Conversation

@guptas6est (Contributor)

Fixes #xyz

Main Issue: #xyz

PIP: #xyz

Motivation

This PR upgrades vulnerable dependencies in Pulsar to address multiple security advisories identified in the recent CVE scan.

CVE IDs remediated:

Modifications

  • Spring 6.1.14 → 6.2.1
  • Vert.x 4.5.10 → 4.5.22
  • BCPKIX FIPS 1.0.7 → 2.0.8
  • Jetty 9.4.57.v20241219 → 9.4.58.v20250814
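A practical way to confirm that a remediation like this actually landed everywhere is to compare the resolved dependency tree against the minimum fixed versions. The script below is an added example, not code from this PR or from Apache Pulsar: it parses lines in the shape of `mvn dependency:list` output (the sample lines are constructed) and flags any artifact still below the version named above. The Maven coordinates are assumptions; only the version numbers come from the PR. Jetty's `.vYYYYMMDD` qualifier is handled as a secondary key so that `9.4.58.v20250814` compares above `9.4.57.v20241219`.

```python
"""Flag dependencies still below the fixed versions named in a remediation PR.

Added example, not code from Apache Pulsar or this PR. The artifact
coordinates below are assumptions; only the version numbers come from the PR.
"""
import re
from typing import Dict, List, Optional, Tuple

# Minimum versions the PR upgrades to (coordinates are assumed, versions from the PR).
MINIMUM_FIXED_VERSIONS: Dict[str, str] = {
    "org.springframework:spring-core": "6.2.1",            # Spring 6.1.14 -> 6.2.1
    "io.vertx:vertx-core": "4.5.22",                       # Vert.x 4.5.10 -> 4.5.22
    "org.bouncycastle:bcpkix-fips": "2.0.8",               # BCPKIX FIPS 1.0.7 -> 2.0.8
    "org.eclipse.jetty:jetty-server": "9.4.58.v20250814",  # Jetty 9.4.57 -> 9.4.58
}

Version = Tuple[Tuple[int, ...], str]


def parse_version(version: str) -> Version:
    """Split '9.4.58.v20250814' into ((9, 4, 58), 'v20250814').

    Leading dotted integers compare numerically (so 9.4.58 > 9.4.7); everything
    from the first non-numeric part onward is kept as a qualifier string.
    """
    numeric: List[int] = []
    qualifier_parts: List[str] = []
    for part in version.split("."):
        if part.isdigit() and not qualifier_parts:
            numeric.append(int(part))
        else:
            qualifier_parts.append(part)
    return tuple(numeric), ".".join(qualifier_parts)


def is_at_least(actual: str, minimum: str) -> bool:
    """True when `actual` is the same as or newer than `minimum`."""
    a_num, a_qual = parse_version(actual)
    m_num, m_qual = parse_version(minimum)
    width = max(len(a_num), len(m_num))
    a_num += (0,) * (width - len(a_num))  # pad so 9.4 and 9.4.0 compare equal
    m_num += (0,) * (width - len(m_num))
    if a_num != m_num:
        return a_num > m_num
    # Same numeric part: fall back to the qualifier (Jetty's vYYYYMMDD sorts lexically).
    return a_qual >= m_qual


# A resolved dependency line looks like:
#   [INFO]    groupId:artifactId:type[:classifier]:version:scope
DEP_LINE = re.compile(r"^\[INFO\]\s+(\S+)\s*$")


def parse_dependency_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (groupId:artifactId, version) for a dependency line, else None."""
    match = DEP_LINE.match(line)
    if not match:
        return None
    parts = match.group(1).split(":")
    if len(parts) < 5:
        return None
    # Version is always second to last, regardless of an optional classifier.
    return f"{parts[0]}:{parts[1]}", parts[-2]


def find_outdated(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (coordinate, resolved version, minimum fixed version) for each
    tracked artifact that still resolves below its fixed version."""
    outdated: List[Tuple[str, str, str]] = []
    for line in lines:
        parsed = parse_dependency_line(line)
        if parsed is None:
            continue
        coord, actual = parsed
        minimum = MINIMUM_FIXED_VERSIONS.get(coord)
        if minimum is not None and not is_at_least(actual, minimum):
            outdated.append((coord, actual, minimum))
    return outdated


# Constructed sample in the shape of `mvn dependency:list` output.
SAMPLE_DEPENDENCY_LIST: List[str] = [
    "[INFO] The following files have been resolved:",
    "[INFO]    org.eclipse.jetty:jetty-server:jar:9.4.57.v20241219:compile",
    "[INFO]    io.vertx:vertx-core:jar:4.5.22:compile",
    "[INFO]    org.bouncycastle:bcpkix-fips:jar:1.0.7:compile",
    "[INFO]    org.springframework:spring-core:jar:6.2.1:compile",
    "[INFO]    com.google.guava:guava:jar:33.0.0-jre:compile",
]

if __name__ == "__main__":
    for coord, actual, minimum in find_outdated(SAMPLE_DEPENDENCY_LIST):
        print(f"{coord}: resolved {actual}, needs at least {minimum}")
```

Run it against real `mvn dependency:list` output piped from the build; a non-empty result means a transitive dependency still pins the old version, which is exactly the case a per-dependency PR (as suggested in the comments below) makes easy to isolate.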

Verifying this change

  • Make sure that the change passes the CI checks.

(Please pick either of the following options)

This change is a trivial rework / code cleanup without any test coverage.

(or)

This change is already covered by existing tests, such as (please describe tests).

(or)

This change added tests and can be verified as follows:

(example:)

  • Added integration tests for end-to-end deployment with large payloads (10MB)
  • Extended integration test for recovery after broker failure

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository:

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Oct 24, 2025
@Technoboy- Technoboy- added this to the 4.2.0 milestone Oct 27, 2025
@Technoboy- Technoboy- added the dependencies Pull requests that update a dependency file label Oct 27, 2025
@lhotari (Member)

lhotari commented Oct 27, 2025

It's better to handle the updates separately for each dependency so that we would know what breaks if the CI doesn't pass. In addition, there's a need to update the license files. For example, #24232 is a PR where Jetty was upgraded. Similar separate PRs would be needed in this case.

@lhotari (Member)

lhotari commented Oct 27, 2025

@guptas6est I'll close this PR and if you are interested, please submit new PRs following the instructions in my previous comment.

@lhotari lhotari closed this Oct 27, 2025
@lhotari (Member)

lhotari commented Oct 27, 2025

Found the Jetty 9.4.58 release notes: https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.58.v20250814. References CVE-2025-5115. These links could be included in the separate PR.

@lhotari (Member)

lhotari commented Oct 27, 2025

Vert.x is already covered in #24889

@lhotari (Member)

lhotari commented Oct 27, 2025

Jetty 9.4.58.v20250814 upgrade: #24897

@guptas6est Would you like to continue with the remaining ones in a similar way?
