This is an automated email from the ASF dual-hosted git repository. jihoonson pushed a commit to branch 0.21.0 in repository https://gitbox.apache.org/repos/asf/druid.git
commit a03dc106f58a7b5b6f92a14b3653bb2e02bdcb60
Author: Jihoon Son <[email protected]>
AuthorDate: Thu Apr 15 00:34:12 2021 -0700
Backport security prs to 0.21.0 (#11116)
---
extensions-core/kubernetes-extensions/pom.xml | 8 +++-
licenses.yaml | 13 ++++---
owasp-dependency-check-suppressions.xml | 55 +++++++++++++++++++++++++++
pom.xml | 2 +-
4 files changed, 70 insertions(+), 8 deletions(-)
diff --git a/extensions-core/kubernetes-extensions/pom.xml b/extensions-core/kubernetes-extensions/pom.xml
index a22c3dd..b68e46d 100644
--- a/extensions-core/kubernetes-extensions/pom.xml
+++ b/extensions-core/kubernetes-extensions/pom.xml
@@ -35,7 +35,7 @@
 </parent>
 <properties>
- <kubernetes.client.version>10.0.0</kubernetes.client.version>
+ <kubernetes.client.version>10.0.1</kubernetes.client.version>
 </properties>
 <dependencies>
@@ -93,6 +93,12 @@
 <version>1.68</version>
 <scope>runtime</scope>
 </dependency>
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcprov-ext-jdk15on</artifactId>
+ <version>1.68</version>
+ <scope>runtime</scope>
+ </dependency>
 <!-- others -->
 <dependency>
diff --git a/licenses.yaml b/licenses.yaml
index 2759bf2..ab9ae27 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -841,7 +841,7 @@ name: kubernetes official java client
 license_category: binary
 module: extensions/druid-kubernetes-extensions
 license_name: Apache License version 2.0
-version: 10.0.0
+version: 10.0.1
 libraries:
 - io.kubernetes: client-java
@@ -851,7 +851,7 @@ name: kubernetes official java client api
 license_category: binary
 module: extensions/druid-kubernetes-extensions
 license_name: Apache License version 2.0
-version: 10.0.0
+version: 10.0.1
 libraries:
 - io.kubernetes: client-java-api
@@ -861,7 +861,7 @@ name: kubernetes official java client extended
 license_category: binary
 module: extensions/druid-kubernetes-extensions
 license_name: Apache License version 2.0
-version: 10.0.0
+version: 10.0.1
 libraries:
 - io.kubernetes: client-java-extended
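Review bot: The new bcprov-ext-jdk15on dependency in the second hunk of extensions-core/kubernetes-extensions/pom.xml hard-codes `<version>1.68</version>` as a bare literal, duplicating the `1.68` already pinned on the dependency immediately above it (whose groupId/artifactId lie outside the hunk), so the next CVE-driven BouncyCastle bump has to touch both entries by hand. Moving the value into the `<properties>` block the first hunk already edits, e.g. `<bouncycastle.version>1.68</bouncycastle.version>`, and referencing `${bouncycastle.version}` from both dependencies would keep them in lockstep. The licenses.yaml hunk later in this commit records bcprov-ext-jdk15on moving from 1.66 to 1.68 under this module, which suggests the artifact was previously arriving transitively and is now being pinned to override that older version; a one-line comment stating that intent, such as `<!-- pinned explicitly so the transitive 1.66 is not used; keep in sync with the other bouncycastle artifact -->`, would stop a future cleanup from removing the entry as redundant. If the adjacent dependency is bcprov-jdk15on, note that the ext jar is a superset of it, so having both on the runtime classpath yields duplicate classes; that is worth confirming against the full dependency list.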
@@ -981,7 +981,7 @@ name: io.kubernetes client-java-proto
 license_category: binary
 module: extensions/druid-kubernetes-extensions
 license_name: Apache License version 2.0
-version: 10.0.0
+version: 10.0.1
 libraries:
 - io.kubernetes: client-java-proto
@@ -1041,7 +1041,7 @@ name: org.bouncycastle bcprov-ext-jdk15on
 license_category: binary
 module: extensions/druid-kubernetes-extensions
 license_name: MIT License
-version: 1.66
+version: 1.68
 libraries:
 - org.bouncycastle: bcprov-ext-jdk15on
@@ -1962,7 +1962,7 @@ name: Jetty
 license_category: binary
 module: java-core
 license_name: Apache License version 2.0
-version: 9.4.34.v20201102
+version: 9.4.39.v20210325
 libraries:
 - org.eclipse.jetty: jetty-client
 - org.eclipse.jetty: jetty-continuation
@@ -1975,6 +1975,7 @@ libraries:
 - org.eclipse.jetty: jetty-servlet
 - org.eclipse.jetty: jetty-servlets
 - org.eclipse.jetty: jetty-util
+ - org.eclipse.jetty: jetty-util-ajax
 notice: |
 ==============================================================
 Jetty Web Container
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 6a532ef..30147fb 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -58,6 +58,17 @@
 <cve>CVE-2020-12691</cve>
 </suppress>
+
+ <suppress>
+ <!-- Not much for us to do as a user of the client lib, and no patch is available, see https://github.com/kubernetes/kubernetes/issues/97076 -->
+ <notes><![CDATA[
+ file name: client-java-10.0.1.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/io\.kubernetes/client\-java.*@10.0.1$</packageUrl>
+ <cve>CVE-2020-8554</cve>
+ </suppress>
+
 <!-- FIXME: These are suppressed so that CI can enforce that no new vulnerable dependencies are added. -->
 <suppress>
 <!--
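Review bot: The CVE-2020-8554 suppression added in the owasp-dependency-check-suppressions.xml hunk is open-ended even though its own comment ties it to an unresolved upstream issue, so nothing will prompt anyone to re-check it once kubernetes/kubernetes#97076 is closed; the thrift suppression later in this same commit uses `<suppress until="2021-04-30">`, and the same time-boxing would fit here, e.g. `<suppress until="[review date placeholder]">` with the comment extended to say the date is a reminder to re-evaluate rather than an expected fix date. The `<packageUrl>` regex `^pkg:maven/io\.kubernetes/client\-java.*@10.0.1$` escapes the hyphen but not the dots in the version, so `@10.0.1` also matches strings like `10x0x1`; `@10\.0\.1$` is what the rest of the regex's escaping implies was intended. Both points are minor because the rule is already restricted to one groupId and one version, which is the right shape for a suppression.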
@@ -287,5 +298,49 @@
 ]]></notes>
 <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-.*@.*$</packageUrl>
 <cve>CVE-2018-11765</cve>
+ <cve>CVE-2020-9492</cve>
+ </suppress>
+ <suppress>
+ <!-- We don't use scala compilation daemon. -->
+ <notes><![CDATA[
+ file name: kafka-clients-2.7.0.jar
+ ]]></notes>
+ <cve>CVE-2017-15288</cve>
+ </suppress>
+ <suppress until="2021-04-30">
+ <!-- Suppress this until https://github.com/apache/druid/issues/11028 is resolved. -->
+ <notes><![CDATA[
+ This vulnerability should be fixed soon and the suppression should be removed.
+ ]]></notes>
+ <cve>CVE-2020-13949</cve>
+ </suppress>
+
+ <suppress>
+ <!-- (avro, parquet, integration-tests) we don't allow velocity templates to be uploaded by untrusted users -->
+ <notes><![CDATA[
+ file name: velocity-engine-core-2.2.jar:
+ ]]></notes>
+ <cve>CVE-2020-13936</cve>
+ </suppress>
+
+ <suppress>
+ <!-- (ranger, ambari, and aliyun-oss) these vulnerabilities are legit, but their latest releases still use the vulnerable jackson version -->
+ <notes><![CDATA[
+ file name: jackson-xc-1.9.x.jar or jackson-jaxrs-1.9.x.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-(xc|jaxrs)@1.9.*$</packageUrl>
+ <cve>CVE-2018-14718</cve>
+ <cve>CVE-2018-7489</cve>
+ </suppress>
+
+ <suppress>
+ <notes><![CDATA[
+ file name: solr-solrj-7.7.1.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.solr/[email protected]$</packageUrl>
+ <cve>CVE-2020-13957</cve>
+ <cve>CVE-2019-17558</cve>
+ <cve>CVE-2019-0193</cve>
+ <cve>CVE-2020-13941</cve>
 </suppress>
 </suppressions>
diff --git a/pom.xml b/pom.xml
index 812c226..657bd6a 100644
--- a/pom.xml
+++ b/pom.xml
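Review bot: Three of the suppressions added in this owasp-dependency-check-suppressions.xml hunk (CVE-2017-15288 for kafka-clients, CVE-2020-13949, and CVE-2020-13936 for velocity-engine-core) contain only `<notes>` and `<cve>` with no `<packageUrl>`, `<filePath>` or `<sha1>` selector, and in dependency-check a rule without a selector suppresses that CVE for every dependency on the classpath, not just the jar named in the notes; the jackson and solr-solrj entries in the same hunk show the scoped form that should be used. For the kafka rule that is one added line, `<packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka\-clients@.*$</packageUrl>`, and the velocity rule can be scoped the same way against `org\.apache\.velocity/velocity\-engine\-core`; the CVE-2020-13949 rule names no artifact at all in its notes, so the affected jar should be stated there and in a selector before the `until="2021-04-30"` date passes. The final solr-solrj suppression is the only new entry without a rationale comment, and its four CVEs cover distinct issues, so a comment like `<!-- (ranger / solr extensions) solr-solrj is used as a client only; the listed CVEs affect the Solr server side -->` would let a later reviewer judge whether it still holds, provided that reasoning is confirmed against how the jar is actually used. The trailing colon in `file name: velocity-engine-core-2.2.jar:` looks like a typo. The hadoop `<suppress>` that the first added line extends begins outside this hunk.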
@@ -90,7 +90,7 @@
 <guava.version>16.0.1</guava.version>
 <guice.version>4.1.0</guice.version>
 <hamcrest.version>1.3</hamcrest.version>
- <jetty.version>9.4.34.v20201102</jetty.version>
+ <jetty.version>9.4.39.v20210325</jetty.version>
 <jersey.version>1.19.3</jersey.version>
 <jackson.version>2.10.2</jackson.version>
 <jackson.databind.version>2.10.5.1</jackson.databind.version>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
