nicoloboschi opened a new pull request #13065:
URL: https://github.com/apache/pulsar/pull/13065


   ### Motivation
   
   The current OkHttp3 version - 3.14.9 - has an open CVE 
(https://nvd.nist.gov/vuln/detail/CVE-2021-0341) with a score of 7.5.
   OkHttp3 is used by the Java Kubernetes Client (currently only used by the Pulsar 
Function Worker in "kubernetes" mode)
   
   I upgraded to the latest stable release (4.9.3), where a fix for the CVE has 
been [committed](https://github.com/square/okhttp/pull/6741). The OkHttp3 team 
[claims](https://square.github.io/okhttp/upgrading_to_okhttp_4/) that 3.x and 
4.x are fully compatible (at least the Java library)
   
   > OkHttp 4.x is both binary- and Java source-compatible with OkHttp 3.x. You 
can use an OkHttp 4.x .jar file with applications or libraries built for OkHttp 
3.x.
   
   Upgrading OkHttp3 and Okio pulls in a new transitive dependency - the Kotlin 
Standard Lib (licensed under Apache 2.0)
   
   ```
   io.kubernetes:client-java:jar:12.0.1:compile
   [INFO] |  |     +- io.kubernetes:client-java-api:jar:12.0.1:compile
   [INFO] |  |     |  +- com.squareup.okhttp3:okhttp:jar:4.9.3:compile
   [INFO] |  |     |  |  +- com.squareup.okio:okio:jar:2.8.0:compile
   [INFO] |  |     |  |  |  \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.4.32:compile
   [INFO] |  |     |  |  \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.4.32:compile
   [INFO] |  |     |  |     \- org.jetbrains:annotations:jar:13.0:compile
   [INFO] |  |     |  +- com.squareup.okhttp3:logging-interceptor:jar:4.9.3:compile
   [INFO] |  |     |  |  \- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.4.32:compile
   [INFO] |  |     |  |     \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.4.32:compile
   ```
   
   Unfortunately, the `kotlin-stdlib` version used by Okio and OkHttp3 has, in 
turn, an open CVE (https://nvd.nist.gov/vuln/detail/CVE-2020-29582); in order 
not to introduce another vulnerability, I've overridden the version with the 
latest stable one (1.4.32) 
   
   ### Modifications
   
   * Upgrade OkHttp3 from 3.14.9 to 4.9.3
   * Upgrade Okio to the same version of OkHttp3 4.9.3
   * Override Okio transitive dependency - Kotlin stdlib - to 1.4.32 in order 
to address CVE-2020-29582
   
   
   ### Verifying this change
   
   The change must be verified by deploying and testing a Pulsar Function with 
`runtime` set to `kubernetes`. (I already performed this kind of test)
   
   ### Does this pull request potentially affect one of the following parts:
   
   *If `yes` was chosen, please highlight the changes*
   
     - Dependencies (does it add or upgrade a dependency): (yes)
     - The public API: (no)
     - The schema: (no)
     - The default values of configurations: (no)
     - The wire protocol: (no)
     - The rest endpoints: (no)
     - The admin cli options: (no)
     - Anything that affects deployment: (no)
   
   ### Documentation
    
   - [x] `no-need-doc` 
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


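As an added example (not code from this PR, nor from the Pulsar, OkHttp or Kotlin projects), the following Python check turns a `mvn dependency:tree` listing like the one quoted in the PR into a list of artifacts that sit below a required minimum version, so the OkHttp3 upgrade and the `kotlin-stdlib` override can be confirmed from the tree output rather than by eye. The minimum versions are the ones the PR settles on (okhttp 4.9.3, kotlin-stdlib 1.4.32), used here as policy thresholds rather than the exact fixed ranges from the CVE records. The "before" and "unpinned" trees are constructed for the example; the okio 1.17.2 and kotlin-stdlib 1.4.10 values in them are hypothetical, while the "after" tree is the PR's own listing.

```python
"""Check a `mvn dependency:tree` listing for artifacts below a minimum version."""
import re
from typing import Dict, List, Tuple

MAVEN_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# Policy thresholds (assumption: the versions the PR settles on, used as the
# floor here; they are not the exact fixed ranges from the CVE records).
MIN_VERSIONS: Dict[str, str] = {
    "com.squareup.okhttp3:okhttp": "4.9.3",
    "com.squareup.okhttp3:logging-interceptor": "4.9.3",
    "org.jetbrains.kotlin:kotlin-stdlib*": "1.4.32",  # '*' = artifactId prefix
}

# groupId:artifactId:type[:classifier]:version[:scope] at the end of a tree line
COORD_RE = re.compile(r"([A-Za-z0-9_.\-]+(?::[A-Za-z0-9_.\-]+){2,5})\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.9.3' -> (4, 9, 3); qualifiers such as SNAPSHOT count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", text))


def parse_tree(tree_text: str) -> List[Tuple[str, str, str]]:
    """Extract (groupId, artifactId, version) from every coordinate line."""
    coords = []
    for line in tree_text.splitlines():
        match = COORD_RE.search(line)
        if not match:
            continue  # blank line or other non-coordinate output
        parts = match.group(1).split(":")
        if parts[-1] in MAVEN_SCOPES:
            parts = parts[:-1]  # drop the scope; version is now the last token
        if len(parts) < 4:
            continue  # need at least groupId:artifactId:type:version
        coords.append((parts[0], parts[1], parts[-1]))
    return coords


def matches_rule(group: str, artifact: str, rule: str) -> bool:
    """A rule is 'groupId:artifactId'; a trailing '*' makes it a prefix match."""
    rule_group, rule_artifact = rule.split(":")
    if group != rule_group:
        return False
    if rule_artifact.endswith("*"):
        return artifact.startswith(rule_artifact[:-1])
    return artifact == rule_artifact


def find_below_minimum(tree_text: str) -> List[Tuple[str, str, str]]:
    """Return (groupId:artifactId, found_version, required_minimum) per violation."""
    findings = []
    for group, artifact, version in parse_tree(tree_text):
        for rule, minimum in MIN_VERSIONS.items():
            if matches_rule(group, artifact, rule) and parse_version(version) < parse_version(minimum):
                findings.append((f"{group}:{artifact}", version, minimum))
    return findings


# Constructed tree before the upgrade (okio 1.17.2 is a hypothetical value).
BEFORE_TREE = r"""
[INFO] |  |     +- io.kubernetes:client-java-api:jar:12.0.1:compile
[INFO] |  |     |  +- com.squareup.okhttp3:okhttp:jar:3.14.9:compile
[INFO] |  |     |  |  \- com.squareup.okio:okio:jar:1.17.2:compile
[INFO] |  |     |  +- com.squareup.okhttp3:logging-interceptor:jar:3.14.9:compile
"""

# Constructed tree: OkHttp upgraded but kotlin-stdlib left unpinned (1.4.10 is hypothetical).
UNPINNED_TREE = r"""
[INFO] |  |     |  +- com.squareup.okhttp3:okhttp:jar:4.9.3:compile
[INFO] |  |     |  |  +- com.squareup.okio:okio:jar:2.8.0:compile
[INFO] |  |     |  |  |  \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.4.10:compile
[INFO] |  |     |  |  \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.4.10:compile
"""

# The tree as shown in the PR after the upgrade and the kotlin-stdlib override.
AFTER_TREE = r"""
io.kubernetes:client-java:jar:12.0.1:compile
[INFO] |  |     +- io.kubernetes:client-java-api:jar:12.0.1:compile
[INFO] |  |     |  +- com.squareup.okhttp3:okhttp:jar:4.9.3:compile
[INFO] |  |     |  |  +- com.squareup.okio:okio:jar:2.8.0:compile
[INFO] |  |     |  |  |  \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.4.32:compile
[INFO] |  |     |  |  \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.4.32:compile
[INFO] |  |     |  |     \- org.jetbrains:annotations:jar:13.0:compile
[INFO] |  |     |  +- com.squareup.okhttp3:logging-interceptor:jar:4.9.3:compile
[INFO] |  |     |  |  \- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.4.32:compile
[INFO] |  |     |  |     \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.4.32:compile
"""

if __name__ == "__main__":
    for name, tree in (("before upgrade", BEFORE_TREE),
                       ("upgrade without kotlin pin", UNPINNED_TREE),
                       ("this PR", AFTER_TREE)):
        hits = find_below_minimum(tree)
        print(f"{name}: {len(hits)} artifact(s) below minimum")
        for coord, found, needed in hits:
            print(f"  {coord} {found} < {needed}")
```

Run it against the real output of `mvn dependency:tree` (e.g. `mvn dependency:tree | python3 check_tree.py` after swapping the constants for `sys.stdin.read()`), and extend `MIN_VERSIONS` as new advisories arrive; the prefix rule matters here because the fix has to cover `kotlin-stdlib`, `kotlin-stdlib-common`, `kotlin-stdlib-jdk7` and `kotlin-stdlib-jdk8` together, not just the one artifact named in the override.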