This is an automated email from the ASF dual-hosted git repository.
shoothzj pushed a commit to branch branch-4.17
in repository https://gitbox.apache.org/repos/asf/bookkeeper.git
The following commit(s) were added to refs/heads/branch-4.17 by this push:
new f8371a3055 Override OkHttp Version in Otel to Fix CVE-2023-3635 (#4400)
f8371a3055 is described below
commit f8371a30554e0a763debca5060d7bab49be28d4a
Author: ZhangJian He <[email protected]>
AuthorDate: Thu May 30 14:51:47 2024 +0800
Override OkHttp Version in Otel to Fix CVE-2023-3635 (#4400)
Signed-off-by: ZhangJian He <[email protected]>
(cherry picked from commit b8cc1fb10a45073ad38ca26b566f01afb3a31f99)
Signed-off-by: ZhangJian He <[email protected]>
---
.../src/main/resources/LICENSE-all.bin.txt | 10 ++++----
.../src/main/resources/LICENSE-server.bin.txt | 18 +++++++--------
pom.xml | 27 ++++++++++++++++++++++
3 files changed, 41 insertions(+), 14 deletions(-)
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
index f8e741a6df..23312521b4 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
@@ -321,9 +321,9 @@ Apache Software License, Version 2.
- lib/io.reactivex.rxjava3-rxjava-3.0.1.jar [51]
- lib/org.hdrhistogram-HdrHistogram-2.1.10.jar [52]
- lib/com.carrotsearch-hppc-0.9.1.jar [53]
-- lib/com.squareup.okhttp3-okhttp-4.11.0.jar [54]
-- lib/com.squareup.okio-okio-3.2.0.jar [54]
-- lib/com.squareup.okio-okio-jvm-3.2.0.jar [54]
+- lib/com.squareup.okhttp3-okhttp-4.12.0.jar [54]
+- lib/com.squareup.okio-okio-3.6.0.jar [54]
+- lib/com.squareup.okio-okio-jvm-3.6.0.jar [54]
- lib/io.opentelemetry-opentelemetry-api-1.26.0.jar [55]
- lib/io.opentelemetry-opentelemetry-api-events-1.26.0-alpha.jar [55]
- lib/io.opentelemetry-opentelemetry-api-logs-1.26.0-alpha.jar [55]
@@ -398,9 +398,9 @@ Apache Software License, Version 2.
[51] Source available at https://github.com/ReactiveX/RxJava/tree/v3.0.1
[52] Source available at
https://github.com/HdrHistogram/HdrHistogram/tree/HdrHistogram-2.1.10
[53] Source available at https://github.com/carrotsearch/hppc/tree/0.9.1
-[54] Source available at
https://github.com/square/okio/releases/tag/parent-3.2.0
+[54] Source available at
https://github.com/square/okio/releases/tag/parent-3.6.0
[55] Source available at
https://github.com/open-telemetry/opentelemetry-java/releases/tag/v1.26.0
-[56] Source available at
https://github.com/JetBrains/kotlin/releases/tag/v1.6.20
+[56] Source available at
https://github.com/JetBrains/kotlin/releases/tag/v1.8.21
------------------------------------------------------------------------------------
lib/io.netty-netty-codec-4.1.108.Final.jar bundles some 3rd party dependencies
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
index e82e8a83d8..2a9584cf5f 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
@@ -317,9 +317,9 @@ Apache Software License, Version 2.
- lib/org.xerial.snappy-snappy-java-1.1.10.5.jar [50]
- lib/io.reactivex.rxjava3-rxjava-3.0.1.jar [51]
- lib/com.carrotsearch-hppc-0.9.1.jar [52]
-- lib/com.squareup.okhttp3-okhttp-4.11.0.jar [53]
-- lib/com.squareup.okio-okio-3.2.0.jar [53]
-- lib/com.squareup.okio-okio-jvm-3.2.0.jar [53]
+- lib/com.squareup.okhttp3-okhttp-4.12.0.jar [53]
+- lib/com.squareup.okio-okio-3.6.0.jar [53]
+- lib/com.squareup.okio-okio-jvm-3.6.0.jar [53]
- lib/io.opentelemetry-opentelemetry-api-1.26.0.jar [54]
- lib/io.opentelemetry-opentelemetry-api-events-1.26.0-alpha.jar [54]
- lib/io.opentelemetry-opentelemetry-api-logs-1.26.0-alpha.jar [54]
@@ -341,10 +341,10 @@ Apache Software License, Version 2.
-
lib/io.opentelemetry.instrumentation-opentelemetry-instrumentation-api-semconv-1.26.0-alpha.jar
[54]
-
lib/io.opentelemetry.instrumentation-opentelemetry-runtime-metrics-1.26.0-alpha.jar
[54]
- lib/org.jetbrains-annotations-13.0.jar [55]
-- lib/org.jetbrains.kotlin-kotlin-stdlib-1.6.20.jar [55]
-- lib/org.jetbrains.kotlin-kotlin-stdlib-common-1.6.20.jar [55]
-- lib/org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.6.20.jar [55]
-- lib/org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.6.20.jar [55]
+- lib/org.jetbrains.kotlin-kotlin-stdlib-1.8.21.jar [55]
+- lib/org.jetbrains.kotlin-kotlin-stdlib-common-1.8.21.jar [55]
+- lib/org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.8.21.jar [55]
+- lib/org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.8.21.jar [55]
[1] Source available at
https://github.com/FasterXML/jackson-annotations/tree/jackson-annotations-2.17.1
[2] Source available at
https://github.com/FasterXML/jackson-core/tree/jackson-core-2.17.1
@@ -393,9 +393,9 @@ Apache Software License, Version 2.
[50] Source available at
https://github.com/xerial/snappy-java/releases/tag/v1.1.10.5
[51] Source available at https://github.com/ReactiveX/RxJava/tree/v3.0.1
[52] Source available at https://github.com/carrotsearch/hppc/tree/0.9.1
-[53] Source available at
https://github.com/square/okio/releases/tag/parent-3.2.0
+[53] Source available at
https://github.com/square/okio/releases/tag/parent-3.6.0
[54] Source available at
https://github.com/open-telemetry/opentelemetry-java/releases/tag/v1.26.0
-[55] Source available at
https://github.com/JetBrains/kotlin/releases/tag/v1.6.20
+[55] Source available at
https://github.com/JetBrains/kotlin/releases/tag/v1.8.21
------------------------------------------------------------------------------------
lib/io.netty-netty-codec-4.1.108.Final.jar bundles some 3rd party dependencies
diff --git a/pom.xml b/pom.xml
index fe14ff5936..7ecce46449 100644
--- a/pom.xml
+++ b/pom.xml
@@ -412,6 +412,21 @@
<scope>import</scope>
</dependency>
+ <!-- override otel's okhttp 4.11.0 for now, wait for otel update -->
+ <dependency>
+ <groupId>com.squareup.okhttp3</groupId>
+ <artifactId>okhttp-bom</artifactId>
+ <version>4.12.0</version>
+ <type>pom</type>
+ <scope>import</scope>
+ </dependency>
+ <!-- okhttp 4.12.0 use kotlin stdlib 1.8.21 -->
+ <dependency>
+ <groupId>org.jetbrains.kotlin</groupId>
+ <artifactId>kotlin-stdlib-common</artifactId>
+ <version>1.8.21</version>
+ </dependency>
+
<!-- rocksdb dependencies -->
<dependency>
<groupId>org.rocksdb</groupId>
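Review bot: The comment above the okhttp-bom import attributes CVE-2023-3635 to okhttp, but that CVE is recorded against Okio's GzipSource (fixed in okio 3.4.0), and it is the transitive okio 3.2.0→3.6.0 bump visible in the LICENSE hunks that actually closes it — a maintainer who drops this override once otel ships a newer okhttp could silently regress okio. Suggest `<!-- CVE-2023-3635 (okio GzipSource, fixed in okio 3.4.0): okhttp-bom 4.12.0 brings okio 3.6.0; remove only once the otel BOM resolves okio >= 3.4.0 on its own -->`. Only kotlin-stdlib-common is pinned to 1.8.21 while kotlin-stdlib, -jdk7 and -jdk8 are left to transitive resolution; mismatched Kotlin stdlib artifacts fail at runtime (NoSuchMethodError) rather than at build time, so manage all four at one version (e.g. a kotlin-bom import or four explicit entries) instead of one. Maven resolves overlapping managed versions from imported BOMs by first declaration, so if the BOM imported just above this block (its identity is outside the hunk) also manages okhttp or okio, this import would not take effect — worth confirming with `mvn dependency:tree -Dincludes=com.squareup.okio` rather than relying on the LICENSE listing alone.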
@@ -1123,6 +1138,18 @@
</execution>
</executions>
</plugin>
+ <!-- skip maven source plugin due to
+ Error: Failed to execute goal
org.apache.maven.plugins:maven-source-plugin:3.3.0:jar-no-fork (attach-sources)
on project buildtools:
+ Presumably you have configured maven-source-plugin to execute twice
times in your build.
+ You have to configure a classifier for at least on of them.
+ -->
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-source-plugin</artifactId>
+ <configuration>
+ <skipSource>true</skipSource>
+ </configuration>
+ </plugin>
</plugins>
</build>
</profile>
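Review bot: `skipSource=true` disables the -sources.jar for every module built under this profile (the profile's id is outside the hunk); if this is the release or deploy profile, the published binaries lose their attached sources, which weakens auditability of what was shipped against the source release. The error quoted in the comment says the plugin is bound twice and asks for a classifier on one execution (or removal of the duplicate binding), so the targeted fix is there rather than a profile-wide skip — at minimum scope the skip to the colliding `<execution>` by its `<id>`. The comment also has a typo, `at least on of them` should read `at least one of them`.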