dendi-wang/thingsboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #13577 from smatvienko-tb/rc-4.0.2-CVT-fixes

Browse Source 
CVE-2025-49146 postgresql.driver CVE-2025-27817 kafka client
This commit is contained in:
Viacheslav Klimov 2025-06-13 17:39:18 +03:00 committed by GitHub
commit bd94d6aa4c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 13 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
application/src/main/java/org/apache/kafka/common/network/NetworkReceive.java
View File

@ -103,13 +103,13 @@ public class NetworkReceive implements Receive {
if (maxSize != UNLIMITED && receiveSize > maxSize) { if (maxSize != UNLIMITED && receiveSize > maxSize) {
throw new ThingsboardKafkaClientError("Invalid receive (size = " + receiveSize + " larger than " + maxSize + ")"); throw new ThingsboardKafkaClientError("Invalid receive (size = " + receiveSize + " larger than " + maxSize + ")");
} }
requestedBufferSize = receiveSize; //may be 0 for some payloads (SASL) requestedBufferSize = receiveSize; // may be 0 for some payloads (SASL)
if (receiveSize == 0) { if (receiveSize == 0) {
buffer = EMPTY_BUFFER; buffer = EMPTY_BUFFER;
} }
} }
} }
if (buffer == null && requestedBufferSize != -1) { //we know the size we want but havent been able to allocate it yet if (buffer == null && requestedBufferSize != -1) { // we know the size we want but haven't been able to allocate it yet
if (requestedBufferSize > TB_LOG_REQUESTED_BUFFER_SIZE) { if (requestedBufferSize > TB_LOG_REQUESTED_BUFFER_SIZE) {
String stackTrace = Arrays.stream(Thread.currentThread().getStackTrace()).map(StackTraceElement::toString).collect(Collectors.joining("|")); String stackTrace = Arrays.stream(Thread.currentThread().getStackTrace()).map(StackTraceElement::toString).collect(Collectors.joining("|"));
log.error("Allocating buffer of size {} for source {}", requestedBufferSize, source); log.error("Allocating buffer of size {} for source {}", requestedBufferSize, source);

