[Bug] protobuf-java needs to be upgraded to 3.25.5 to address CVE-2024-7254 #23341
Open
3 tasks done
Labels
release/blocker
type/bug
Search before asking
Read release policy
Version
Pulsar 3.0.x, 3.3.x and master branch
Minimal reproduce step
protobuf-java needs to be upgraded to 3.25.5 to address CVE-2024-7254
What did you expect to see?
Pulsar dependencies shouldn't contain known high or critical level CVEs.
What did you see instead?
CVE-2024-7254 is categorized high although it's not a threat for Pulsar users in practice.
Anything else?
Mailing list message: https://lists.apache.org/thread/73jk2mx4nj82kxwvwgcqz5m63scqcy2s
Are you willing to submit a PR?