Upgrade snappy-java to address multiple CVEs (#3993)

Address multiple CVEs: CVE-2023-34453 CVE-2023-34454 CVE-2023-34455 See https://github.com/xerial/snappy-java/releases/tag/v1.1.10.1 (cherry picked from commit 5ca8d83)
apache · Dec 7, 2023 · 18a9ec5 · 18a9ec5
1 parent bcd7f67
commit 18a9ec5
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 7 deletions.
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
@@ -311,7 +311,7 @@ Apache Software License, Version 2.
 - lib/io.dropwizard.metrics-metrics-jvm-4.1.12.1.jar [47]
 - lib/io.perfmark-perfmark-api-0.25.0.jar [48]
 - lib/org.conscrypt-conscrypt-openjdk-uber-2.5.2.jar [49]
-- lib/org.xerial.snappy-snappy-java-1.1.7.7.jar [50]
+- lib/org.xerial.snappy-snappy-java-1.1.10.1.jar [50]
 - lib/io.reactivex.rxjava3-rxjava-3.0.1.jar [51]
 - lib/org.hdrhistogram-HdrHistogram-2.1.10.jar [52]
 
@@ -361,7 +361,7 @@ Apache Software License, Version 2.
 [47] Source available at https://github.com/dropwizard/metrics/releases/tag/v4.1.12.1
 [48] Source available at https://github.com/perfmark/perfmark/releases/tag/v0.26.0
 [49] Source available at https://github.com/google/conscrypt/releases/tag/2.5.2
-[50] Source available at https://github.com/google/snappy/releases/tag/1.1.7.7
+[50] Source available at https://github.com/xerial/snappy-java/releases/tag/v1.1.10.1
 [51] Source available at https://github.com/ReactiveX/RxJava/tree/v3.0.1
 [52] Source available at https://github.com/HdrHistogram/HdrHistogram/tree/HdrHistogram-2.1.10
 

diff --git a/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
@@ -287,7 +287,7 @@ Apache Software License, Version 2.
 - lib/io.dropwizard.metrics-metrics-core-4.1.12.1.jar [46]
 - lib/io.perfmark-perfmark-api-0.25.0.jar [47]
 - lib/org.conscrypt-conscrypt-openjdk-uber-2.5.2.jar [49]
-- lib/org.xerial.snappy-snappy-java-1.1.7.7.jar [50]
+- lib/org.xerial.snappy-snappy-java-1.1.10.1.jar [50]
 - lib/io.reactivex.rxjava3-rxjava-3.0.1.jar [51]
 
 [1] Source available at https://github.com/FasterXML/jackson-annotations/tree/jackson-annotations-2.13.4
@@ -328,7 +328,7 @@ Apache Software License, Version 2.
 [46] Source available at https://github.com/dropwizard/metrics/releases/tag/v4.1.12.1
 [47] Source available at https://github.com/perfmark/perfmark/releases/tag/v0.26.0
 [49] Source available at https://github.com/google/conscrypt/releases/tag/2.5.2
-[50] Source available at https://github.com/google/snappy/releases/tag/1.1.7.7
+[50] Source available at https://github.com/xerial/snappy-java/releases/tag/v1.1.10.1
 [51] Source available at https://github.com/ReactiveX/RxJava/tree/v3.0.1
 
 ------------------------------------------------------------------------------------

diff --git a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
@@ -308,7 +308,7 @@ Apache Software License, Version 2.
 - lib/io.dropwizard.metrics-metrics-core-4.1.12.1.jar [47]
 - lib/io.perfmark-perfmark-api-0.25.0.jar [48]
 - lib/org.conscrypt-conscrypt-openjdk-uber-2.5.2.jar [49]
-- lib/org.xerial.snappy-snappy-java-1.1.7.7.jar [50]
+- lib/org.xerial.snappy-snappy-java-1.1.10.1.jar [50]
 - lib/io.reactivex.rxjava3-rxjava-3.0.1.jar [51]
 
 [1] Source available at https://github.com/FasterXML/jackson-annotations/tree/jackson-annotations-2.13.4
@@ -357,7 +357,7 @@ Apache Software License, Version 2.
 [47] Source available at https://github.com/dropwizard/metrics/releases/tag/v4.1.12.1
 [48] Source available at https://github.com/perfmark/perfmark/releases/tag/v0.26.0
 [49] Source available at https://github.com/google/conscrypt/releases/tag/2.5.2
-[50] Source available at https://github.com/google/snappy/releases/tag/1.1.7.7
+[50] Source available at https://github.com/xerial/snappy-java/releases/tag/v1.1.10.1
 [51] Source available at https://github.com/ReactiveX/RxJava/tree/v3.0.1
 
 ------------------------------------------------------------------------------------

diff --git a/pom.xml b/pom.xml
@@ -177,7 +177,7 @@
     <testcontainers.version>1.15.1</testcontainers.version>
     <vertx.version>3.9.8</vertx.version>
     <zookeeper.version>3.8.0</zookeeper.version>
-    <snappy.version>1.1.7.7</snappy.version>
+    <snappy.version>1.1.10.1</snappy.version>
     <jctools.version>2.1.2</jctools.version>
     <!-- plugin dependencies -->
     <apache-rat-plugin.version>0.12</apache-rat-plugin.version>