[To dev/1.3] Cherry-pick some CVE fixes (#16901)

HTHou · dependabot[bot] · web-flow · commit c2c27294f8bf · 2025-12-14T09:19:38.000+08:00
* Bump logback version to 1.3.16 (#16671) * Switch to at.yawk.lz4:lz4-java:1.10.0 (#16871) * Upgrade netty and reactor (#16362) * fix netty version * Fix some dependency issues * Fix build error * Bump at.yawk.lz4:lz4-java from 1.10.0 to 1.10.1 (#16874) Bumps [at.yawk.lz4:lz4-java](https://github.com/yawkat/lz4-java) from 1.10.0 to 1.10.1. - [Release notes](https://github.com/yawkat/lz4-java/releases) - [Changelog](https://github.com/yawkat/lz4-java/blob/main/CHANGES.md) - [Commits](yawkat/lz4-java@v1.10.0...v1.10.1) --- updated-dependencies: - dependency-name: at.yawk.lz4:lz4-java dependency-version: 1.10.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix error * fix error * fix compile error --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
diff --git a/LICENSE-binary b/LICENSE-binary
@@ -213,52 +213,53 @@ conditions of the following licenses.
 The binary distribution of this product bundles these dependencies under the
 following license. See licenses/ for text of these licenses.
 
-Apache Software Foundation License 2.0
+Apache License 2.0
 --------------------------------------
 commons-cli:commons-cli:1.5.0
 commons-codec:commons-codec:1.16.1
 org.apache.commons:commons-collections4:4.4
 commons-io:commons-io:2.14.0
-org.apache.commons:commons-lang3:3.13.0
+org.apache.commons:commons-lang3:3.18.0
 com.nimbusds:content-type:2.2
-com.google.code.gson:gson:2.10.1
+com.google.code.gson:gson:2.13.1
 com.google.guava.guava:32.1.2-jre
-com.fasterxml.jackson.core:jackson-annotations:2.15.4
-com.fasterxml.jackson.core:jackson-core:2.15.4
-com.fasterxml.jackson.core:jackson-databind:2.15.4
+com.fasterxml.jackson.core:jackson-annotations:2.16.2
+com.fasterxml.jackson.core:jackson-core:2.16.2
+com.fasterxml.jackson.core:jackson-databind:2.16.2
 jakarta.inject:jakarta.inject:2.6.1
-org.lz4:lz4-java:1.8.0
+at.yawk.lz4:lz4-java:1.10.0
 com.github.stephenc.jcip:jcip-annotations:1.0-1
 com.github.ben-manes.caffeine:caffeine:2.9.3
-org.eclipse.jetty:jetty-http:9.4.56.v20240826
-org.eclipse.jetty:jetty-io:9.4.56.v20240826
-org.eclipse.jetty:jetty-security:9.4.56.v20240826
-org.eclipse.jetty:jetty-server:9.4.56.v20240826
-org.eclipse.jetty:jetty-servlet:9.4.56.v20240826
-org.eclipse.jetty:jetty-util:9.4.56.v20240826
-io.jsonwebtoken:jjwt-api:0.11.5
-io.jsonwebtoken:jjwt-impl:0.11.5
-io.jsonwebtoken:jjwt-jackson:0.11.5
-net.minidev:json-smart:2.5.0
+org.eclipse.jetty:jetty-http:9.4.57.v20241219
+org.eclipse.jetty:jetty-io:9.4.57.v20241219
+org.eclipse.jetty:jetty-security:9.4.57.v20241219
+org.eclipse.jetty:jetty-server:9.4.57.v20241219
+org.eclipse.jetty:jetty-servlet:9.4.57.v20241219
+org.eclipse.jetty:jetty-util:9.4.57.v20241219
+io.jsonwebtoken:jjwt-api:0.12.7
+io.jsonwebtoken:jjwt-impl:0.12.7
+io.jsonwebtoken:jjwt-jackson:0.12.7
+net.minidev:json-smart:2.5.2
 com.google.code.findbugs:jsr305:3.0.2
 com.nimbusds:lang-tag:1.7
 com.librato.metrics:librato-java:2.1.0
 org.apache.thrift:libthrift:0.14.1
 io.dropwizard.metrics:metrics-core:4.2.19
 io.dropwizard.metrics:metrics-jvm:3.2.2
 com.librato.metrics:metrics-librato:5.1.0
-de.fraunhofer.iosb.io.moquette:moquette-broker:0.17
-io.netty:netty-buffer:4.1.110.Final
-io.netty:netty-codec:4.1.110.Final
-io.netty:netty-codec-http:4.1.110.Final
-io.netty:netty-codec-mqtt:4.1.110.Final
-io.netty:netty-common:4.1.110.Final
-io.netty:netty-handler:4.1.110.Final
-io.netty:netty-resolver:4.1.110.Final
-io.netty:netty-transport:4.1.110.Final
-io.netty:netty-transport-native-epoll:4.1.110.Final:linux-x86_64
-io.netty:netty-transport-native-unix-common:4.1.110.Final
-com.nimbusds:nimbus-jose-jwt:9.37.3
+com.github.moquette-io.moquette:moquette-broker:0.18
+io.netty:netty-buffer:4.1.126.Final
+io.netty:netty-codec:4.1.126.Final
+io.netty:netty-codec-http:4.1.126.Final
+io.netty:netty-codec-mqtt:4.1.126.Final
+io.netty:netty-common:4.1.126.Final
+io.netty:netty-handler:4.1.126.Final
+io.netty:netty-resolver:4.1.126.Final
+io.netty:netty-transport:4.1.126.Final
+io.netty:netty-transport-native-epoll:4.1.126.Final:linux-aarch_64
+io.netty:netty-transport-native-epoll:4.1.126.Final:linux-x86_64
+io.netty:netty-transport-native-unix-common:4.1.126.Final
+com.nimbusds:nimbus-jose-jwt:9.37.4
 com.nimbusds:oauth2-oidc-sdk:10.15
 org.osgi:org.osgi.core:7.0.0
 org.osgi:osgi.cmpn:7.0.0
@@ -289,8 +290,8 @@ com.bugsnag:bugsnag:3.7.2
 EPL 1.0
 ------------
 com.h2database:h2-mvstore:2.1.212
-ch.qos.logback:logback-classic:1.3.14
-ch.qos.logback:logback-core:1.3.14
+ch.qos.logback:logback-classic:1.3.15
+ch.qos.logback:logback-core:1.3.15
 
