This is an automated email from the ASF dual-hosted git repository.

eolivelli pushed a commit to branch branch-2.9
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/branch-2.9 by this push:
     new 47d91a1  [Security] Upgrade OkHttp3 to address CVE-2021-0341 (#13065)
47d91a1 is described below

commit 47d91a18662e0902cd0216948f054b2780505472
Author: Nicolò Boschi <[email protected]>
AuthorDate: Thu Dec 9 08:43:22 2021 +0100

    [Security] Upgrade OkHttp3 to address CVE-2021-0341 (#13065)
    
    * Upgrade OkHttp3 from 3.14.9 to 4.9.3
    * Upgrade Okio to the same version of OkHttp3 4.9.3
    * Override Okio transitive dependency - Kotlin stdlib - to 1.4.32 in order 
to address CVE-2020-29582
    
    (cherry picked from commit d24faac38bc8babd1167d9ae684a6273b65930d8)
---
 distribution/server/src/assemble/LICENSE.bin.txt | 14 ++++++++----
 pom.xml                                          | 29 ++++++++++++++++++++++--
 pulsar-sql/pom.xml                               | 29 ++++++++++++++++++++++++
 3 files changed, 66 insertions(+), 6 deletions(-)

diff --git a/distribution/server/src/assemble/LICENSE.bin.txt 
b/distribution/server/src/assemble/LICENSE.bin.txt
index 3ce4e42..51c7242 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -446,12 +446,18 @@ The Apache Software License, Version 2.0
  * SnakeYaml -- org.yaml-snakeyaml-1.27.jar
  * RocksDB - org.rocksdb-rocksdbjni-6.10.2.jar
  * Google Error Prone Annotations - 
com.google.errorprone-error_prone_annotations-2.5.1.jar
- * Apache Thrifth - org.apache.thrift-libthrift-0.14.2.jar
+ * Apache Thrift - org.apache.thrift-libthrift-0.14.2.jar
  * OkHttp3
-     - com.squareup.okhttp3-logging-interceptor-3.14.9.jar
-     - com.squareup.okhttp3-okhttp-3.14.9.jar
- * Okio - com.squareup.okio-okio-1.17.2.jar
+     - com.squareup.okhttp3-logging-interceptor-4.9.3.jar
+     - com.squareup.okhttp3-okhttp-4.9.3.jar
+ * Okio - com.squareup.okio-okio-2.8.0.jar
  * Javassist -- org.javassist-javassist-3.25.0-GA.jar
+ * Kotlin Standard Lib
+     - org.jetbrains.kotlin-kotlin-stdlib-1.4.32.jar
+     - org.jetbrains.kotlin-kotlin-stdlib-common-1.4.32.jar
+     - org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.4.32.jar
+     - org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.4.32.jar
+     - org.jetbrains-annotations-13.0.jar
  * gRPC
     - io.grpc-grpc-all-1.33.0.jar
     - io.grpc-grpc-auth-1.33.0.jar
diff --git a/pom.xml b/pom.xml
index c038be3..9824d9d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -192,9 +192,11 @@ flexible messaging model and an intuitive client 
API.</description>
     <jakarta.validation.version>2.0.2</jakarta.validation.version>
     <jna.version>4.2.0</jna.version>
     <kubernetesclient.version>12.0.1</kubernetesclient.version>
-    <okhttp3.version>3.14.9</okhttp3.version>
+    <okhttp3.version>4.9.3</okhttp3.version>
     <!-- use okio version that matches the okhttp3 version -->
-    <okio.version>1.17.2</okio.version>
+    <okio.version>2.8.0</okio.version>
+    <!-- override kotlin-stdlib used by okio in order to address 
CVE-2020-29582 -->
+    <kotlin-stdlib.version>1.4.32</kotlin-stdlib.version>
     <nsq-client.version>1.0</nsq-client.version>
     <cron-utils.version>9.1.3</cron-utils.version>
     <spring-context.version>5.3.1</spring-context.version>
@@ -1187,11 +1189,34 @@ flexible messaging model and an intuitive client 
API.</description>
         <version>${okhttp3.version}</version>
       </dependency>
       <dependency>
+        <groupId>com.squareup.okhttp3</groupId>
+        <artifactId>logging-interceptor</artifactId>
+        <version>${okhttp3.version}</version>
+      </dependency>
+      <dependency>
         <groupId>com.squareup.okio</groupId>
         <artifactId>okio</artifactId>
         <version>${okio.version}</version>
       </dependency>
 
+      <dependency>
+        <groupId>org.jetbrains.kotlin</groupId>
+        <artifactId>kotlin-stdlib</artifactId>
+        <version>${kotlin-stdlib.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.jetbrains.kotlin</groupId>
+        <artifactId>kotlin-stdlib-common</artifactId>
+        <version>${kotlin-stdlib.version}</version>
+      </dependency>
+
+      <dependency>
+        <groupId>org.jetbrains.kotlin</groupId>
+        <artifactId>kotlin-stdlib-jdk8</artifactId>
+        <version>${kotlin-stdlib.version}</version>
+      </dependency>
+
+
     </dependencies>
   </dependencyManagement>
 
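Review bot: The new dependencyManagement entries pin `kotlin-stdlib`, `kotlin-stdlib-common` and `kotlin-stdlib-jdk8` to `${kotlin-stdlib.version}`, but `kotlin-stdlib-jdk7` is not pinned even though the LICENSE hunk in this same commit lists `org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.4.32.jar` as shipped. It probably arrives transitively at 1.4.32 via `kotlin-stdlib-jdk8` today, but any other path that pulls `kotlin-stdlib-jdk7` at a different version would bypass the CVE-2020-29582 override that the property comment in the earlier hunk promises. Adding a matching managed entry makes the override hold for all four stdlib artifacts, and the two stray blank lines before `</dependencies>` (one is enough, matching the rest of the block) can go at the same time.
```xml
      <!-- … unchanged: kotlin-stdlib and kotlin-stdlib-common entries … -->
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-stdlib-jdk8</artifactId>
        <version>${kotlin-stdlib.version}</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-stdlib-jdk7</artifactId>
        <version>${kotlin-stdlib.version}</version>
      </dependency>
    </dependencies>
```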
diff --git a/pulsar-sql/pom.xml b/pulsar-sql/pom.xml
index aa59a6a..0336b16 100644
--- a/pulsar-sql/pom.xml
+++ b/pulsar-sql/pom.xml
@@ -37,6 +37,13 @@
         <module>presto-distribution</module>
     </modules>
 
+    <properties>
+        <!-- keep using okhttp3 3.x for Presto -->
+        <okhttp3.version>3.14.9</okhttp3.version>
+        <!-- use okio version that matches the okhttp3 version -->
+        <okio.version>1.17.2</okio.version>
+    </properties>
+
     <dependencyManagement>
         <dependencies>
             <dependency>
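Review bot: The `<!-- keep using okhttp3 3.x for Presto -->` comment on the new `<okhttp3.version>` property does not say why this module cannot take 4.9.3, and the effect is that pulsar-sql stays on the exact 3.14.9 release the commit title says it is moving off for CVE-2021-0341. Without that rationale a later maintainer cannot tell whether the pin is still required or is an oversight, and the residual exposure in this module is invisible from the commit message. Suggest recording both facts in the comment, e.g. `<!-- Presto still requires okhttp3 3.x (reason: TODO-FILL-IN); this module therefore stays on 3.14.9 and does not receive the CVE-2021-0341 fix applied in the root pom; lift once Presto permits -->`, and mentioning the carve-out in the commit description so the fix coverage is not overstated.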
@@ -104,6 +111,28 @@
                 <artifactId>jackson-datatype-jsr310</artifactId>
                 <version>${jackson.version}</version>
             </dependency>
+
+            <!-- keep using okhttp3 3.x for Presto -->
+            <dependency>
+                <groupId>com.squareup.okhttp3</groupId>
+                <artifactId>okhttp</artifactId>
+                <version>${okhttp3.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.squareup.okhttp3</groupId>
+                <artifactId>okhttp-urlconnection</artifactId>
+                <version>${okhttp3.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.squareup.okhttp3</groupId>
+                <artifactId>logging-interceptor</artifactId>
+                <version>${okhttp3.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.squareup.okio</groupId>
+                <artifactId>okio</artifactId>
+                <version>${okio.version}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 
