xqhu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/beam.git
The following commit(s) were added to refs/heads/master by this push:
new becfcf86ab6 Fix CVE-2025-48734, CVE-2024-13009 (#36106)
becfcf86ab6 is described below
commit becfcf86ab6f5c2f24986915fd0dfbbfd19de532
Author: Radosław Stankiewicz <[email protected]>
AuthorDate: Wed Sep 10 17:53:51 2025 +0200
Fix CVE-2025-48734, CVE-2024-13009 (#36106)
* update dependencies due to CVE-2024-13009 and CVE-2025-24970
* update dependency due to transitive dependency with CVE-2025-48734
* outstanding netty dependency.
* fix netty's CVE-2025-55163
* Revert "fix netty's CVE-2025-55163"
This reverts commit 874a77c9e5949bef9dd72ecc90ff8a6af749e0f9.
* revert netty
---
.../src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy | 2 +-
runners/google-cloud-dataflow-java/worker/build.gradle | 6 +++---
sdks/java/extensions/sql/hcatalog/build.gradle | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git
a/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
b/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
index d7ae0f60c2d..103405a5793 100644
--- a/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
+++ b/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
@@ -617,7 +617,7 @@ class BeamModulePlugin implements Plugin<Project> {
// [bomupgrader] determined by: io.grpc:grpc-netty, consistent with:
google_cloud_platform_libraries_bom
def grpc_version = "1.71.0"
def guava_version = "33.1.0-jre"
- def hadoop_version = "3.4.1"
+ def hadoop_version = "3.4.2"
def hamcrest_version = "2.1"
def influxdb_version = "2.19"
def httpclient_version = "4.5.13"
diff --git a/runners/google-cloud-dataflow-java/worker/build.gradle
b/runners/google-cloud-dataflow-java/worker/build.gradle
index fe7e3b93dd0..4068c5f88e4 100644
--- a/runners/google-cloud-dataflow-java/worker/build.gradle
+++ b/runners/google-cloud-dataflow-java/worker/build.gradle
@@ -131,7 +131,7 @@ applyJavaNature(
dependencies {
// We have to include jetty-server/jetty-servlet and all of
its transitive dependencies
// which includes several org.eclipse.jetty artifacts +
servlet-api
- include(dependency("org.eclipse.jetty:.*:9.4.54.v20240208"))
+ include(dependency("org.eclipse.jetty:.*:9.4.57.v20241219"))
include(dependency("javax.servlet:javax.servlet-api:3.1.0"))
}
relocate("org.eclipse.jetty",
getWorkerRelocatedPath("org.eclipse.jetty"))
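Review bot: The Jetty version `9.4.57.v20241219` is now hard-coded in three places: the shading pattern `include(dependency("org.eclipse.jetty:.*:9.4.57.v20241219"))` in this hunk and the two `implementation` lines in the next hunk (`@@ -200,8 +200,8 @@`). If a later security bump updates only the `implementation` lines, the include pattern would presumably stop matching the resolved artifacts, so Jetty could drop out of the shaded and relocated worker jar without a build error. I would define it once, e.g. `def jetty_version = "9.4.57.v20241219"`, and use `"org.eclipse.jetty:.*:$jetty_version"` and `"org.eclipse.jetty:jetty-server:$jetty_version"` at the call sites. A short comment beside it naming the advisory that motivated the pin would also help. The enclosing `dependencies { … }` closure starts and ends outside this hunk.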
@@ -200,8 +200,8 @@ dependencies {
compileOnly "org.conscrypt:conscrypt-openjdk-uber:2.5.1"
implementation "javax.servlet:javax.servlet-api:3.1.0"
- implementation "org.eclipse.jetty:jetty-server:9.4.54.v20240208"
- implementation "org.eclipse.jetty:jetty-servlet:9.4.54.v20240208"
+ implementation "org.eclipse.jetty:jetty-server:9.4.57.v20241219"
+ implementation "org.eclipse.jetty:jetty-servlet:9.4.57.v20241219"
implementation library.java.avro
implementation library.java.jackson_annotations
implementation library.java.jackson_core
diff --git a/sdks/java/extensions/sql/hcatalog/build.gradle
b/sdks/java/extensions/sql/hcatalog/build.gradle
index e8abf21b7c3..0a267a6f424 100644
--- a/sdks/java/extensions/sql/hcatalog/build.gradle
+++ b/sdks/java/extensions/sql/hcatalog/build.gradle
@@ -26,7 +26,7 @@ applyJavaNature(
)
def hive_version = "3.1.3"
-def netty_version = "4.1.51.Final"
+def netty_version = "4.1.110.Final"
/*
* We need to rely on manually specifying these evaluationDependsOn to ensure
that
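Review bot: Nothing next to `def netty_version = "4.1.110.Final"` records which advisory this pin addresses. The commit message cites CVE-2025-24970 and also reverts the fix for CVE-2025-55163, so the hunk alone does not show whether 4.1.110.Final is at or past the fixed release for either. That is worth checking against the Netty advisories, because a jump from 4.1.51.Final can also bring the module into the affected range of an issue introduced in a later release. I would add a comment above the definition such as `// pinned for <CVE id>; not yet covered: <CVE id, tracking issue>`, so the next dependency scan result can be triaged without re-reading the commit history.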