From 7e608a6e7cc0757fcd835e1538eab7543a335df0 Mon Sep 17 00:00:00 2001
From: Lance Linder <lance@tetrate.io>
Date: Tue, 1 Aug 2023 09:09:05 +0700
Subject: [PATCH] Fix CVE-2023-34455

bumps snappy-java version to fix CVE
---
 pom.xml               | 4 +++-
 zipkin-server/pom.xml | 7 +++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index c1a7db0c4c7..363a1e110c7 100755
--- a/pom.xml
+++ b/pom.xml
@@ -52,7 +52,7 @@
 
     <!-- This allows you to test feature branches with jitpack -->
     <armeria.groupId>com.linecorp.armeria</armeria.groupId>
-    <armeria.version>1.17.2</armeria.version>
+    <armeria.version>1.24.3</armeria.version>
     <!-- Match Armeria version to avoid conflicts including running tests in the IDE -->
     <netty.version>4.1.95.Final</netty.version>
 
@@ -62,6 +62,8 @@
     <java-driver.version>4.11.3</java-driver.version>
     <micrometer.version>1.9.3</micrometer.version>
 
+    <snappy.version>1.1.10.3</snappy.version>
+
     <!-- Used for Generated annotations -->
     <javax-annotation-api.version>1.3.1</javax-annotation-api.version>
 
diff --git a/zipkin-server/pom.xml b/zipkin-server/pom.xml
index f8da15fcff3..f1e28ddd103 100644
--- a/zipkin-server/pom.xml
+++ b/zipkin-server/pom.xml
@@ -110,6 +110,13 @@
       <version>${snakeyaml.version}</version>
     </dependency>
 
+    <!-- Override to avoid CVE-2023-34455 -->
+    <dependency>
+      <groupId>org.xerial.snappy</groupId>
+      <artifactId>snappy-java</artifactId>
+      <version>${snappy.version}</version>
+    </dependency>
+
     <!-- Override log4j 2 version to avoid CVE-2021-44228 -->
     <dependency>
       <groupId>org.apache.logging.log4j</groupId>