From f5222d6b1f64d14029f8fef3e0108cf74ffefded Mon Sep 17 00:00:00 2001 From: tison Date: Tue, 17 Oct 2023 09:38:02 +0800 Subject: [PATCH] [fix][sec] Bump avro version to 1.11.3 for CVE-2023-39410 (#21341) Signed-off-by: tison --- distribution/server/src/assemble/LICENSE.bin.txt | 4 ++-- distribution/shell/src/assemble/LICENSE.bin.txt | 4 ++-- pom.xml | 2 +- .../schema/compatibility/SchemaCompatibilityCheckTest.java | 2 +- .../pulsar/client/impl/schema/ProtobufSchemaTest.java | 6 +++--- pulsar-io/kafka-connect-adaptor/pom.xml | 6 ++++++ pulsar-sql/presto-distribution/LICENSE | 4 ++-- 7 files changed, 17 insertions(+), 11 deletions(-) diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt index 42033316b717f..dcad8e9bb78f9 100644 --- a/distribution/server/src/assemble/LICENSE.bin.txt +++ b/distribution/server/src/assemble/LICENSE.bin.txt @@ -447,8 +447,8 @@ The Apache Software License, Version 2.0 - net.jodah-typetools-0.5.0.jar - net.jodah-failsafe-2.4.4.jar * Apache Avro - - org.apache.avro-avro-1.10.2.jar - - org.apache.avro-avro-protobuf-1.10.2.jar + - org.apache.avro-avro-1.11.3.jar + - org.apache.avro-avro-protobuf-1.11.3.jar * Apache Curator - org.apache.curator-curator-client-5.1.0.jar - org.apache.curator-curator-framework-5.1.0.jar diff --git a/distribution/shell/src/assemble/LICENSE.bin.txt b/distribution/shell/src/assemble/LICENSE.bin.txt index 9db4713f8e4da..8a8f47350409c 100644 --- a/distribution/shell/src/assemble/LICENSE.bin.txt +++ b/distribution/shell/src/assemble/LICENSE.bin.txt @@ -407,8 +407,8 @@ The Apache Software License, Version 2.0 * Google Error Prone Annotations - error_prone_annotations-2.5.1.jar * Javassist -- javassist-3.25.0-GA.jar * Apache Avro - - avro-1.10.2.jar - - avro-protobuf-1.10.2.jar + - avro-1.11.3.jar + - avro-protobuf-1.11.3.jar BSD 3-clause "New" or "Revised" License * JSR305 -- jsr305-3.0.2.jar -- ../licenses/LICENSE-JSR305.txt 
diff --git a/pom.xml b/pom.xml index 9b7e256addfa4..2ac82aaee7618 100644 --- a/pom.xml +++ b/pom.xml @@ -177,7 +177,7 @@ flexible messaging model and an intuitive client API. 3.4.0 5.5.3 1.12.262 - 1.10.2 + 1.11.3 2.10.10 2.5.0 5.1.0 diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/schema/compatibility/SchemaCompatibilityCheckTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/schema/compatibility/SchemaCompatibilityCheckTest.java index 140dea9e7ebc7..49517a424b936 100644 --- a/pulsar-broker/src/test/java/org/apache/pulsar/schema/compatibility/SchemaCompatibilityCheckTest.java +++ b/pulsar-broker/src/test/java/org/apache/pulsar/schema/compatibility/SchemaCompatibilityCheckTest.java @@ -407,7 +407,7 @@ public void testSchemaComparison() throws Exception { assertEquals(admin.namespaces().getSchemaCompatibilityStrategy(namespaceName.toString()), SchemaCompatibilityStrategy.UNDEFINED); byte[] changeSchemaBytes = (new String(Schema.AVRO(Schemas.PersonOne.class) - .getSchemaInfo().getSchema(), UTF_8) + "/n /n /n").getBytes(); + .getSchemaInfo().getSchema(), UTF_8) + "\n \n \n").getBytes(); SchemaInfo schemaInfo = SchemaInfo.builder().type(SchemaType.AVRO).schema(changeSchemaBytes).build(); admin.schemas().createSchema(fqtn, schemaInfo); diff --git a/pulsar-client/src/test/java/org/apache/pulsar/client/impl/schema/ProtobufSchemaTest.java b/pulsar-client/src/test/java/org/apache/pulsar/client/impl/schema/ProtobufSchemaTest.java index 3fcd6f12b982d..85012276d5af1 100644 --- a/pulsar-client/src/test/java/org/apache/pulsar/client/impl/schema/ProtobufSchemaTest.java +++ b/pulsar-client/src/test/java/org/apache/pulsar/client/impl/schema/ProtobufSchemaTest.java 
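Review bot: In `testSchemaComparison`, the changed line still ends in a bare `.getBytes()`, so the padded schema is encoded with the platform default charset although the same expression decodes it with `UTF_8`. Writing `+ "\n \n \n").getBytes(UTF_8);` keeps the round trip identical on every build host. The `/n` to `\n` correction suggests the suffix was always meant to be whitespace-only padding, and the old literal presumably only passed because the earlier Avro parser tolerated trailing non-whitespace. A comment such as `// whitespace-only padding: the broker should treat this as the already registered schema` would record that intent, which is inferred here from the test name because the assertions lie outside the hunk.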
@@ -41,20 +41,20 @@ public class ProtobufSchemaTest { "\"namespace\":\"org.apache.pulsar.client.schema.proto.Test\"," + "\"fields\":[{\"name\":\"stringField\",\"type\":{\"type\":\"string\"," + "\"avro.java.string\":\"String\"},\"default\":\"\"},{\"name\":\"doubleField\"," + - "\"type\":\"double\",\"default\":0},{\"name\":\"intField\",\"type\":\"int\"," + + "\"type\":\"double\",\"default\":0.0},{\"name\":\"intField\",\"type\":\"int\"," + "\"default\":0},{\"name\":\"testEnum\",\"type\":{\"type\":\"enum\"," + "\"name\":\"TestEnum\",\"symbols\":[\"SHARED\",\"FAILOVER\"]}," + "\"default\":\"SHARED\"},{\"name\":\"nestedField\"," + "\"type\":[\"null\",{\"type\":\"record\",\"name\":\"SubMessage\"," + "\"fields\":[{\"name\":\"foo\",\"type\":{\"type\":\"string\"," + "\"avro.java.string\":\"String\"},\"default\":\"\"}" + - ",{\"name\":\"bar\",\"type\":\"double\",\"default\":0}]}]" + + ",{\"name\":\"bar\",\"type\":\"double\",\"default\":0.0}]}]" + ",\"default\":null},{\"name\":\"repeatedField\",\"type\":{\"type\":\"array\"" + ",\"items\":{\"type\":\"string\",\"avro.java.string\":\"String\"}},\"default\":[]}" + ",{\"name\":\"externalMessage\",\"type\":[\"null\",{\"type\":\"record\"" + ",\"name\":\"ExternalMessage\",\"namespace\":\"org.apache.pulsar.client.schema.proto.ExternalTest\"" + ",\"fields\":[{\"name\":\"stringField\",\"type\":{\"type\":\"string\",\"avro.java.string\":\"String\"}," + - "\"default\":\"\"},{\"name\":\"doubleField\",\"type\":\"double\",\"default\":0}]}],\"default\":null}]}"; + "\"default\":\"\"},{\"name\":\"doubleField\",\"type\":\"double\",\"default\":0.0}]}],\"default\":null}]}"; private static final String EXPECTED_PARSING_INFO = "{\"__alwaysAllowNull\":\"true\",\"__jsr310ConversionEnabled\":\"false\"," + "\"__PARSING_INFO__\":\"[{\\\"number\\\":1,\\\"name\\\":\\\"stringField\\\",\\\"type\\\":\\\"STRING\\\"," + diff --git a/pulsar-io/kafka-connect-adaptor/pom.xml b/pulsar-io/kafka-connect-adaptor/pom.xml index 7b49b337f6c03..131cf605cb7bd 100644 
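Review bot: The three `\"default\":0` to `\"default\":0.0` edits in `EXPECTED_SCHEMA_JSON` show that the schema text generated for protobuf `double` fields differs between Avro 1.10.2 and 1.11.3, and the hunk only updates the expectation without recording why. Nothing visible here tells whether a broker holding the old rendering treats the new one as the same schema or as a new version. A test that registers the `0` form and then the `0.0` form, or a sentence in the PR description, would settle that for operators rolling out the CVE fix to clients and brokers at different times. A comment on the constant, e.g. `// Avro 1.11.3 renders double defaults as 0.0 (was 0 with 1.10.2)`, would also explain the literal to the next person bumping Avro. The constant's declaration begins above the hunk.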
--- a/pulsar-io/kafka-connect-adaptor/pom.xml +++ b/pulsar-io/kafka-connect-adaptor/pom.xml @@ -116,6 +116,12 @@ io.confluent kafka-connect-avro-converter ${confluent.version} + + + org.apache.avro + avro + + diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE index aa2577776619e..7c3f0f70cf228 100644 --- a/pulsar-sql/presto-distribution/LICENSE +++ b/pulsar-sql/presto-distribution/LICENSE @@ -372,8 +372,8 @@ The Apache Software License, Version 2.0 * OpenCSV - opencsv-2.3.jar * Avro - - avro-1.10.2.jar - - avro-protobuf-1.10.2.jar + - avro-1.11.3.jar + - avro-protobuf-1.11.3.jar * Caffeine - caffeine-2.9.1.jar * Javax
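Review bot: The exclusion of `org.apache.avro:avro` added under `kafka-connect-avro-converter` closes only that one transitive path. The hunk does not show which Avro version this module resolves afterwards, or whether another dependency of the adaptor still brings in an older one. Because the commit exists to move off the version affected by CVE-2023-39410, it is worth checking this module with `mvn dependency:tree -Dincludes=org.apache.avro` and confirming that the packaged artifact carries only 1.11.3. An XML comment on the exclusion, e.g. `<!-- resolve Avro from the project-managed version (CVE-2023-39410) rather than the converter's transitive one -->`, would stop it being dropped later as apparently redundant. The markup on this page is stripped and the enclosing `<dependency>` element starts above the hunk, so the exact element nesting is inferred.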