This is an automated email from the ASF dual-hosted git repository.

kfaraz pushed a commit to branch 30.0.0
in repository https://gitbox.apache.org/repos/asf/druid.git


The following commit(s) were added to refs/heads/30.0.0 by this push:
     new b26394e15c4 [Backport] update dependencies to address CVEs (#16374) 
(#16395)
b26394e15c4 is described below

commit b26394e15c49c55a67b0bc842b1dd8e604a5187a
Author: Adarsh Sanjeev <[email protected]>
AuthorDate: Tue May 7 11:16:53 2024 +0530

    [Backport] update dependencies to address CVEs (#16374) (#16395)
    
    update dependencies to address new batch of CVEs:
    - Azure POM from 1.2.19 to 1.2.23 to update transitive dependency 
nimbus-jose-jwt to address:  CVE-2023-52428
    - commons-configuration2 from 2.8.0 to 2.10.1 to address: CVE-2024-29131 
CVE-2024-29133
    - bcpkix-jdk18on from 1.76 to 1.78.1 to address: CVE-2024-30172 
CVE-2024-30171 CVE-2024-29857
    
    Co-authored-by: Jan Werner 
<[email protected]>
---
 extensions-core/azure-extensions/pom.xml |  2 +-
 licenses.yaml                            | 52 +++++++++++++++++++++++---------
 pom.xml                                  | 14 +++++++++
 3 files changed, 52 insertions(+), 16 deletions(-)

diff --git a/extensions-core/azure-extensions/pom.xml 
b/extensions-core/azure-extensions/pom.xml
index f5c66aea89b..8fb83d90ea8 100644
--- a/extensions-core/azure-extensions/pom.xml
+++ b/extensions-core/azure-extensions/pom.xml
@@ -38,7 +38,7 @@
             <dependency>
                 <groupId>com.azure</groupId>
                 <artifactId>azure-sdk-bom</artifactId>
-                <version>1.2.19</version>
+                <version>1.2.23</version>
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
diff --git a/licenses.yaml b/licenses.yaml
index f854586c235..ff0c0aaaa1f 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -652,7 +652,7 @@ name: Apache Commons Configuration
 license_category: binary
 module: java-core
 license_name: Apache License version 2.0
-version: 2.8.0
+version: 2.10.1
 libraries:
   - org.apache.commons: commons-configuration2
 
@@ -1054,7 +1054,7 @@ name: org.bouncycastle bcprov-jdk18on
 license_category: binary
 module: extensions/druid-kubernetes-extensions
 license_name: MIT License
-version: "1.76"
+version: "1.78.1"
 libraries:
   - org.bouncycastle: bcprov-jdk18on
   - org.bouncycastle: bcprov-ext-jdk18on
@@ -4223,7 +4223,7 @@ license_category: binary
 module: extensions/druid-azure-extensions
 license_name: MIT License
 copyright: Microsoft
-version: 1.11.1
+version: 1.12.0
 libraries:
   - com.azure: azure-identity
 
@@ -4234,18 +4234,29 @@ license_category: binary
 module: extensions/druid-azure-extensions
 license_name: MIT License
 copyright: Microsoft
-version: 12.21.1
+version: 12.21.4
 libraries:
   - com.azure: azure-storage-blob-batch
 
 ---
 
+name: Microsoft Azure  Blob Storage SDK
+license_category: binary
+module: extensions/druid-azure-extensions
+license_name: MIT License
+copyright: Microsoft
+version: 12.25.4
+libraries:
+  - com.azure: azure-storage-blob
+
+---
+
 name: Microsoft Azure Storage Common
 license_category: binary
 module: extensions/druid-azure-extensions
 license_name: MIT License
 copyright: Microsoft
-version: 12.24.1
+version: 12.24.4
 libraries:
   - com.azure: azure-storage-common
 
@@ -4256,7 +4267,7 @@ license_category: binary
 module: extensions/druid-azure-extensions
 license_name: MIT License
 copyright: Microsoft
-version: 12.10.1
+version: 12.10.4
 libraries:
   - com.azure: azure-storage-internal-avro
 
@@ -4271,13 +4282,24 @@ version: 1.1.0
 libraries:
   - com.azure: azure-json
 
+---
+
+name: Microsoft Azure XML
+license_category: binary
+module: extensions/druid-azure-extensions
+license_name: MIT License
+copyright: Microsoft
+version: 1.0.0
+libraries:
+  - com.azure: azure-xml
+
 ---
 name: Microsoft Azure Netty Http
 license_category: binary
 module: extensions/druid-azure-extensions
 license_name: MIT License
 copyright: Microsoft
-version: 1.13.11
+version: 1.14.2
 libraries:
   - com.azure: azure-core-http-netty
 
@@ -4288,7 +4310,7 @@ license_category: binary
 module: extensions/druid-azure-extensions
 license_name: MIT License
 copyright: Microsoft
-version: 1.45.1
+version: 1.48.0
 libraries:
   - com.azure: azure-core
 
@@ -4299,7 +4321,7 @@ license_category: binary
 module: extensions/druid-azure-extensions
 license_name: MIT License
 copyright: Microsoft
-version: 1.14.0
+version: 1.15.0
 libraries:
   - com.microsoft.azure: msal4j
 
@@ -4310,7 +4332,7 @@ license_category: binary
 module: extensions/druid-azure-extensions
 license_name: MIT License
 copyright: Microsoft
-version: 1.2.0
+version: 1.3.0
 libraries:
   - com.microsoft.azure: msal4j-persistence-extension
 
@@ -4320,7 +4342,7 @@ name: NimbusDS Content Type
 license_category: binary
 module: extensions/druid-azure-extensions
 license_name: Apache License version 2.0
-version: 2.2
+version: 2.3
 libraries:
   - com.nimbusds: content-type
 
@@ -4330,7 +4352,7 @@ name: NimbusDS Jose
 license_category: binary
 module: extensions/druid-azure-extensions
 license_name: Apache License version 2.0
-version: 9.30.2
+version: 9.37.3
 libraries:
   - com.nimbusds: nimbus-jose-jwt
 
@@ -4340,7 +4362,7 @@ name: NimbusDS Oauth
 license_category: binary
 module: extensions/druid-azure-extensions
 license_name: Apache License version 2.0
-version: 10.7.1
+version: 11.9.1
 libraries:
   - com.nimbusds: oauth2-oidc-sdk
 
@@ -4350,7 +4372,7 @@ name: Reactor Netty
 license_category: binary
 module: extensions/druid-azure-extensions
 license_name: Apache License version 2.0
-version: 1.0.39
+version: 1.0.43
 libraries:
   - io.projectreactor.netty: reactor-netty-core
   - io.projectreactor.netty: reactor-netty-http
@@ -4361,7 +4383,7 @@ name: Reactor Core
 license_category: binary
 module: extensions/druid-azure-extensions
 license_name: Apache License version 2.0
-version: 3.4.34
+version: 3.4.36
 libraries:
   - io.projectreactor: reactor-core
 ---
diff --git a/pom.xml b/pom.xml
index 7ccc327dd67..cfca79dc6ed 100644
--- a/pom.xml
+++ b/pom.xml
@@ -404,6 +404,20 @@
                 <artifactId>gson</artifactId>
                 <version>${gson.version}</version>
             </dependency>
+            <!-- Transitive dependency of kubernetes-client java and 
docker-java-core
+            in kubernetes-extensions and it-integration tests -->
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bcpkix-jdk18on</artifactId>
+                <version>1.78.1</version>
+            </dependency>
+            <!-- Transitive dependency of hive-common in druid-kerberos, 
druid-ranger-security and
+            druid-iceberg-extension  -->
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-configuration2</artifactId>
+                <version>2.10.1</version>
+            </dependency>
             <dependency>
                 <groupId>org.apache.zookeeper</groupId>
                 <artifactId>zookeeper</artifactId>
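Review bot: The managed entry added here pins only `bcpkix-jdk18on`, while the licenses.yaml hunk at `@@ -1054,7 +1054,7 @@` records `bcprov-jdk18on` and `bcprov-ext-jdk18on` at 1.78.1, and no visible line in this hunk manages those sibling artifacts. If they are not managed elsewhere in the file, the version that ships depends on Maven's nearest-wins mediation in each module, so an older provider jar could still be resolved alongside the new bcpkix. Consider managing the sibling Bouncy Castle artifacts at the same version, and confirm the result for the kubernetes-extensions and integration-test modules with `mvn dependency:tree -Dincludes=org.bouncycastle`. As a style point, both new versions are literals while the neighbouring gson entry uses `${gson.version}`; a property such as `<version>${bouncycastle.version}</version>` (property name suggested here, not taken from the file) would keep the next CVE bump to a single line. The enclosing section starts and ends outside the hunk, so whether such properties or sibling entries already exist cannot be confirmed from here.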