 
 CDDL 1.1
diff --git a/NOTICE b/NOTICE
@@ -1,5 +1,5 @@
 Apache IoTDB
-Copyright 2018-2024 The Apache Software Foundation.
+Copyright 2018-2025 The Apache Software Foundation.
 
 This product includes software developed at
 The Apache Software Foundation (http://www.apache.org/).
diff --git a/NOTICE-binary b/NOTICE-binary
@@ -1,5 +1,5 @@
 Apache IoTDB
-Copyright 2018-2024 The Apache Software Foundation.
+Copyright 2018-2025 The Apache Software Foundation.
 
 This product includes software developed at
 The Apache Software Foundation (http://www.apache.org/).
diff --git a/iotdb-core/datanode/pom.xml b/iotdb-core/datanode/pom.xml
@@ -173,10 +173,6 @@
             <groupId>net.java.dev.jna</groupId>
             <artifactId>jna-platform</artifactId>
         </dependency>
-        <dependency>
-            <groupId>io.jsonwebtoken</groupId>
-            <artifactId>jjwt-api</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.eclipse.milo</groupId>
             <artifactId>stack-core</artifactId>
diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/thrift/impl/ClientRPCServiceImpl.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/thrift/impl/ClientRPCServiceImpl.java
@@ -171,7 +171,6 @@
 import org.apache.iotdb.service.rpc.thrift.TSyncTransportMetaInfo;
 
 import io.airlift.units.Duration;
-import io.jsonwebtoken.lang.Strings;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.thrift.TException;
 import org.apache.tsfile.block.column.Column;
@@ -1151,7 +1150,7 @@ public TSExecuteStatementResp executeGroupByQueryIntervalQuery(TSGroupByQueryInt
 
