Conversation

@Bughue Bughue (Contributor) commented Dec 19, 2022

  • I have registered the PR changes.

Ⅰ. Describe what this PR did

There are quite a few dependencies at vulnerable versions that need to be removed or replaced.
https://mvnrepository.com/artifact/io.seata/seata-all/1.6.0

jackson-databind
Version: 2.11.4 >> 2.13.4.1
CVE-2022-42004
CVE-2022-42003

protobuf-java
Version: 3.11.4 >> 3.16.3
CVE-2022-3509
CVE-2022-3171

postgresql
Version: 42.1.4 >> 42.3.3
CVE-2022-26520
CVE-2022-21724

spring-framework
Version: 5.3.18 >> 5.3.20
CVE-2022-22971

nacos (not changed yet)
CVE-2021-43116
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43116

dubbo
Version: 2.6.5 >> 2.6.10
CVE-2021-30179
CVE-2021-25640

guava
Version: 27.0.1-jre >> 30.1-jre
CVE-2020-8908

mysql-connector-java
Version: 5.1.35 >> 5.1.42
CVE-2019-2692
CVE-2017-3589
CVE-2017-3523

Ⅱ. Does this pull request fix one issue?

fixes #5171

Ⅲ. Why don't you add test cases (unit test/integration test)?

Ⅳ. Describe how to verify it

Ⅴ. Special notes for reviews
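Added example, not part of this PR or of the Seata project: a small script that checks `mvn dependency:list` output against the minimum versions listed in the description above. A version bump in a parent pom only helps if the resolved tree actually reflects it (a transitive dependency can still pull in an older artifact), so a reviewer can run this over the real listing to confirm. The version thresholds are the ones stated in the PR; the Maven groupIds, the `spring-*` prefix rule for Spring Framework artifacts, and the sample listing are assumptions constructed for this example. The version comparison is a simplified approximation of Maven's `ComparableVersion` ordering, enough for the versions named here.

```python
import re
from typing import Dict, List, Tuple

# Minimum safe versions as stated in the PR description.
# groupIds are an assumption of this example (the PR names artifacts only);
# Spring Framework is matched by groupId plus a "spring-*" artifactId prefix.
MIN_VERSIONS: List[Tuple[str, str, str]] = [
    # (groupId, artifactId regex, minimum version)
    ("com.fasterxml.jackson.core", r"^jackson-databind$", "2.13.4.1"),
    ("com.google.protobuf", r"^protobuf-java$", "3.16.3"),
    ("org.postgresql", r"^postgresql$", "42.3.3"),
    ("org.springframework", r"^spring-", "5.3.20"),
    ("com.alibaba", r"^dubbo$", "2.6.10"),
    ("com.google.guava", r"^guava$", "30.1-jre"),
    ("mysql", r"^mysql-connector-java$", "5.1.42"),
]

# Constructed sample of `mvn dependency:list` output; not captured from Seata.
SAMPLE_LISTING = """\
[INFO] --- maven-dependency-plugin:3.3.0:list (default-cli) @ sample-app ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
[INFO]    com.google.protobuf:protobuf-java:jar:3.16.3:compile
[INFO]    org.postgresql:postgresql:jar:42.3.3:runtime
[INFO]    org.springframework:spring-core:jar:5.3.18:compile
[INFO]    org.springframework:spring-web:jar:5.3.20:compile
[INFO]    com.alibaba:dubbo:jar:2.6.10:compile
[INFO]    com.google.guava:guava:jar:27.0.1-jre:compile
[INFO]    mysql:mysql-connector-java:jar:5.1.42:runtime
[INFO]    io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.86.Final:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.36:compile
"""

# A coordinate line: "[INFO]    group:artifact:type[:classifier]:version:scope"
DEP_LINE = re.compile(r"^\[INFO\]\s+(\S+:\S+)")


def _tokens(version: str) -> List[Tuple[int, object]]:
    """Split a version into comparable tokens. Numeric parts sort after
    qualifiers (so 1.0-alpha < 1.0) and missing trailing parts count as 0.
    Simplified approximation of Maven's ComparableVersion ordering."""
    out: List[Tuple[int, object]] = []
    for part in re.split(r"[.\-]", version):
        out.append((1, int(part)) if part.isdigit() else (0, part.lower()))
    return out


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b."""
    ta, tb = _tokens(a), _tokens(b)
    n = max(len(ta), len(tb))
    ta += [(1, 0)] * (n - len(ta))
    tb += [(1, 0)] * (n - len(tb))
    return (ta > tb) - (ta < tb)


def parse_dependency_list(listing: str) -> List[Dict[str, str]]:
    """Extract resolved coordinates from `mvn dependency:list` output,
    skipping plugin banners and the 'The following files...' header."""
    deps: List[Dict[str, str]] = []
    for line in listing.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        if len(parts) == 5:
            group, artifact, _type, version, scope = parts
        elif len(parts) == 6:  # classifier present, e.g. linux-x86_64
            group, artifact, _type, _classifier, version, scope = parts
        else:
            continue
        deps.append({"group": group, "artifact": artifact,
                     "version": version, "scope": scope})
    return deps


def find_outdated(listing: str) -> List[Dict[str, str]]:
    """Return every resolved artifact that is below its minimum version."""
    findings: List[Dict[str, str]] = []
    for dep in parse_dependency_list(listing):
        for group, pattern, minimum in MIN_VERSIONS:
            if dep["group"] == group and re.search(pattern, dep["artifact"]):
                if compare_versions(dep["version"], minimum) < 0:
                    findings.append({
                        "artifact": f'{group}:{dep["artifact"]}',
                        "resolved": dep["version"],
                        "minimum": minimum,
                        "scope": dep["scope"],
                    })
    return sorted(findings, key=lambda f: f["artifact"])


if __name__ == "__main__":
    for f in find_outdated(SAMPLE_LISTING):
        print(f'{f["artifact"]} resolved {f["resolved"]} < {f["minimum"]} ({f["scope"]})')
```

Against the constructed listing the script reports jackson-databind, guava and spring-core as still below threshold while the other upgraded artifacts pass. To check a real module, capture `mvn dependency:list` output to a file and pass its contents to `find_outdated`; anything reported there means the bump in `dependencyManagement` was not the version that actually resolved.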

@funky-eyes funky-eyes added this to the 1.6.1 milestone Dec 19, 2022
@Bughue Bughue changed the title fix vulnerabilities from dependencies in 1.6.0 [WIP] fix vulnerabilities from dependencies in 1.6.0 Dec 19, 2022
@codecov-commenter codecov-commenter commented Dec 19, 2022

Codecov Report

Merging #5172 (8da4ef7) into develop (a84bbcc) will increase coverage by 0.01%.
The diff coverage is n/a.

Impacted file tree graph

@@              Coverage Diff              @@
##             develop    #5172      +/-   ##
=============================================
+ Coverage      48.87%   48.88%   +0.01%     
- Complexity      4169     4172       +3     
=============================================
  Files            743      743              
  Lines          26521    26521              
  Branches        3294     3294              
=============================================
+ Hits           12963    12966       +3     
+ Misses         12158    12152       -6     
- Partials        1400     1403       +3     
Impacted Files Coverage Δ
...torage/file/store/FileTransactionStoreManager.java 56.27% <0.00%> (-0.65%) ⬇️
...erver/storage/file/session/FileSessionManager.java 47.77% <0.00%> (-0.64%) ⬇️
...rage/redis/store/RedisTransactionStoreManager.java 75.19% <0.00%> (+0.26%) ⬆️
...in/java/io/seata/server/session/GlobalSession.java 82.17% <0.00%> (+1.55%) ⬆️
...o/seata/server/session/SessionStatusValidator.java 61.53% <0.00%> (+7.69%) ⬆️

@slievrly slievrly removed this from the 1.6.1 milestone Dec 21, 2022
@Bughue Bughue changed the title [WIP] fix vulnerabilities from dependencies in 1.6.0 fix vulnerabilities from dependencies in 1.6.0 Dec 28, 2022
@Bughue Bughue changed the title fix vulnerabilities from dependencies in 1.6.0 optimize : fix vulnerabilities from dependencies in 1.6.0 Dec 29, 2022
@Bughue Bughue changed the title optimize : fix vulnerabilities from dependencies in 1.6.0 optimized : fix vulnerabilities from dependencies in 1.6.0 Dec 29, 2022
@Bughue Bughue changed the title optimized : fix vulnerabilities from dependencies in 1.6.0 optimize : fix vulnerabilities from dependencies in 1.6.0 Dec 29, 2022
@funky-eyes funky-eyes (Contributor) left a comment

LGTM

@slievrly slievrly changed the title optimize : fix vulnerabilities from dependencies in 1.6.0 security: fix some security vulnerabilities Jan 17, 2023
@wangliang181230 wangliang181230 (Contributor) left a comment

LGTM
Please also add it to change.md.

@Bughue Bughue (Contributor, Author) commented Jan 17, 2023

LGTM. Please also add it to change.md.

done

@slievrly slievrly (Member) left a comment

LGTM

@slievrly slievrly merged commit 24ccd99 into apache:develop Jan 17, 2023
@wangliang181230 wangliang181230 added this to the 1.7.0 milestone Feb 7, 2023
YvCeung pushed a commit to YvCeung/incubator-seata that referenced this pull request Dec 25, 2025
Development

Successfully merging this pull request may close these issues.

Vulnerabilities from dependencies in 1.6.0

5 participants