This is an automated email from the ASF dual-hosted git repository.
eolivelli pushed a commit to branch branch-2.9
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/branch-2.9 by this push:
new 47d91a1 [Security] Upgrade OkHttp3 to address CVE-2021-0341 (#13065)
47d91a1 is described below
commit 47d91a18662e0902cd0216948f054b2780505472
Author: Nicolò Boschi <[email protected]>
AuthorDate: Thu Dec 9 08:43:22 2021 +0100
[Security] Upgrade OkHttp3 to address CVE-2021-0341 (#13065)
* Upgrade OkHttp3 from 3.14.9 to 4.9.3
* Upgrade Okio to the same version of OkHttp3 4.9.3
* Override Okio transitive dependency - Kotlin stdlib - to 1.4.32 in order
to address CVE-2020-29582
(cherry picked from commit d24faac38bc8babd1167d9ae684a6273b65930d8)
---
distribution/server/src/assemble/LICENSE.bin.txt | 14 ++++++++----
pom.xml | 29 ++++++++++++++++++++++--
pulsar-sql/pom.xml | 29 ++++++++++++++++++++++++
3 files changed, 66 insertions(+), 6 deletions(-)
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt
b/distribution/server/src/assemble/LICENSE.bin.txt
index 3ce4e42..51c7242 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -446,12 +446,18 @@ The Apache Software License, Version 2.0
* SnakeYaml -- org.yaml-snakeyaml-1.27.jar
* RocksDB - org.rocksdb-rocksdbjni-6.10.2.jar
* Google Error Prone Annotations -
com.google.errorprone-error_prone_annotations-2.5.1.jar
- * Apache Thrifth - org.apache.thrift-libthrift-0.14.2.jar
+ * Apache Thrift - org.apache.thrift-libthrift-0.14.2.jar
* OkHttp3
- - com.squareup.okhttp3-logging-interceptor-3.14.9.jar
- - com.squareup.okhttp3-okhttp-3.14.9.jar
- * Okio - com.squareup.okio-okio-1.17.2.jar
+ - com.squareup.okhttp3-logging-interceptor-4.9.3.jar
+ - com.squareup.okhttp3-okhttp-4.9.3.jar
+ * Okio - com.squareup.okio-okio-2.8.0.jar
* Javassist -- org.javassist-javassist-3.25.0-GA.jar
+ * Kotlin Standard Lib
+ - org.jetbrains.kotlin-kotlin-stdlib-1.4.32.jar
+ - org.jetbrains.kotlin-kotlin-stdlib-common-1.4.32.jar
+ - org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.4.32.jar
+ - org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.4.32.jar
+ - org.jetbrains-annotations-13.0.jar
* gRPC
- io.grpc-grpc-all-1.33.0.jar
- io.grpc-grpc-auth-1.33.0.jar
diff --git a/pom.xml b/pom.xml
index c038be3..9824d9d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -192,9 +192,11 @@ flexible messaging model and an intuitive client
API.</description>
<jakarta.validation.version>2.0.2</jakarta.validation.version>
<jna.version>4.2.0</jna.version>
<kubernetesclient.version>12.0.1</kubernetesclient.version>
- <okhttp3.version>3.14.9</okhttp3.version>
+ <okhttp3.version>4.9.3</okhttp3.version>
<!-- use okio version that matches the okhttp3 version -->
- <okio.version>1.17.2</okio.version>
+ <okio.version>2.8.0</okio.version>
+ <!-- override kotlin-stdlib used by okio in order to address
CVE-2020-29582 -->
+ <kotlin-stdlib.version>1.4.32</kotlin-stdlib.version>
<nsq-client.version>1.0</nsq-client.version>
<cron-utils.version>9.1.3</cron-utils.version>
<spring-context.version>5.3.1</spring-context.version>
@@ -1187,11 +1189,34 @@ flexible messaging model and an intuitive client
API.</description>
<version>${okhttp3.version}</version>
</dependency>
<dependency>
+ <groupId>com.squareup.okhttp3</groupId>
+ <artifactId>logging-interceptor</artifactId>
+ <version>${okhttp3.version}</version>
+ </dependency>
+ <dependency>
<groupId>com.squareup.okio</groupId>
<artifactId>okio</artifactId>
<version>${okio.version}</version>
</dependency>
+ <dependency>
+ <groupId>org.jetbrains.kotlin</groupId>
+ <artifactId>kotlin-stdlib</artifactId>
+ <version>${kotlin-stdlib.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.jetbrains.kotlin</groupId>
+ <artifactId>kotlin-stdlib-common</artifactId>
+ <version>${kotlin-stdlib.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.jetbrains.kotlin</groupId>
+ <artifactId>kotlin-stdlib-jdk8</artifactId>
+ <version>${kotlin-stdlib.version}</version>
+ </dependency>
+
+
</dependencies>
</dependencyManagement>
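Review bot: kotlin-stdlib-jdk7 is not pinned alongside the three kotlin-stdlib entries added here, although the LICENSE.bin.txt hunk in this same commit lists `org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.4.32.jar`, so the override meant to address CVE-2020-29582 covers only three of the four stdlib artifacts and jdk7's version is left to transitive resolution. If jdk7 is only reached through kotlin-stdlib-jdk8 it will presumably follow `${kotlin-stdlib.version}`, but any other dependency path could pull an older release with no managed entry catching it; adding a managed `kotlin-stdlib-jdk7` entry at `${kotlin-stdlib.version}` makes the override complete, as shown below. The two stray blank lines before `</dependencies>` and the one between the -common and -jdk8 entries should also be dropped to match the surrounding entries. The enclosing `<dependencies>` element starts outside the hunk.
```xml
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-stdlib-jdk8</artifactId>
        <version>${kotlin-stdlib.version}</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-stdlib-jdk7</artifactId>
        <version>${kotlin-stdlib.version}</version>
      </dependency>
    </dependencies>
```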
diff --git a/pulsar-sql/pom.xml b/pulsar-sql/pom.xml
index aa59a6a..0336b16 100644
--- a/pulsar-sql/pom.xml
+++ b/pulsar-sql/pom.xml
@@ -37,6 +37,13 @@
<module>presto-distribution</module>
</modules>
+ <properties>
+ <!-- keep using okhttp3 3.x for Presto -->
+ <okhttp3.version>3.14.9</okhttp3.version>
+ <!-- use okio version that matches the okhttp3 version -->
+ <okio.version>1.17.2</okio.version>
+ </properties>
+
<dependencyManagement>
<dependencies>
<dependency>
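Review bot: The comment `<!-- keep using okhttp3 3.x for Presto -->` gives no reason and does not record that pinning okhttp 3.14.9 here means the CVE-2021-0341 fix this commit applies in the root pom does not reach the pulsar-sql module. Presumably a Presto compatibility constraint forces the 3.x line; the comment should say so and make the residual exposure explicit, e.g. `<!-- keep using okhttp3 3.x for Presto (compatibility constraint, to be confirmed); this leaves CVE-2021-0341, fixed by the root pom's 4.9.3 upgrade, unaddressed in this module -->`. The same wording applies to the duplicated comment above the dependencyManagement entries in the following hunk, which re-pin okhttp, okhttp-urlconnection, logging-interceptor and okio to the 3.x/1.x line.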
@@ -104,6 +111,28 @@
<artifactId>jackson-datatype-jsr310</artifactId>
<version>${jackson.version}</version>
</dependency>
+
+ <!-- keep using okhttp3 3.x for Presto -->
+ <dependency>
+ <groupId>com.squareup.okhttp3</groupId>
+ <artifactId>okhttp</artifactId>
+ <version>${okhttp3.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>com.squareup.okhttp3</groupId>
+ <artifactId>okhttp-urlconnection</artifactId>
+ <version>${okhttp3.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>com.squareup.okhttp3</groupId>
+ <artifactId>logging-interceptor</artifactId>
+ <version>${okhttp3.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>com.squareup.okio</groupId>
+ <artifactId>okio</artifactId>
+ <version>${okio.version}</version>
+ </dependency>
</dependencies>
</dependencyManagement>