Merge pull request #115 from HongW2019/sdle

Bump 3rd-party components' version to fix vulnerabilities

Author: haojinIntel

LICENSE.txt

@@ -1768,7 +1768,7 @@ library in certain binary distributions, like the python wheels. In the future
 this will likely change to static linkage. zlib has the following license:
 
 zlib.h -- interface of the 'zlib' general purpose compression library
-  version 1.2.11, January 15th, 2017
+  version 1.2.12, March 27, 2022
 
   Copyright (C) 1995-2017 Jean-loup Gailly and Mark Adler
 

cpp/thirdparty/versions.txt

@@ -55,7 +55,7 @@ ARROW_THRIFT_BUILD_VERSION=0.13.0
 ARROW_THRIFT_BUILD_MD5_CHECKSUM=38a27d391a2b03214b444cb13d5664f1
 ARROW_UTF8PROC_BUILD_VERSION=v2.6.1
 ARROW_XSIMD_BUILD_VERSION=e9234cd6e6f4428fc260073b2c34ffe86fda1f34
-ARROW_ZLIB_BUILD_VERSION=1.2.11
+ARROW_ZLIB_BUILD_VERSION=1.2.12
 ARROW_ZSTD_BUILD_VERSION=v1.4.8
 ARROW_FASTPFOR_BUILD_VERSION=2e836403e964708730da4e81c302939b1878c927
 

go/arrow/LICENSE.txt

@@ -1612,7 +1612,7 @@ library in certain binary distributions, like the python wheels. In the future
 this will likely change to static linkage. zlib has the following license:
 
 zlib.h -- interface of the 'zlib' general purpose compression library
-  version 1.2.11, January 15th, 2017
+   version 1.2.12, March 27, 2022
 
   Copyright (C) 1995-2017 Jean-loup Gailly and Mark Adler
 

go/parquet/LICENSE.txt

@@ -1612,7 +1612,7 @@ library in certain binary distributions, like the python wheels. In the future
 this will likely change to static linkage. zlib has the following license:
 
 zlib.h -- interface of the 'zlib' general purpose compression library
-  version 1.2.11, January 15th, 2017
+   version 1.2.12, March 27, 2022
 
   Copyright (C) 1995-2017 Jean-loup Gailly and Mark Adler
 

java/dataset/pom.xml

@@ -25,7 +25,7 @@
     <packaging>jar</packaging>
     <properties>
         <arrow.cpp.build.dir>../../../cpp/release-build/</arrow.cpp.build.dir>
-        <protobuf.version>2.5.0</protobuf.version>
+        <protobuf.version>3.19.4</protobuf.version>
         <parquet.version>1.11.0</parquet.version>
         <avro.version>1.9.1</avro.version>
     </properties>

java/gandiva/pom.xml

@@ -25,7 +25,7 @@
     <properties>
         <maven.compiler.source>1.8</maven.compiler.source>
         <maven.compiler.target>1.8</maven.compiler.target>
-        <protobuf.version>2.5.0</protobuf.version>
+        <protobuf.version>3.19.4</protobuf.version>
         <dep.guava.version>18.0</dep.guava.version>
         <checkstyle.failOnViolation>true</checkstyle.failOnViolation>
         <arrow.cpp.build.dir>../../../cpp/release-build</arrow.cpp.build.dir>

java/vector/pom.xml

@@ -77,7 +77,7 @@
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-compress</artifactId>
-      <version>1.20</version>
+      <version>1.21</version>
     </dependency>
   </dependencies>
 

python/pyarrow/tests/parquet/test_basic.py

@@ -339,7 +339,7 @@ def test_compression_level(use_legacy_dataset):
     # Uncompressed, snappy, lz4 and lzo do not support specifying a compression
     # level.
     # GZIP (zlib) allows for specifying a compression level but as of up
-    # to version 1.2.11 the valid range is [-1, 9].
+    # to version 1.2.12 the valid range is [-1, 9].
     invalid_combinations = [("snappy", 4), ("lz4", 5), ("gzip", -1337),
                             ("None", 444), ("lzo", 14)]
     buf = io.BytesIO()

rust/ballista/docker/rust-base.dockerfile

@@ -59,7 +59,7 @@ RUN echo "Building OpenSSL" && \
 
 RUN echo "Building zlib" && \
     cd /tmp && \
-    ZLIB_VERSION=1.2.11 && \
+    ZLIB_VERSION=1.2.12 && \
     curl -LO "http://zlib.net/zlib-$ZLIB_VERSION.tar.gz" && \
     tar xzf "zlib-$ZLIB_VERSION.tar.gz" && cd "zlib-$ZLIB_VERSION" && \
     CC=musl-gcc ./configure --static --prefix=/usr/local/musl && \