From 31a21516aebddc93b296f93e0008e80d46e75552 Mon Sep 17 00:00:00 2001 From: "octo-sts[bot]" <157150467+octo-sts@users.noreply.github.com> Date: Sat, 20 Dec 2025 23:10:45 +0000 Subject: [PATCH 1/2] druid/35.0.1-r1: fix GHSA-vc5p-v9hr-52mj --- druid.yaml | 2 +- druid/pombump-deps.yaml | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/druid.yaml b/druid.yaml index c52309925a1..62254e1ed74 100644 --- a/druid.yaml +++ b/druid.yaml @@ -1,7 +1,7 @@ package: name: druid version: "35.0.1" - epoch: 1 # GHSA-84h7-rjj3-6jx4 + epoch: 2 # GHSA-vc5p-v9hr-52mj description: Apache Druid is a high performance real-time analytics database. copyright: - license: Apache-2.0 diff --git a/druid/pombump-deps.yaml b/druid/pombump-deps.yaml index 891f3e3224a..f7ca36f84e3 100644 --- a/druid/pombump-deps.yaml +++ b/druid/pombump-deps.yaml @@ -41,3 +41,6 @@ patches: - groupId: org.bouncycastle artifactId: bcpkix-jdk18on version: "1.79" + - groupId: org.apache.logging.log4j + artifactId: log4j-core + version: 2.25.3 From f101c42f5c25d6939065569a022451a6aff86042 Mon Sep 17 00:00:00 2001 From: Brian Carey Date: Tue, 30 Dec 2025 11:14:50 +0000 Subject: [PATCH 2/2] druid: Add log4j version bump to v2.25.3 to pombump-properties Signed-off-by: Brian Carey --- druid/pombump-deps.yaml | 3 --- druid/pombump-properties.yaml | 2 ++ 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/druid/pombump-deps.yaml b/druid/pombump-deps.yaml index f7ca36f84e3..891f3e3224a 100644 --- a/druid/pombump-deps.yaml +++ b/druid/pombump-deps.yaml @@ -41,6 +41,3 @@ patches: - groupId: org.bouncycastle artifactId: bcpkix-jdk18on version: "1.79" - - groupId: org.apache.logging.log4j - artifactId: log4j-core - version: 2.25.3 diff --git a/druid/pombump-properties.yaml b/druid/pombump-properties.yaml index 31092cac71e..527d9b7de63 100644 --- a/druid/pombump-properties.yaml +++ b/druid/pombump-properties.yaml @@ -3,3 +3,5 @@ properties: value: "3.9.1" - property: netty4.version value: 4.1.118.Final + - property: log4j.version + value: "2.25.3"