       String database = req.getDatabase();
       if (StringUtils.isEmpty(database)) {
-        String[] splits = Strings.split(req.getDevice(), "\\.");
+        String[] splits = req.getDevice().split("\\.");
         database = String.format("%s.%s", splits[0], splits[1]);
       }
       String deviceId = req.getDevice();
diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/utils/datastructure/TVList.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/utils/datastructure/TVList.java
@@ -964,7 +964,7 @@ public TsBlock nextBatch() {
       TSDataType dataType = getDataType();
       int maxRowCountOfCurrentBatch =
           Math.min(
-              paginationController.hasLimit()
+              paginationController.hasSetLimit()
                   ? (int) paginationController.getCurLimit()
                   : Integer.MAX_VALUE,
               Math.min(maxNumberOfPointsInPage, rows - index));
diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/role/LocalFileRoleManagerTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/role/LocalFileRoleManagerTest.java
@@ -30,7 +30,6 @@
 import org.apache.iotdb.db.utils.EnvironmentUtils;
 import org.apache.iotdb.db.utils.constant.TestConstant;
 
-import io.jsonwebtoken.lang.Assert;
 import org.apache.commons.io.FileUtils;
 import org.junit.After;
 import org.junit.Before;
@@ -171,8 +170,8 @@ public void testPathCheckForUpgrade() throws AuthException, IllegalPathException
         }
       }
     }
-    Assert.isTrue(manager.getRole("test").getPathPrivilegeList().size() == 4);
-    Assert.isTrue(!manager.getRole("test").getServiceReady());
+    assertEquals(4, manager.getRole("test").getPathPrivilegeList().size());
+    assertFalse(manager.getRole("test").getServiceReady());
     manager.checkAndRefreshPathPri();
 
     // after refresh. we will have three path:
@@ -217,17 +216,17 @@ public void testPrivRefreshSingle() throws AuthException, IllegalPathException {
       PartialPath path2 = new PartialPath("root.d.a");
       for (PrivilegeType pri : item.getSubPri()) {
         if (pri.isPathRelevant()) {
-          Assert.isTrue(manager.getRole("test").checkPathPrivilege(path1, pri.ordinal()));
-          Assert.isTrue(manager.getRole("test").checkPathPrivilege(path2, pri.ordinal()));
+          assertTrue(manager.getRole("test").checkPathPrivilege(path1, pri.ordinal()));
+          assertTrue(manager.getRole("test").checkPathPrivilege(path2, pri.ordinal()));
           manager.getRole("test").removePathPrivilege(path1, pri.ordinal());
           manager.getRole("test").removePathPrivilege(path2, pri.ordinal());
         } else {
-          Assert.isTrue(manager.getRole("test").checkSysPrivilege(pri.ordinal()));
+          assertTrue(manager.getRole("test").checkSysPrivilege(pri.ordinal()));
           manager.getRole("test").removeSysPrivilege(pri.ordinal());
         }
       }
-      Assert.isTrue(manager.getRole("test").getPathPrivilegeList().isEmpty());
-      Assert.isTrue(manager.getRole("test").getSysPrivilege().isEmpty());
+      assertTrue(manager.getRole("test").getPathPrivilegeList().isEmpty());
+      assertTrue(manager.getRole("test").getSysPrivilege().isEmpty());
     }
   }
 }
diff --git a/iotdb-core/metrics/interface/pom.xml b/iotdb-core/metrics/interface/pom.xml
@@ -82,7 +82,6 @@
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-codec-http</artifactId>
-            <version>4.1.119.Final</version>
         </dependency>
         <dependency>
             <groupId>org.reactivestreams</groupId>
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
@@ -194,11 +194,11 @@ public String getIoTDBUserName(String token) {
   private Claims validateToken(String token) {
     return Jwts.parser()
         // Basically ignore the Expiration Date, if there is any???
-        .setAllowedClockSkewSeconds(Long.MAX_VALUE / 1000)
-        // .setSigningKey(DatatypeConverter.parseBase64Binary(secret))
-        .setSigningKey(providerKey)
-        .parseClaimsJws(token)
-        .getBody();
+        .clockSkewSeconds(Long.MAX_VALUE / 1000)
+        .verifyWith(providerKey)
+        .build()
+        .parseSignedClaims(token)
+        .getPayload();
   }
 
