[Enhancement] Fix broker CVEs (#57620)

Signed-off-by: wyb <wybb86@gmail.com>
2025-04-03 16:20:56 +08:00 · 2025-04-03 16:20:56 +08:00 · 707c441bd3
parent c05b058f03
commit 707c441bd3
2 changed files with 27 additions and 1 deletions
--- a/fs_brokers/apache_hdfs_broker/src/broker-core/pom.xml
+++ b/fs_brokers/apache_hdfs_broker/src/broker-core/pom.xml
@ -133,6 +133,12 @@ under the License.
        <dependency>
            <groupId>org.apache.hadoop</groupId>
            <artifactId>hadoop-common</artifactId>
+            <exclusions>
+                <exclusion>
+                    <artifactId>avro</artifactId>
+                    <groupId>org.apache.avro</groupId>
+                </exclusion>
+            </exclusions>
        </dependency>

        <dependency>
@ -158,6 +164,12 @@ under the License.
            <artifactId>jackson-databind</artifactId>
        </dependency>

+        <!-- https://mvnrepository.com/artifact/org.apache.avro/avro/ -->
+        <dependency>
+            <groupId>org.apache.avro</groupId>
+            <artifactId>avro</artifactId>
+        </dependency>
+
        <!-- https://mvnrepository.com/artifact/junit/junit -->
        <dependency>
            <groupId>junit</groupId>
--- a/fs_brokers/apache_hdfs_broker/src/pom.xml
+++ b/fs_brokers/apache_hdfs_broker/src/pom.xml
@ -42,12 +42,13 @@ under the License.
        <maven.compiler.target>1.8</maven.compiler.target>
        <hadoop.version>3.4.0</hadoop.version>
        <guava.version>32.0.1-jre</guava.version>
-        <zookeeper.version>3.9.2</zookeeper.version>
+        <zookeeper.version>3.9.3</zookeeper.version>
        <protobuf.version>3.16.3</protobuf.version>
        <thrift.version>0.14.1</thrift.version>
        <tomcat.version>9.0.90</tomcat.version>
        <log4j.version>2.17.1</log4j.version>
        <jackson.version>2.13.4.2</jackson.version>
+        <avro.version>1.11.4</avro.version>
    </properties>

    <profiles>
@ -227,6 +228,12 @@ under the License.
                <groupId>org.apache.hadoop</groupId>
                <artifactId>hadoop-common</artifactId>
                <version>${hadoop.version}</version>
+                <exclusions>
+                    <exclusion>
+                        <artifactId>avro</artifactId>
+                        <groupId>org.apache.avro</groupId>
+                    </exclusion>
+                </exclusions>
            </dependency>

            <dependency>
@ -262,6 +269,13 @@ under the License.
                <version>${jackson.version}</version>
            </dependency>

+            <!-- https://mvnrepository.com/artifact/org.apache.avro/avro/ -->
+            <dependency>
+                <groupId>org.apache.avro</groupId>
+                <artifactId>avro</artifactId>
+                <version>${avro.version}</version>
+            </dependency>
+
            <!-- https://mvnrepository.com/artifact/junit/junit -->
            <dependency>
                <groupId>junit</groupId>