RobertIndie @poorbarcode @Technoboy-