   private String getUsername(Claims claims) {
diff --git a/pom.xml b/pom.xml
@@ -60,6 +60,7 @@
         <argLine/>
         <awaitility.version>4.2.0</awaitility.version>
         <boost.include.dir/>
+        <bouncycastle.version>1.81</bouncycastle.version>
         <!-- This was the last version to support Java 8 -->
         <caffeine.version>2.9.3</caffeine.version>
         <cglib.version>3.3.0</cglib.version>
@@ -86,7 +87,7 @@
         <fusesource-mqtt-client.version>1.16</fusesource-mqtt-client.version>
         <!-- JDK1.8 only support google java format 1.7-->
         <google.java.format.version>1.22.0</google.java.format.version>
-        <gson.version>2.10.1</gson.version>
+        <gson.version>2.13.1</gson.version>
         <guava.version>32.1.2-jre</guava.version>
         <!-- This was the last version to support Java 8 -->
         <h2.version>2.2.224</h2.version>
@@ -110,15 +111,15 @@
         <jersey.version>2.40</jersey.version>
         <!-- This was the last version to support Java 8 -->
         <jetty.version>9.4.57.v20241219</jetty.version>
-        <jjwt.version>0.11.5</jjwt.version>
+        <jjwt.version>0.12.7</jjwt.version>
         <jline.version>3.26.2</jline.version>
         <jna.version>5.14.0</jna.version>
         <json-smart.version>2.5.2</json-smart.version>
         <jtransforms.version>3.1</jtransforms.version>
         <junit.version>4.13.2</junit.version>
         <!-- This was the last version to support Java 8 -->
-        <logback.version>1.3.15</logback.version>
-        <lz4-java.version>1.8.0</lz4-java.version>
+        <logback.version>1.3.16</logback.version>
+        <lz4-java.version>1.10.1</lz4-java.version>
         <maven.assembly.version>3.6.0</maven.assembly.version>
         <maven.compiler.source>1.8</maven.compiler.source>
         <maven.compiler.target>1.8</maven.compiler.target>
@@ -129,8 +130,8 @@
         <!-- This was the last version to support Java 8 -->
         <!--mockito.version>4.11.0</mockito.version-->
         <moquette.version>0.18.0</moquette.version>
-        <netty.version>4.1.115.Final</netty.version>
-        <nimbus-jose-jwt.version>9.37.3</nimbus-jose-jwt.version>
+        <netty.version>4.1.126.Final</netty.version>
+        <nimbus-jose-jwt.version>9.37.4</nimbus-jose-jwt.version>
         <oauth2-oidc-sdk.version>10.15</oauth2-oidc-sdk.version>
         <!-- This was the last version to support Java 8 -->
         <openapi.generator.version>6.6.0</openapi.generator.version>
@@ -146,8 +147,8 @@
     -->
         <ratis.version>3.2.1</ratis.version>
         <reactive-streams.version>1.0.4</reactive-streams.version>
-        <reactor-netty.version>1.1.20</reactor-netty.version>
-        <reactor.version>3.5.18</reactor.version>
+        <reactor-netty.version>1.2.9</reactor-netty.version>
+        <reactor.version>3.7.9</reactor.version>
         <reflections.version>0.10.2</reflections.version>
         <slf4j.version>2.0.9</slf4j.version>
         <snappy-java.version>1.1.10.5</snappy-java.version>
@@ -175,7 +176,7 @@
         <thrift.version>0.14.1</thrift.version>
         <xz.version>1.9</xz.version>
         <zstd-jni.version>1.5.6-3</zstd-jni.version>
-        <tsfile.version>1.1.3-251028-SNAPSHOT</tsfile.version>
+        <tsfile.version>1.1.3-251212-SNAPSHOT</tsfile.version>
     </properties>
     <!--
     if we claim dependencies in dependencyManagement, then we do not claim
@@ -311,13 +312,18 @@
             <dependency>
                 <groupId>org.bouncycastle</groupId>
                 <artifactId>bcprov-jdk18on</artifactId>
-                <version>1.78</version>
+                <version>${bouncycastle.version}</version>
             </dependency>
             <dependency>
                 <groupId>commons-io</groupId>
                 <artifactId>commons-io</artifactId>
                 <version>${commons-io.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.apache.tsfile</groupId>
+                <artifactId>tsfile</artifactId>
+                <version>${tsfile.version}</version>
+            </dependency>
             <dependency>
                 <groupId>org.apache.ratis</groupId>
                 <artifactId>ratis-server</artifactId>
@@ -509,7 +515,7 @@
                 <version>${zstd-jni.version}</version>
             </dependency>
             <dependency>
-                <groupId>org.lz4</groupId>
+                <groupId>at.yawk.lz4</groupId>
                 <artifactId>lz4-java</artifactId>
                 <version>${lz4-java.version}</version>
             </dependency>