22
pom.xml
View File

@ -42,19 +42,19 @@
<jakarta.xml.bind-api.version>4.0.2</jakarta.xml.bind-api.version> <jakarta.xml.bind-api.version>4.0.2</jakarta.xml.bind-api.version>
<javax.xml.bind-api.version>2.4.0-b180830.0359</javax.xml.bind-api.version> <javax.xml.bind-api.version>2.4.0-b180830.0359</javax.xml.bind-api.version>
<jaxb-runtime.version>4.0.5</jaxb-runtime.version> <jaxb-runtime.version>4.0.5</jaxb-runtime.version>
<tomcat.version>10.1.40</tomcat.version> <!-- Vulnerability fix, Remove after update spring-boot to new version--> <tomcat.version>10.1.42</tomcat.version> <!-- Vulnerability fix, Remove after update spring-boot to new version-->
<net.minidev.json-smart>2.5.2</net.minidev.json-smart> <!-- Vulnerability fix, CVE-2024-57699, Remove after update spring-boot 3.2.12 to a newer version--> <net.minidev.json-smart>2.5.2</net.minidev.json-smart> <!-- Vulnerability fix, CVE-2024-57699, Remove after update spring-boot 3.2.12 to a newer version-->
<spring-boot.version>3.2.12</spring-boot.version> <spring-boot.version>3.2.12</spring-boot.version>
<spring-data.version>3.2.12</spring-data.version> <spring-data.version>3.2.12</spring-data.version>
<spring-data-redis.version>3.2.12</spring-data-redis.version> <spring-data-redis.version>3.2.12</spring-data-redis.version>
<spring.version>6.1.15</spring.version> <spring.version>6.1.21</spring.version>
<spring-redis.version>6.2.11</spring-redis.version> <spring-redis.version>6.2.11</spring-redis.version>
<spring-security.version>6.3.8</spring-security.version> <spring-security.version>6.3.9</spring-security.version>
<jedis.version>5.1.5</jedis.version> <jedis.version>5.1.5</jedis.version>
<jjwt.version>0.12.5</jjwt.version> <jjwt.version>0.12.5</jjwt.version>
<slf4j.version>2.0.13</slf4j.version> <slf4j.version>2.0.17</slf4j.version>
<log4j.version>2.23.1</log4j.version> <log4j.version>2.24.3</log4j.version>
<logback.version>1.5.5</logback.version> <logback.version>1.5.18</logback.version>
<rat.version>0.10</rat.version> <!-- unused --> <rat.version>0.10</rat.version> <!-- unused -->
<cassandra.version>4.17.0</cassandra.version> <cassandra.version>4.17.0</cassandra.version>
<metrics.version>4.2.25</metrics.version> <metrics.version>4.2.25</metrics.version>
@ -83,7 +83,7 @@
<freemarker.version>2.3.32</freemarker.version> <freemarker.version>2.3.32</freemarker.version>
<mail.version>2.0.1</mail.version> <mail.version>2.0.1</mail.version>
<curator.version>5.6.0</curator.version> <curator.version>5.6.0</curator.version>
<zookeeper.version>3.9.2</zookeeper.version> <zookeeper.version>3.9.3</zookeeper.version>
<protobuf.version>3.25.5</protobuf.version> <!-- A Major v4 does not support by the pubsub yet--> <protobuf.version>3.25.5</protobuf.version> <!-- A Major v4 does not support by the pubsub yet-->
<grpc.version>1.63.0</grpc.version> <grpc.version>1.63.0</grpc.version>
<tbel.version>1.2.6</tbel.version> <tbel.version>1.2.6</tbel.version>
@ -103,7 +103,7 @@
<jts.version>1.19.0</jts.version> <jts.version>1.19.0</jts.version>
<bouncycastle.version>1.78.1</bouncycastle.version> <bouncycastle.version>1.78.1</bouncycastle.version>
<winsw.version>2.0.1</winsw.version> <winsw.version>2.0.1</winsw.version>
<postgresql.driver.version>42.7.5</postgresql.driver.version> <postgresql.driver.version>42.7.7</postgresql.driver.version>
<sonar.exclusions>org/thingsboard/server/gen/**/*, <sonar.exclusions>org/thingsboard/server/gen/**/*,
org/thingsboard/server/extensions/core/plugin/telemetry/gen/**/* org/thingsboard/server/extensions/core/plugin/telemetry/gen/**/*
</sonar.exclusions> </sonar.exclusions>
@ -113,7 +113,7 @@
<!-- IMPORTANT: If you change the version of the kafka client, make sure to synchronize our overwritten implementation of the <!-- IMPORTANT: If you change the version of the kafka client, make sure to synchronize our overwritten implementation of the
org.apache.kafka.common.network.NetworkReceive class in the application module. It addresses the issue https://issues.apache.org/jira/browse/KAFKA-4090. org.apache.kafka.common.network.NetworkReceive class in the application module. It addresses the issue https://issues.apache.org/jira/browse/KAFKA-4090.
Here is the source to track https://github.com/apache/kafka/tree/trunk/clients/src/main/java/org/apache/kafka/common/network --> Here is the source to track https://github.com/apache/kafka/tree/trunk/clients/src/main/java/org/apache/kafka/common/network -->
<kafka.version>3.7.2</kafka.version> <kafka.version>3.9.1</kafka.version>
<bucket4j.version>8.10.1</bucket4j.version> <bucket4j.version>8.10.1</bucket4j.version>
<antlr.version>3.5.3</antlr.version> <antlr.version>3.5.3</antlr.version>
<snakeyaml.version>2.2</snakeyaml.version> <snakeyaml.version>2.2</snakeyaml.version>
@ -158,7 +158,7 @@
<allure-maven.version>2.12.0</allure-maven.version> <allure-maven.version>2.12.0</allure-maven.version>
<opensmpp.version>3.0.2</opensmpp.version> <opensmpp.version>3.0.2</opensmpp.version>
<jgit.version>6.9.0.202403050737-r</jgit.version> <jgit.version>6.10.1.202505221210-r</jgit.version>
<exp4j.version>0.4.8</exp4j.version> <exp4j.version>0.4.8</exp4j.version>
<aerogear-otp.version>1.0.0</aerogear-otp.version> <aerogear-otp.version>1.0.0</aerogear-otp.version>
@ -1173,7 +1173,7 @@
<!-- ...Vulnerability fix - transitive dependency from Spring Boot, remove after Spring Boot upgrade --> <!-- ...Vulnerability fix - transitive dependency from Spring Boot, remove after Spring Boot upgrade -->
<dependency> <dependency>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId> <artifactId>spring-boot-starter</artifactId>
<version>${spring-boot.version}</version> <version>${spring-boot.version}</version>
</dependency> </dependency>
<dependency> <dependency>