From 6c2fc0951d8eb515fcb7b0a1520e8e624b2d0996 Mon Sep 17 00:00:00 2001
From: Lari Hotari
Date: Mon, 11 May 2026 13:41:21 +0300
Subject: [PATCH] Upgrade thrift to 0.23.0 to address CVE-2026-43869
---
.../src/main/resources/LICENSE-all.bin.txt | 4 ++--
.../src/main/resources/LICENSE-bkctl.bin.txt | 4 ++--
.../src/main/resources/LICENSE-server.bin.txt | 4 ++--
pom.xml | 23 ++++++++++++++++++-
4 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
index 89bb911b7b5..aa44b95635b 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
@@ -299,7 +299,7 @@ Apache Software License, Version 2.
 - lib/org.jctools-jctools-core-jdk11-4.0.6.jar [38]
 - lib/org.apache.httpcomponents-httpclient-4.5.13.jar [39]
 - lib/org.apache.httpcomponents-httpcore-4.4.15.jar [40]
-- lib/org.apache.thrift-libthrift-0.14.2.jar [41]
+- lib/org.apache.thrift-libthrift-0.23.0.jar [41]
 - lib/com.google.android-annotations-4.1.1.4.jar [42]
 - lib/com.google.j2objc-j2objc-annotations-2.8.jar [45]
 - lib/io.dropwizard.metrics-metrics-core-4.1.12.1.jar [47]
@@ -377,7 +377,7 @@ Apache Software License, Version 2.
 [38] Source available at https://github.com/JCTools/JCTools/tree/v4.0.5
 [39] Source available at https://github.com/apache/httpcomponents-client/tree/rel/v4.5.13
 [40] Source available at https://github.com/apache/httpcomponents-core/tree/rel/v4.4.15
-[41] Source available at https://github.com/apache/thrift/tree/0.14.2
+[41] Source available at https://github.com/apache/thrift/tree/0.23.0
 [42] Source available at https://source.android.com/
 [45] Source available at https://github.com/google/j2objc/releases/tag/1.3
 [47] Source available at https://github.com/dropwizard/metrics/releases/tag/v4.1.12.1
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
index b0cd6d1bfbd..4ddbf2f3a00 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
@@ -266,7 +266,7 @@ Apache Software License, Version 2.
 - lib/org.jctools-jctools-core-jdk11-4.0.6.jar [37]
 - lib/org.apache.httpcomponents-httpclient-4.5.13.jar [38]
 - lib/org.apache.httpcomponents-httpcore-4.4.15.jar [39]
-- lib/org.apache.thrift-libthrift-0.14.2.jar [40]
+- lib/org.apache.thrift-libthrift-0.23.0.jar [40]
 - lib/com.google.android-annotations-4.1.1.4.jar [41]
 - lib/com.google.j2objc-j2objc-annotations-2.8.jar [44]
 - lib/io.dropwizard.metrics-metrics-core-4.1.12.1.jar [46]
@@ -301,7 +301,7 @@ Apache Software License, Version 2.
 [37] Source available at https://github.com/JCTools/JCTools/tree/v4.0.5
 [38] Source available at https://github.com/apache/httpcomponents-client/tree/rel/v4.5.13
 [39] Source available at https://github.com/apache/httpcomponents-core/tree/rel/v4.4.15
-[40] Source available at https://github.com/apache/thrift/tree/0.14.2
+[40] Source available at https://github.com/apache/thrift/tree/0.23.0
 [41] Source available at https://source.android.com/
 [44] Source available at https://github.com/google/j2objc/releases/tag/1.3
 [46] Source available at https://github.com/dropwizard/metrics/releases/tag/v4.1.12.1
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
index da3d3aa7a30..6a38596e8d7 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
@@ -299,7 +299,7 @@ Apache Software License, Version 2.
 - lib/org.jctools-jctools-core-jdk11-4.0.6.jar [38]
 - lib/org.apache.httpcomponents-httpclient-4.5.13.jar [39]
 - lib/org.apache.httpcomponents-httpcore-4.4.15.jar [40]
-- lib/org.apache.thrift-libthrift-0.14.2.jar [41]
+- lib/org.apache.thrift-libthrift-0.23.0.jar [41]
 - lib/com.google.android-annotations-4.1.1.4.jar [42]
 - lib/com.google.j2objc-j2objc-annotations-2.8.jar [45]
 - lib/io.dropwizard.metrics-metrics-core-4.1.12.1.jar [47]
@@ -374,7 +374,7 @@ Apache Software License, Version 2.
 [38] Source available at https://github.com/JCTools/JCTools/tree/v4.0.5
 [39] Source available at https://github.com/apache/httpcomponents-client/tree/rel/v4.5.13
 [40] Source available at https://github.com/apache/httpcomponents-core/tree/rel/v4.4.15
-[41] Source available at https://github.com/apache/thrift/tree/0.14.2
+[41] Source available at https://github.com/apache/thrift/tree/0.23.0
 [42] Source available at https://source.android.com/
 [45] Source available at https://github.com/google/j2objc/releases/tag/1.3
 [47] Source available at https://github.com/dropwizard/metrics/releases/tag/v4.1.12.1
diff --git a/pom.xml b/pom.xml
index 72e29bb5095..80b8c61cd7b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -174,7 +174,7 @@ 5.10.2 3.27.7 4.2.0 - 0.14.2 + 0.23.0 1.18.42 2.23.1 1.10.2
@@ -415,6 +415,7 @@ libthrift ${libthrift.version} + org.apache.tomcat.embed tomcat-embed-core
@@ -423,6 +424,26 @@ javax.annotation javax.annotation-api + + jakarta.annotation + jakarta.annotation-api + + + jakarta.servlet + jakarta.servlet-api + + + org.apache.httpcomponents.client5 + httpclient5 + + + org.apache.httpcomponents.core5 + httpcore5 + + + org.apache.httpcomponents.core5 + httpcore5-h2
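Review bot: The five exclusions added under the libthrift entry in the last pom.xml hunk (jakarta.annotation-api, jakarta.servlet-api, httpclient5, httpcore5, httpcore5-h2) remove libraries from the classpath, and nothing readable in this change records why that is safe. If any code path reaches Thrift's HTTP or servlet transports (for example `THttpClient` or `TServlet`), the failure would presumably surface as a `NoClassDefFoundError` at run time rather than at build time. The XML markup is stripped in this copy, so the single line added in the `@@ -415,6 +415,7 @@` hunk may already be such a comment; if it is not, I would add something like `<!-- Thrift HTTP/servlet transports are unused here; exclude their dependencies from the distribution -->` above the exclusions. It is also worth confirming that the `httpclient-4.5.13` and `httpcore-4.4.15` entries still listed in the three LICENSE-*.bin.txt files match what the distribution bundles after the upgrade, since only the libthrift line was updated there.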