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,6 @@`
`30`	`30`	`import org.apache.iotdb.db.utils.EnvironmentUtils;`
`31`	`31`	`import org.apache.iotdb.db.utils.constant.TestConstant;`
`32`	`32`
`33`		`-import io.jsonwebtoken.lang.Assert;`
`34`	`33`	`import org.apache.commons.io.FileUtils;`
`35`	`34`	`import org.junit.After;`
`36`	`35`	`import org.junit.Before;`
`@@ -171,8 +170,8 @@ public void testPathCheckForUpgrade() throws AuthException, IllegalPathException`
`171`	`170`	`}`
`172`	`171`	`}`
`173`	`172`	`}`
`174`		`- Assert.isTrue(manager.getRole("test").getPathPrivilegeList().size() == 4);`
`175`		`- Assert.isTrue(!manager.getRole("test").getServiceReady());`
	`173`	`+ assertEquals(4, manager.getRole("test").getPathPrivilegeList().size());`
	`174`	`+ assertFalse(manager.getRole("test").getServiceReady());`
`176`	`175`	`manager.checkAndRefreshPathPri();`
`177`	`176`
`178`	`177`	`// after refresh. we will have three path:`
`@@ -217,17 +216,17 @@ public void testPrivRefreshSingle() throws AuthException, IllegalPathException {`
`217`	`216`	`PartialPath path2 = new PartialPath("root.d.a");`
`218`	`217`	`for (PrivilegeType pri : item.getSubPri()) {`
`219`	`218`	`if (pri.isPathRelevant()) {`
`220`		`- Assert.isTrue(manager.getRole("test").checkPathPrivilege(path1, pri.ordinal()));`
`221`		`- Assert.isTrue(manager.getRole("test").checkPathPrivilege(path2, pri.ordinal()));`
	`219`	`+ assertTrue(manager.getRole("test").checkPathPrivilege(path1, pri.ordinal()));`
	`220`	`+ assertTrue(manager.getRole("test").checkPathPrivilege(path2, pri.ordinal()));`
`222`	`221`	`manager.getRole("test").removePathPrivilege(path1, pri.ordinal());`
`223`	`222`	`manager.getRole("test").removePathPrivilege(path2, pri.ordinal());`
`224`	`223`	`} else {`
`225`		`- Assert.isTrue(manager.getRole("test").checkSysPrivilege(pri.ordinal()));`
	`224`	`+ assertTrue(manager.getRole("test").checkSysPrivilege(pri.ordinal()));`
`226`	`225`	`manager.getRole("test").removeSysPrivilege(pri.ordinal());`
`227`	`226`	`}`
`228`	`227`	`}`
`229`		`- Assert.isTrue(manager.getRole("test").getPathPrivilegeList().isEmpty());`
`230`		`- Assert.isTrue(manager.getRole("test").getSysPrivilege().isEmpty());`
	`228`	`+ assertTrue(manager.getRole("test").getPathPrivilegeList().isEmpty());`
	`229`	`+ assertTrue(manager.getRole("test").getSysPrivilege().isEmpty());`
`231`	`230`	`}`
`232`	`231`	`}`
`233`	`232`	`}`