[Bug] protobuf-java needs to be upgraded to 3.25.5 to address CVE-2024-7254 #23341

Open
3 tasks done
lhotari opened this issue Sep 23, 2024 · 2 comments
Status: Open
Labels: release/blocker (indicates the PR or issue that should block the release until it gets resolved), type/bug (the PR fixed a bug or issue reported a bug)

Comments

@lhotari
Copy link
Member

lhotari commented Sep 23, 2024

Search before asking

  • I searched in the issues and found nothing similar.

Read release policy

  • I understand that unsupported versions don't get bug fixes. I will attempt to reproduce the issue on a supported version of Pulsar client and Pulsar broker.

Version

Pulsar 3.0.x, 3.3.x and master branch

Minimal reproduce step

protobuf-java needs to be upgraded to 3.25.5 to address CVE-2024-7254

What did you expect to see?

Pulsar dependencies shouldn't contain known high or critical level CVEs.

What did you see instead?

CVE-2024-7254 is categorized high although it's not a threat for Pulsar users in practice.

Anything else?

Mailing list message: https://lists.apache.org/thread/73jk2mx4nj82kxwvwgcqz5m63scqcy2s

Are you willing to submit a PR?

  • I'm willing to submit a PR!
lhotari added the type/bug label Sep 23, 2024
lhotari self-assigned this Sep 23, 2024

lhotari commented Sep 23, 2024

#22263 should be addressed while handling this.

Bookkeeper side needs to be upgraded too. There's PR apache/bookkeeper#4508 for master branch.

lhotari added the release/blocker label Sep 23, 2024

lhotari commented Sep 24, 2024

It will also be necessary to handle #22263 so that a client application can later choose to use a different protobuf-java version. protoc-generated stubs are compatible only with a specific version and could break across versions. That's why client applications should be able to select the protobuf-java version going forward. Upgrading to 3.25.5 will be less impactful for client applications since they could then choose to stay on a specific version which is compatible with their protoc-generated stub classes.
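As an added example (not code from the Pulsar project or from this thread), the script below scans `mvn dependency:tree` output for every copy of `com.google.protobuf:protobuf-java` that sits below the 3.25.5 floor this issue asks for. The dependency tree text is constructed sample data, and the application and stub artifact names in it are hypothetical.

```python
import re
from typing import List, Tuple

# Version floor requested in this issue for CVE-2024-7254.
MIN_PROTOBUF_JAVA = "3.25.5"
PROTOBUF_JAVA = "com.google.protobuf:protobuf-java"

# Constructed sample of `mvn dependency:tree` output (not real Pulsar output);
# the application and stub artifacts are hypothetical names.
SAMPLE_TREE = """\
[INFO] com.example:my-pulsar-app:jar:1.0.0
[INFO] +- org.apache.pulsar:pulsar-client:jar:3.3.0:compile
[INFO] |  \\- com.google.protobuf:protobuf-java:jar:3.19.6:compile
[INFO] +- com.example:my-proto-stubs:jar:2.0.0:compile
[INFO] |  \\- com.google.protobuf:protobuf-java:jar:3.25.5:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.13:compile
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.25.5' -> (3, 25, 5). A non-numeric suffix such as '-rc1' is
    recorded as -1 so that a pre-release sorts below the final release."""
    parts: List[int] = []
    for piece in re.split(r"[.\-]", v):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            parts.append(-1)
            break
    return tuple(parts)


def is_at_least(version: str, minimum: str) -> bool:
    """Numeric comparison of dotted versions; the shorter tuple is zero-padded."""
    a, b = parse_version(version), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def parse_tree(tree_text: str) -> List[Tuple[str, str]]:
    """Extract (group:artifact, version) pairs from dependency:tree lines.
    Maven prints coordinates as group:artifact:packaging:version[:scope]."""
    deps: List[Tuple[str, str]] = []
    for line in tree_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        parts = tokens[-1].split(":")
        if len(parts) < 4:
            continue  # not a coordinate line
        group, artifact, _packaging, version = parts[:4]
        deps.append((f"{group}:{artifact}", version))
    return deps


def find_outdated(tree_text: str, artifact: str = PROTOBUF_JAVA,
                  minimum: str = MIN_PROTOBUF_JAVA) -> List[Tuple[str, str]]:
    """Every occurrence of `artifact` whose version is below `minimum`.
    All occurrences are reported, not only the one Maven's mediation picks,
    because a transitive copy below the floor still needs an explicit override."""
    return [(coord, ver) for coord, ver in parse_tree(tree_text)
            if coord == artifact and not is_at_least(ver, minimum)]


if __name__ == "__main__":
    for coord, ver in find_outdated(SAMPLE_TREE):
        print(f"{coord}:{ver} is below the {MIN_PROTOBUF_JAVA} floor")
```

The check treats 3.25.5 as a floor, not a pin: the compatibility point raised in the comment above means a client application still selects the exact protobuf-java version that matches its protoc-generated stubs (for example through its own dependency management), and this script only confirms that whatever version it selected is at or above the floor.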
