This is an automated email from the ASF dual-hosted git repository.

xiangfu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pinot.git


The following commit(s) were added to refs/heads/master by this push:
     new 0a2debf532 Upgrade nimbus and jetty library versions for CVE (#12596)
0a2debf532 is described below

commit 0a2debf53284fbbd4ec1af087a9950aebc8d1fb1
Author: Xiang Fu <[email protected]>
AuthorDate: Thu Mar 7 14:40:17 2024 -0800

    Upgrade nimbus and jetty library versions for CVE (#12596)
---
 pinot-plugins/pinot-file-system/pinot-adls/pom.xml |  5 +++
 .../pinot-stream-ingestion/pinot-pulsar/pom.xml    | 17 +++------
 pom.xml                                            | 40 ++++++++++++++++++++++
 3 files changed, 49 insertions(+), 13 deletions(-)

diff --git a/pinot-plugins/pinot-file-system/pinot-adls/pom.xml 
b/pinot-plugins/pinot-file-system/pinot-adls/pom.xml
index cfc13a704d..cf146e5d5e 100644
--- a/pinot-plugins/pinot-file-system/pinot-adls/pom.xml
+++ b/pinot-plugins/pinot-file-system/pinot-adls/pom.xml
@@ -105,6 +105,11 @@
         <artifactId>wildfly-openssl-java</artifactId>
         <version>${wildfly-openssl.version}</version>
       </dependency>
+      <dependency>
+        <groupId>com.nimbusds</groupId>
+        <artifactId>nimbus-jose-jwt</artifactId>
+        <version>9.37.3</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 </project>
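Review bot: The added `nimbus-jose-jwt` entry hard-codes `9.37.3` and carries no reason for the pin, while the entry just above it takes its version from a property (`${wildfly-openssl.version}`). Because the pin sits in the adls module's own `dependencyManagement`, it appears to override the transitive version for this module only. Any other module that resolves nimbus-jose-jwt transitively would keep whatever version its dependencies bring in, so it is worth checking `mvn dependency:tree -Dincludes=com.nimbusds` across the build, or moving the pin to the root pom. I would also move the version into a property and add a comment such as `<!-- Pin nimbus-jose-jwt over the transitive version; advisory: <ADVISORY-ID placeholder> -->`, so that a later cleanup does not drop the override without knowing why it exists.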
diff --git a/pinot-plugins/pinot-stream-ingestion/pinot-pulsar/pom.xml 
b/pinot-plugins/pinot-stream-ingestion/pinot-pulsar/pom.xml
index 7926c5e33f..f6979225a2 100644
--- a/pinot-plugins/pinot-stream-ingestion/pinot-pulsar/pom.xml
+++ b/pinot-plugins/pinot-stream-ingestion/pinot-pulsar/pom.xml
@@ -38,7 +38,6 @@
     <phase.prop>package</phase.prop>
     <pinot.root>${basedir}/../../..</pinot.root>
     <pulsar.version>2.11.0</pulsar.version>
-    <jetty-server.version>9.4.51.v20230217</jetty-server.version>
     <javax.servlet-api.version>3.1.0</javax.servlet-api.version>
     <javax.ws.rs-api.version>2.1</javax.ws.rs-api.version>
     
<jersey-container-grizzly2-http.version>2.39</jersey-container-grizzly2-http.version>
@@ -54,17 +53,6 @@
   </properties>
 
   <dependencies>
-    <dependency>
-      <groupId>org.eclipse.jetty</groupId>
-      <artifactId>jetty-server</artifactId>
-      <version>${jetty-server.version}</version>
-      <exclusions>
-        <exclusion>
-          <groupId>javax.servlet</groupId>
-          <artifactId>javax.servlet-api</artifactId>
-        </exclusion>
-      </exclusions>
-    </dependency>
     <dependency>
       <groupId>org.testcontainers</groupId>
       <artifactId>pulsar</artifactId>
@@ -155,10 +143,13 @@
       <artifactId>simpleclient</artifactId>
       <version>${simpleclient_common.version}</version>
     </dependency>
+    <dependency>
+      <groupId>org.eclipse.jetty</groupId>
+      <artifactId>jetty-server</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.eclipse.jetty</groupId>
       <artifactId>jetty-servlet</artifactId>
-      <version>${jetty-server.version}</version>
     </dependency>
     <dependency>
       <groupId>com.squareup.okio</groupId>
diff --git a/pom.xml b/pom.xml
index b9b805b01d..ec7f86ac80 100644
--- a/pom.xml
+++ b/pom.xml
@@ -203,6 +203,7 @@
     <jline.version>3.24.1</jline.version>
     <wildfly.version>1.7.0.Final</wildfly.version>
     <jettison.version>1.5.4</jettison.version>
+    <eclipse.jetty.version>9.4.54.v20240208</eclipse.jetty.version>
   </properties>
 
   <profiles>
@@ -972,6 +973,45 @@
         <artifactId>jettison</artifactId>
         <version>${jettison.version}</version>
       </dependency>
+
+      <!-- Consolidate eclipse jetty dependencies for hadoop/spark/pulsar -->
+      <dependency>
+        <groupId>org.eclipse.jetty.websocket</groupId>
+        <artifactId>websocket-client</artifactId>
+        <version>${eclipse.jetty.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.eclipse.jetty</groupId>
+        <artifactId>jetty-server</artifactId>
+        <version>${eclipse.jetty.version}</version>
+        <exclusions>
+          <exclusion>
+            <groupId>javax.servlet</groupId>
+            <artifactId>javax.servlet-api</artifactId>
+          </exclusion>
+        </exclusions>
+      </dependency>
+      <dependency>
+        <groupId>org.eclipse.jetty</groupId>
+        <artifactId>jetty-servlet</artifactId>
+        <version>${eclipse.jetty.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.eclipse.jetty</groupId>
+        <artifactId>jetty-util</artifactId>
+        <version>${eclipse.jetty.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.eclipse.jetty</groupId>
+        <artifactId>jetty-util-ajax</artifactId>
+        <version>${eclipse.jetty.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.eclipse.jetty</groupId>
+        <artifactId>jetty-webapp</artifactId>
+        <version>${eclipse.jetty.version}</version>
+      </dependency>
+
       <!-- Upgrade hadoop-common dependency from hadoop-shaded-protobuf_3_7 to 
hadoop-shaded-protobuf_3_21 -->
       <dependency>
         <groupId>org.apache.hadoop.thirdparty</groupId>
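Review bot: The six managed entries added after the `Consolidate eclipse jetty dependencies` comment pin only the listed artifacts, so other Jetty modules that arrive transitively (for example jetty-http, jetty-io, jetty-security or jetty-xml from hadoop/spark) are still subject to normal Maven mediation. They could resolve to an older release, which leaves a mixed-version Jetty classpath and possibly the jars the upgrade was meant to replace. Importing `jetty-bom` at `${eclipse.jetty.version}` should cover the whole family in one place. The explicit `jetty-server` entry still has to stay, because a BOM import does not carry the `javax.servlet-api` exclusion. Running `mvn dependency:tree -Dincludes='org.eclipse.jetty*'` afterwards would confirm that a single Jetty version is resolved.

```xml
      <!-- Consolidate eclipse jetty dependencies for hadoop/spark/pulsar -->
      <dependency>
        <groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-bom</artifactId>
        <version>${eclipse.jetty.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <!-- … unchanged: jetty-server entry with the javax.servlet-api exclusion … -->
```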

