From 70f3faf8cdbf446cf07750a7fbc3702c53adaaae Mon Sep 17 00:00:00 2001
From: Martijn Visser
Date: Wed, 11 Oct 2023 11:48:50 +0200
Subject: [PATCH 1/2] [FLINK-33238][Formats/Avro] Upgrade used AVRO version to 1.11.3 to mitigate scanners flagging Flink or the Flink Kafka connector as vulnerable for CVE-2023-39410
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 607916de5..cf97f1239 100644
--- a/pom.xml
+++ b/pom.xml
@@ -68,7 +68,7 @@ under the License.
 2.12.7 2.12.7 1.1.10.5
- 1.11.1
+ 1.11.3
 false 1.17.0
From 700273216cdea06e5374b967f6e2e52c3e33cf9c Mon Sep 17 00:00:00 2001
From: Martijn Visser
Date: Wed, 11 Oct 2023 20:41:55 +0200
Subject: [PATCH 2/2] [FLINK-33238][Formats/Avro] Pin transitive dependency org.apache.commons:commons-compress to 1.22 to address dependency convergence
---
 pom.xml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/pom.xml b/pom.xml
index cf97f1239..ff8efac36 100644
--- a/pom.xml
+++ b/pom.xml
@@ -405,6 +405,13 @@ under the License.
 2.1
+
+
+ org.apache.commons
+ commons-compress
+ 1.22
+
+
 org.testcontainers testcontainers-bom
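Review bot: The added `org.apache.commons:commons-compress` entry in the second hunk hard-codes `1.22`, and because it appears to sit in the dependency-management block (it is followed by the `testcontainers-bom` entry) it overrides the version for every module and transitive path, not only the Avro one. A pin added for convergence tends to outlive its reason and then holds back later commons-compress releases, including fixes to its archive parsing, until someone edits this line by hand. I would move the version into a property beside the other version properties touched in the first hunk, e.g. `<commons-compress.version>1.22</commons-compress.version>`, and add a comment such as `<!-- Pinned for dependency convergence after the Avro 1.11.3 upgrade (FLINK-33238); re-check when Avro is next bumped -->`. The extracted page has lost the XML markup, so an existing comment on the first added line may simply not be visible here.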