This is an automated email from the ASF dual-hosted git repository.

shoothzj pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/bookkeeper.git


The following commit(s) were added to refs/heads/master by this push:
     new b8cc1fb10a Override OkHttp Version in Otel to Fix CVE-2023-3635 (#4400)
b8cc1fb10a is described below

commit b8cc1fb10a45073ad38ca26b566f01afb3a31f99
Author: ZhangJian He <[email protected]>
AuthorDate: Thu May 30 14:51:47 2024 +0800

    Override OkHttp Version in Otel to Fix CVE-2023-3635 (#4400)
    
    Signed-off-by: ZhangJian He <[email protected]>
---
 .../src/main/resources/LICENSE-all.bin.txt         | 18 +++++++--------
 .../src/main/resources/LICENSE-server.bin.txt      | 18 +++++++--------
 pom.xml                                            | 27 ++++++++++++++++++++++
 3 files changed, 45 insertions(+), 18 deletions(-)

diff --git a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt 
b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
index ae62c070e1..a9c71cce5e 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
@@ -324,9 +324,9 @@ Apache Software License, Version 2.
 - lib/io.reactivex.rxjava3-rxjava-3.0.1.jar [51]
 - lib/org.hdrhistogram-HdrHistogram-2.1.10.jar [52]
 - lib/com.carrotsearch-hppc-0.9.1.jar [53]
-- lib/com.squareup.okhttp3-okhttp-4.11.0.jar [54]
-- lib/com.squareup.okio-okio-3.2.0.jar [54]
-- lib/com.squareup.okio-okio-jvm-3.2.0.jar [54]
+- lib/com.squareup.okhttp3-okhttp-4.12.0.jar [54]
+- lib/com.squareup.okio-okio-3.6.0.jar [54]
+- lib/com.squareup.okio-okio-jvm-3.6.0.jar [54]
 - lib/io.opentelemetry-opentelemetry-api-1.26.0.jar [55]
 - lib/io.opentelemetry-opentelemetry-api-events-1.26.0-alpha.jar [55]
 - lib/io.opentelemetry-opentelemetry-api-logs-1.26.0-alpha.jar [55]
@@ -348,10 +348,10 @@ Apache Software License, Version 2.
 - 
lib/io.opentelemetry.instrumentation-opentelemetry-instrumentation-api-semconv-1.26.0-alpha.jar
 [55]
 - 
lib/io.opentelemetry.instrumentation-opentelemetry-runtime-metrics-1.26.0-alpha.jar
 [54]
 - lib/org.jetbrains-annotations-13.0.jar [56]
-- lib/org.jetbrains.kotlin-kotlin-stdlib-1.6.20.jar [56]
-- lib/org.jetbrains.kotlin-kotlin-stdlib-common-1.6.20.jar [56]
-- lib/org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.6.20.jar [56]
-- lib/org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.6.20.jar [56]
+- lib/org.jetbrains.kotlin-kotlin-stdlib-1.8.21.jar [56]
+- lib/org.jetbrains.kotlin-kotlin-stdlib-common-1.8.21.jar [56]
+- lib/org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.8.21.jar [56]
+- lib/org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.8.21.jar [56]
 - lib/com.lmax-disruptor-4.0.0.jar [57]
 
 [1] Source available at 
https://github.com/FasterXML/jackson-annotations/tree/jackson-annotations-2.17.1
@@ -402,9 +402,9 @@ Apache Software License, Version 2.
 [51] Source available at https://github.com/ReactiveX/RxJava/tree/v3.0.1
 [52] Source available at 
https://github.com/HdrHistogram/HdrHistogram/tree/HdrHistogram-2.1.10
 [53] Source available at https://github.com/carrotsearch/hppc/tree/0.9.1
-[54] Source available at 
https://github.com/square/okio/releases/tag/parent-3.2.0
+[54] Source available at 
https://github.com/square/okio/releases/tag/parent-3.6.0
 [55] Source available at 
https://github.com/open-telemetry/opentelemetry-java/releases/tag/v1.26.0
-[56] Source available at 
https://github.com/JetBrains/kotlin/releases/tag/v1.6.20
+[56] Source available at 
https://github.com/JetBrains/kotlin/releases/tag/v1.8.21
 [57] Source available at 
https://github.com/LMAX-Exchange/disruptor/releases/tag/4.0.0
 
 
------------------------------------------------------------------------------------
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt 
b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
index 1f167971c4..8474beb8e8 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
@@ -320,9 +320,9 @@ Apache Software License, Version 2.
 - lib/org.xerial.snappy-snappy-java-1.1.10.5.jar [50]
 - lib/io.reactivex.rxjava3-rxjava-3.0.1.jar [51]
 - lib/com.carrotsearch-hppc-0.9.1.jar [52]
-- lib/com.squareup.okhttp3-okhttp-4.11.0.jar [53]
-- lib/com.squareup.okio-okio-3.2.0.jar [53]
-- lib/com.squareup.okio-okio-jvm-3.2.0.jar [53]
+- lib/com.squareup.okhttp3-okhttp-4.12.0.jar [53]
+- lib/com.squareup.okio-okio-3.6.0.jar [53]
+- lib/com.squareup.okio-okio-jvm-3.6.0.jar [53]
 - lib/io.opentelemetry-opentelemetry-api-1.26.0.jar [54]
 - lib/io.opentelemetry-opentelemetry-api-events-1.26.0-alpha.jar [54]
 - lib/io.opentelemetry-opentelemetry-api-logs-1.26.0-alpha.jar [54]
@@ -344,10 +344,10 @@ Apache Software License, Version 2.
 - 
lib/io.opentelemetry.instrumentation-opentelemetry-instrumentation-api-semconv-1.26.0-alpha.jar
 [54]
 - 
lib/io.opentelemetry.instrumentation-opentelemetry-runtime-metrics-1.26.0-alpha.jar
 [54]
 - lib/org.jetbrains-annotations-13.0.jar [55]
-- lib/org.jetbrains.kotlin-kotlin-stdlib-1.6.20.jar [55]
-- lib/org.jetbrains.kotlin-kotlin-stdlib-common-1.6.20.jar [55]
-- lib/org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.6.20.jar [55]
-- lib/org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.6.20.jar [55]
+- lib/org.jetbrains.kotlin-kotlin-stdlib-1.8.21.jar [55]
+- lib/org.jetbrains.kotlin-kotlin-stdlib-common-1.8.21.jar [55]
+- lib/org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.8.21.jar [55]
+- lib/org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.8.21.jar [55]
 - lib/com.lmax-disruptor-4.0.0.jar [56]
 
 [1] Source available at 
https://github.com/FasterXML/jackson-annotations/tree/jackson-annotations-2.17.1
@@ -397,9 +397,9 @@ Apache Software License, Version 2.
 [50] Source available at 
https://github.com/xerial/snappy-java/releases/tag/v1.1.10.5
 [51] Source available at https://github.com/ReactiveX/RxJava/tree/v3.0.1
 [52] Source available at https://github.com/carrotsearch/hppc/tree/0.9.1
-[53] Source available at 
https://github.com/square/okio/releases/tag/parent-3.2.0
+[53] Source available at 
https://github.com/square/okio/releases/tag/parent-3.6.0
 [54] Source available at 
https://github.com/open-telemetry/opentelemetry-java/releases/tag/v1.26.0
-[55] Source available at 
https://github.com/JetBrains/kotlin/releases/tag/v1.6.20
+[55] Source available at 
https://github.com/JetBrains/kotlin/releases/tag/v1.8.21
 [56] Source available at 
https://github.com/LMAX-Exchange/disruptor/releases/tag/4.0.0
 
 
------------------------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index ac0800a5f1..b2fd58d706 100644
--- a/pom.xml
+++ b/pom.xml
@@ -413,6 +413,21 @@
         <scope>import</scope>
       </dependency>
 
+      <!-- override otel's okhttp 4.11.0 for now, wait for otel update -->
+      <dependency>
+        <groupId>com.squareup.okhttp3</groupId>
+        <artifactId>okhttp-bom</artifactId>
+        <version>4.12.0</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <!-- okhttp 4.12.0 use kotlin stdlib 1.8.21 -->
+      <dependency>
+        <groupId>org.jetbrains.kotlin</groupId>
+        <artifactId>kotlin-stdlib-common</artifactId>
+        <version>1.8.21</version>
+      </dependency>
+
       <!-- rocksdb dependencies -->
       <dependency>
         <groupId>org.rocksdb</groupId>
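Review bot: Only `kotlin-stdlib-common` is pinned to 1.8.21 in the second added `<dependency>`, while `kotlin-stdlib`, `-jdk7` and `-jdk8` are left to transitive resolution; the LICENSE hunks show they happen to land on 1.8.21 too, but that alignment is not enforced, and a later dependency that drags in a different `kotlin-stdlib` would split the stdlib artifacts across versions. Importing `org.jetbrains.kotlin:kotlin-bom:1.8.21` with the same `<type>pom</type>`/`<scope>import</scope>` form as the okhttp-bom entry would manage all four together; at minimum the comment should say why only -common needs pinning, e.g. `<!-- kotlin-stdlib-common is not managed by okhttp-bom; pin it to the version okhttp 4.12.0 requires -->`. The okhttp comment would also be more useful if it recorded the real constraint: as far as I can tell CVE-2023-3635 is an Okio defect (fixed in Okio 3.4.0) rather than an OkHttp one, and this override works because okhttp-bom 4.12.0 manages okio 3.6.0 as the LICENSE hunks show, so `<!-- CVE-2023-3635 is in okio; okhttp-bom 4.12.0 manages okio 3.6.0. Remove once otel's BOM moves past okhttp 4.11.0 -->` would tell a maintainer when it can go. If the import-scoped dependency closing at the top of the hunk is a BOM that also manages okhttp or okio, ordering matters, since Maven takes the first declared managed version for an artifact. The enclosing block (presumably `<dependencyManagement>`) starts and ends outside the hunk.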
@@ -1119,6 +1134,18 @@
               </execution>
             </executions>
           </plugin>
+          <!-- skip maven source plugin due to
+          Error: Failed to execute goal 
org.apache.maven.plugins:maven-source-plugin:3.3.0:jar-no-fork (attach-sources) 
on project buildtools:
+          Presumably you have configured maven-source-plugin to execute twice 
times in your build.
+          You have to configure a classifier for at least on of them.
+          -->
+          <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-source-plugin</artifactId>
+            <configuration>
+              <skipSource>true</skipSource>
+            </configuration>
+          </plugin>
         </plugins>
       </build>
     </profile>
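Review bot: `<skipSource>true</skipSource>` on maven-source-plugin suppresses the `-sources` jar for every module this profile builds, which is a broader effect than the comment about a single buildtools error suggests; if this profile is used for release staging, sources artifacts will silently go missing. The comment records the symptom (a second `jar-no-fork` execution) but not the cause, so nobody can tell when the skip may be removed; I would replace the pasted error text with something like `<!-- maven-source-plugin executes twice in this profile (presumably attach-sources plus an inherited execution); sources are skipped here until the duplicate execution is removed, see <ISSUE-ID placeholder> -->`. The quoted Maven error itself points at the narrower fix, giving one of the two executions a classifier or dropping the duplicate `<execution>`, rather than disabling source attachment, but that configuration lies outside the hunk. This workaround is unrelated to the CVE fix in the commit title and would be easier to track and revert in its own commit. The enclosing `<profile>` starts outside the hunk.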
