[To dev/1.3] Cherry-pick some CVE fixes (#16901)
* Bump logback version to 1.3.16 (#16671)
* Switch to at.yawk.lz4:lz4-java:1.10.0 (#16871)
* Upgrade netty and reactor (#16362)
* fix netty version
* Fix some dependency issues
* Fix build error
* Bump at.yawk.lz4:lz4-java from 1.10.0 to 1.10.1 (#16874)
Bumps [at.yawk.lz4:lz4-java](https://github.com/yawkat/lz4-java) from 1.10.0 to 1.10.1.
- [Release notes](https://github.com/yawkat/lz4-java/releases)
- [Changelog](https://github.com/yawkat/lz4-java/blob/main/CHANGES.md)
- [Commits](https://github.com/yawkat/lz4-java/compare/v1.10.0...v1.10.1)
---
updated-dependencies:
- dependency-name: at.yawk.lz4:lz4-java
dependency-version: 1.10.1
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix error
* fix error
* fix compile error
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
diff --git a/LICENSE-binary b/LICENSE-binary
index c088b00..a7df19a 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -213,33 +213,33 @@
The binary distribution of this product bundles these dependencies under the
following license. See licenses/ for text of these licenses.
-Apache Software Foundation License 2.0
+Apache License 2.0
--------------------------------------
commons-cli:commons-cli:1.5.0
commons-codec:commons-codec:1.16.1
org.apache.commons:commons-collections4:4.4
commons-io:commons-io:2.14.0
-org.apache.commons:commons-lang3:3.13.0
+org.apache.commons:commons-lang3:3.18.0
com.nimbusds:content-type:2.2
-com.google.code.gson:gson:2.10.1
+com.google.code.gson:gson:2.13.1
com.google.guava.guava:32.1.2-jre
-com.fasterxml.jackson.core:jackson-annotations:2.15.4
-com.fasterxml.jackson.core:jackson-core:2.15.4
-com.fasterxml.jackson.core:jackson-databind:2.15.4
+com.fasterxml.jackson.core:jackson-annotations:2.16.2
+com.fasterxml.jackson.core:jackson-core:2.16.2
+com.fasterxml.jackson.core:jackson-databind:2.16.2
jakarta.inject:jakarta.inject:2.6.1
-org.lz4:lz4-java:1.8.0
+at.yawk.lz4:lz4-java:1.10.0
com.github.stephenc.jcip:jcip-annotations:1.0-1
com.github.ben-manes.caffeine:caffeine:2.9.3
-org.eclipse.jetty:jetty-http:9.4.56.v20240826
-org.eclipse.jetty:jetty-io:9.4.56.v20240826
-org.eclipse.jetty:jetty-security:9.4.56.v20240826
-org.eclipse.jetty:jetty-server:9.4.56.v20240826
-org.eclipse.jetty:jetty-servlet:9.4.56.v20240826
-org.eclipse.jetty:jetty-util:9.4.56.v20240826
-io.jsonwebtoken:jjwt-api:0.11.5
-io.jsonwebtoken:jjwt-impl:0.11.5
-io.jsonwebtoken:jjwt-jackson:0.11.5
-net.minidev:json-smart:2.5.0
+org.eclipse.jetty:jetty-http:9.4.57.v20241219
+org.eclipse.jetty:jetty-io:9.4.57.v20241219
+org.eclipse.jetty:jetty-security:9.4.57.v20241219
+org.eclipse.jetty:jetty-server:9.4.57.v20241219
+org.eclipse.jetty:jetty-servlet:9.4.57.v20241219
+org.eclipse.jetty:jetty-util:9.4.57.v20241219
+io.jsonwebtoken:jjwt-api:0.12.7
+io.jsonwebtoken:jjwt-impl:0.12.7
+io.jsonwebtoken:jjwt-jackson:0.12.7
+net.minidev:json-smart:2.5.2
com.google.code.findbugs:jsr305:3.0.2
com.nimbusds:lang-tag:1.7
com.librato.metrics:librato-java:2.1.0
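Review bot: The bundled-dependency list this hunk updates does not agree with the versions the same commit pins in pom.xml: `at.yawk.lz4:lz4-java:1.10.0` here versus `<lz4-java.version>1.10.1</lz4-java.version>`, and in the third hunk of this file `ch.qos.logback:logback-classic:1.3.15` / `ch.qos.logback:logback-core:1.3.15` versus `<logback.version>1.3.16</logback.version>`; `moquette-broker:0.18` also differs in form from `<moquette.version>0.18.0</moquette.version>`. LICENSE-binary is the statement of what the binary distribution actually ships, so these lines should read `at.yawk.lz4:lz4-java:1.10.1` and `ch.qos.logback:logback-classic:1.3.16` / `ch.qos.logback:logback-core:1.3.16`. The drift most likely comes from the later lz4 (#16874) and logback (#16671) bumps being cherry-picked without regenerating this file, which is worth a re-check of the whole list rather than only these lines.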
@@ -247,18 +247,19 @@
io.dropwizard.metrics:metrics-core:4.2.19
io.dropwizard.metrics:metrics-jvm:3.2.2
com.librato.metrics:metrics-librato:5.1.0
-de.fraunhofer.iosb.io.moquette:moquette-broker:0.17
-io.netty:netty-buffer:4.1.110.Final
-io.netty:netty-codec:4.1.110.Final
-io.netty:netty-codec-http:4.1.110.Final
-io.netty:netty-codec-mqtt:4.1.110.Final
-io.netty:netty-common:4.1.110.Final
-io.netty:netty-handler:4.1.110.Final
-io.netty:netty-resolver:4.1.110.Final
-io.netty:netty-transport:4.1.110.Final
-io.netty:netty-transport-native-epoll:4.1.110.Final:linux-x86_64
-io.netty:netty-transport-native-unix-common:4.1.110.Final
-com.nimbusds:nimbus-jose-jwt:9.37.3
+com.github.moquette-io.moquette:moquette-broker:0.18
+io.netty:netty-buffer:4.1.126.Final
+io.netty:netty-codec:4.1.126.Final
+io.netty:netty-codec-http:4.1.126.Final
+io.netty:netty-codec-mqtt:4.1.126.Final
+io.netty:netty-common:4.1.126.Final
+io.netty:netty-handler:4.1.126.Final
+io.netty:netty-resolver:4.1.126.Final
+io.netty:netty-transport:4.1.126.Final
+io.netty:netty-transport-native-epoll:4.1.126.Final:linux-aarch_64
+io.netty:netty-transport-native-epoll:4.1.126.Final:linux-x86_64
+io.netty:netty-transport-native-unix-common:4.1.126.Final
+com.nimbusds:nimbus-jose-jwt:9.37.4
com.nimbusds:oauth2-oidc-sdk:10.15
org.osgi:org.osgi.core:7.0.0
org.osgi:osgi.cmpn:7.0.0
@@ -289,8 +290,8 @@
EPL 1.0
------------
com.h2database:h2-mvstore:2.1.212
-ch.qos.logback:logback-classic:1.3.14
-ch.qos.logback:logback-core:1.3.14
+ch.qos.logback:logback-classic:1.3.15
+ch.qos.logback:logback-core:1.3.15
CDDL 1.1
diff --git a/NOTICE b/NOTICE
index 1e81e8b..fa52a36 100644
--- a/NOTICE
+++ b/NOTICE
@@ -1,5 +1,5 @@
Apache IoTDB
-Copyright 2018-2024 The Apache Software Foundation.
+Copyright 2018-2025 The Apache Software Foundation.
This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).
diff --git a/NOTICE-binary b/NOTICE-binary
index 1e81e8b..fa52a36 100644
--- a/NOTICE-binary
+++ b/NOTICE-binary
@@ -1,5 +1,5 @@
Apache IoTDB
-Copyright 2018-2024 The Apache Software Foundation.
+Copyright 2018-2025 The Apache Software Foundation.
This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).
diff --git a/iotdb-core/datanode/pom.xml b/iotdb-core/datanode/pom.xml
index b97a532..21e1114 100644
--- a/iotdb-core/datanode/pom.xml
+++ b/iotdb-core/datanode/pom.xml
@@ -174,10 +174,6 @@
<artifactId>jna-platform</artifactId>
</dependency>
<dependency>
- <groupId>io.jsonwebtoken</groupId>
- <artifactId>jjwt-api</artifactId>
- </dependency>
- <dependency>
<groupId>org.eclipse.milo</groupId>
<artifactId>stack-core</artifactId>
</dependency>
diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/thrift/impl/ClientRPCServiceImpl.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/thrift/impl/ClientRPCServiceImpl.java
index 09c2b1d..2cc1a66 100644
--- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/thrift/impl/ClientRPCServiceImpl.java
+++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/thrift/impl/ClientRPCServiceImpl.java
@@ -171,7 +171,6 @@
import org.apache.iotdb.service.rpc.thrift.TSyncTransportMetaInfo;
import io.airlift.units.Duration;
-import io.jsonwebtoken.lang.Strings;
import org.apache.commons.lang3.StringUtils;
import org.apache.thrift.TException;
import org.apache.tsfile.block.column.Column;
@@ -1151,7 +1150,7 @@
String database = req.getDatabase();
if (StringUtils.isEmpty(database)) {
- String[] splits = Strings.split(req.getDevice(), "\\.");
+ String[] splits = req.getDevice().split("\\.");
database = String.format("%s.%s", splits[0], splits[1]);
}
String deviceId = req.getDevice();
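Review bot: The replacement `req.getDevice().split("\\.")` still reads `splits[1]` unconditionally, so a client-supplied device string with fewer than two dot-separated segments (or an empty one) ends this RPC handler in an ArrayIndexOutOfBoundsException instead of the error status the handler returns for other malformed input; the fallback needs a guard such as `if (splits.length < 2)` that rejects the request the same way. The semantics changed as well as the library: if I read jjwt's `Strings.split(String, String)` correctly it split once at the first literal occurrence of its delimiter and returned null when absent, so with a literal `\.` delimiter the old line could only have dereferenced null, whereas `String.split` takes a regex and splits on every dot. The new form is presumably what was always intended, and a one-line comment saying so (`// database defaults to the first two segments of the device path when the request omits it`) would save the next reader from re-deriving it. The enclosing method starts and ends outside this hunk.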
diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/utils/datastructure/TVList.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/utils/datastructure/TVList.java
index 8fa7925..fedc383 100644
--- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/utils/datastructure/TVList.java
+++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/utils/datastructure/TVList.java
@@ -964,7 +964,7 @@
TSDataType dataType = getDataType();
int maxRowCountOfCurrentBatch =
Math.min(
- paginationController.hasLimit()
+ paginationController.hasSetLimit()
? (int) paginationController.getCurLimit()
: Integer.MAX_VALUE,
Math.min(maxNumberOfPointsInPage, rows - index));
diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/role/LocalFileRoleManagerTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/role/LocalFileRoleManagerTest.java
index b838ae2..29b7e41 100644
--- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/role/LocalFileRoleManagerTest.java
+++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/role/LocalFileRoleManagerTest.java
@@ -30,7 +30,6 @@
import org.apache.iotdb.db.utils.EnvironmentUtils;
import org.apache.iotdb.db.utils.constant.TestConstant;
-import io.jsonwebtoken.lang.Assert;
import org.apache.commons.io.FileUtils;
import org.junit.After;
import org.junit.Before;
@@ -171,8 +170,8 @@
}
}
}
- Assert.isTrue(manager.getRole("test").getPathPrivilegeList().size() == 4);
- Assert.isTrue(!manager.getRole("test").getServiceReady());
+ assertEquals(4, manager.getRole("test").getPathPrivilegeList().size());
+ assertFalse(manager.getRole("test").getServiceReady());
manager.checkAndRefreshPathPri();
// after refresh. we will have three path:
@@ -217,17 +216,17 @@
PartialPath path2 = new PartialPath("root.d.a");
for (PrivilegeType pri : item.getSubPri()) {
if (pri.isPathRelevant()) {
- Assert.isTrue(manager.getRole("test").checkPathPrivilege(path1, pri.ordinal()));
- Assert.isTrue(manager.getRole("test").checkPathPrivilege(path2, pri.ordinal()));
+ assertTrue(manager.getRole("test").checkPathPrivilege(path1, pri.ordinal()));
+ assertTrue(manager.getRole("test").checkPathPrivilege(path2, pri.ordinal()));
manager.getRole("test").removePathPrivilege(path1, pri.ordinal());
manager.getRole("test").removePathPrivilege(path2, pri.ordinal());
} else {
- Assert.isTrue(manager.getRole("test").checkSysPrivilege(pri.ordinal()));
+ assertTrue(manager.getRole("test").checkSysPrivilege(pri.ordinal()));
manager.getRole("test").removeSysPrivilege(pri.ordinal());
}
}
- Assert.isTrue(manager.getRole("test").getPathPrivilegeList().isEmpty());
- Assert.isTrue(manager.getRole("test").getSysPrivilege().isEmpty());
+ assertTrue(manager.getRole("test").getPathPrivilegeList().isEmpty());
+ assertTrue(manager.getRole("test").getSysPrivilege().isEmpty());
}
}
}
diff --git a/iotdb-core/metrics/interface/pom.xml b/iotdb-core/metrics/interface/pom.xml
index 3512c58..8dd39de 100644
--- a/iotdb-core/metrics/interface/pom.xml
+++ b/iotdb-core/metrics/interface/pom.xml
@@ -82,7 +82,6 @@
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-codec-http</artifactId>
- <version>4.1.119.Final</version>
</dependency>
<dependency>
<groupId>org.reactivestreams</groupId>
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
index 7bc7e7a..87c0e44 100644
--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
+++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
@@ -194,11 +194,11 @@
private Claims validateToken(String token) {
return Jwts.parser()
// Basically ignore the Expiration Date, if there is any???
- .setAllowedClockSkewSeconds(Long.MAX_VALUE / 1000)
- // .setSigningKey(DatatypeConverter.parseBase64Binary(secret))
- .setSigningKey(providerKey)
- .parseClaimsJws(token)
- .getBody();
+ .clockSkewSeconds(Long.MAX_VALUE / 1000)
+ .verifyWith(providerKey)
+ .build()
+ .parseSignedClaims(token)
+ .getPayload();
}
private String getUsername(Claims claims) {
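Review bot: The port keeps `.clockSkewSeconds(Long.MAX_VALUE / 1000)`, which makes the parser accept any `exp` and `nbf`, so a leaked or long-expired token from the identity provider keeps authenticating for as long as `providerKey` stays unchanged; the commit moves to the new jjwt API but leaves this lifetime check disabled. Since the line is being rewritten anyway, this is the place to choose a bounded skew, e.g. `.clockSkewSeconds(60)`, and to replace the "???" comment with the intended policy, e.g. `// Tolerate 60 s of clock skew against the provider; tokens outside exp/nbf are rejected.` If ignoring expiration is a deliberate product decision it should be stated as such in the comment rather than left as a question, because the next reader will otherwise assume it is an oversight. The whole of `validateToken` is inside this hunk.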
diff --git a/pom.xml b/pom.xml
index e4dd455..f6485d1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -60,6 +60,7 @@
<argLine/>
<awaitility.version>4.2.0</awaitility.version>
<boost.include.dir/>
+ <bouncycastle.version>1.81</bouncycastle.version>
<!-- This was the last version to support Java 8 -->
<caffeine.version>2.9.3</caffeine.version>
<cglib.version>3.3.0</cglib.version>
@@ -86,7 +87,7 @@
<fusesource-mqtt-client.version>1.16</fusesource-mqtt-client.version>
<!-- JDK1.8 only support google java format 1.7-->
<google.java.format.version>1.22.0</google.java.format.version>
- <gson.version>2.10.1</gson.version>
+ <gson.version>2.13.1</gson.version>
<guava.version>32.1.2-jre</guava.version>
<!-- This was the last version to support Java 8 -->
<h2.version>2.2.224</h2.version>
@@ -110,15 +111,15 @@
<jersey.version>2.40</jersey.version>
<!-- This was the last version to support Java 8 -->
<jetty.version>9.4.57.v20241219</jetty.version>
- <jjwt.version>0.11.5</jjwt.version>
+ <jjwt.version>0.12.7</jjwt.version>
<jline.version>3.26.2</jline.version>
<jna.version>5.14.0</jna.version>
<json-smart.version>2.5.2</json-smart.version>
<jtransforms.version>3.1</jtransforms.version>
<junit.version>4.13.2</junit.version>
<!-- This was the last version to support Java 8 -->
- <logback.version>1.3.15</logback.version>
- <lz4-java.version>1.8.0</lz4-java.version>
+ <logback.version>1.3.16</logback.version>
+ <lz4-java.version>1.10.1</lz4-java.version>
<maven.assembly.version>3.6.0</maven.assembly.version>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
@@ -129,8 +130,8 @@
<!-- This was the last version to support Java 8 -->
<!--mockito.version>4.11.0</mockito.version-->
<moquette.version>0.18.0</moquette.version>
- <netty.version>4.1.115.Final</netty.version>
- <nimbus-jose-jwt.version>9.37.3</nimbus-jose-jwt.version>
+ <netty.version>4.1.126.Final</netty.version>
+ <nimbus-jose-jwt.version>9.37.4</nimbus-jose-jwt.version>
<oauth2-oidc-sdk.version>10.15</oauth2-oidc-sdk.version>
<!-- This was the last version to support Java 8 -->
<openapi.generator.version>6.6.0</openapi.generator.version>
@@ -146,8 +147,8 @@
-->
<ratis.version>3.2.1</ratis.version>
<reactive-streams.version>1.0.4</reactive-streams.version>
- <reactor-netty.version>1.1.20</reactor-netty.version>
- <reactor.version>3.5.18</reactor.version>
+ <reactor-netty.version>1.2.9</reactor-netty.version>
+ <reactor.version>3.7.9</reactor.version>
<reflections.version>0.10.2</reflections.version>
<slf4j.version>2.0.9</slf4j.version>
<snappy-java.version>1.1.10.5</snappy-java.version>
@@ -175,7 +176,7 @@
<thrift.version>0.14.1</thrift.version>
<xz.version>1.9</xz.version>
<zstd-jni.version>1.5.6-3</zstd-jni.version>
- <tsfile.version>1.1.3-251028-SNAPSHOT</tsfile.version>
+ <tsfile.version>1.1.3-251212-SNAPSHOT</tsfile.version>
</properties>
<!--
if we claim dependencies in dependencyManagement, then we do not claim
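Review bot: `<tsfile.version>1.1.3-251212-SNAPSHOT</tsfile.version>` keeps the dev/1.3 branch pinned to a mutable SNAPSHOT artifact, so the tsfile bytes resolved for two builds of the same commit can differ and the CVE-fix set this cherry-pick claims cannot be reproduced or audited from the pom alone. The previous value was also a SNAPSHOT, so the commit does not introduce the problem, but it does make the pin take effect project-wide through the new `org.apache.tsfile:tsfile` entry in the dependencyManagement hunk below. The branch should move to a released tsfile version before it is cut, or at least carry `<!-- TODO: replace with a released tsfile version before the 1.3.x release -->` next to the property.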
@@ -311,7 +312,7 @@
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId>
- <version>1.78</version>
+ <version>${bouncycastle.version}</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
@@ -319,6 +320,11 @@
<version>${commons-io.version}</version>
</dependency>
<dependency>
+ <groupId>org.apache.tsfile</groupId>
+ <artifactId>tsfile</artifactId>
+ <version>${tsfile.version}</version>
+ </dependency>
+ <dependency>
<groupId>org.apache.ratis</groupId>
<artifactId>ratis-server</artifactId>
<version>${ratis.version}</version>
@@ -509,7 +515,7 @@
<version>${zstd-jni.version}</version>
</dependency>
<dependency>
- <groupId>org.lz4</groupId>
+ <groupId>at.yawk.lz4</groupId>
<artifactId>lz4-java</artifactId>
<version>${lz4-java.version}</version>
</dependency>
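Review bot: The groupId change from `org.lz4` to `at.yawk.lz4` moves the build to an artifact published under a different Maven namespace by a different party, and nothing in the pom records why; an XML comment above the dependency, e.g. `<!-- org.lz4:lz4-java replaced by the at.yawk.lz4 publication, see #16871 -->`, keeps the provenance decision reviewable. Because the two coordinates share the `lz4-java` artifactId but not the groupId, Maven will not treat them as the same module: if any module or transitive dependency still pulls `org.lz4:lz4-java`, both jars land on the classpath and, assuming the new artifact keeps the original package names, shadow each other unpredictably. A `mvn dependency:tree` check for the old coordinate, or a maven-enforcer-plugin `bannedDependencies` entry for `org.lz4:lz4-java`, would make the switch complete.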