This is an automated email from the ASF dual-hosted git repository.
hanahmily pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking.git
The following commit(s) were added to refs/heads/master by this push:
new 651f7f1 Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517,
CVE-2021-36090 (#7400)
651f7f1 is described below
commit 651f7f16ca22e8ad3238a1a5b5e49335849dc4ac
Author: 吴晟 Wu Sheng <[email protected]>
AuthorDate: Tue Aug 3 12:38:08 2021 +0800
Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400)
---
CHANGES.md | 5 +++++
dist-material/release-docs/LICENSE | 15 ++++++++-------
oap-server-bom/pom.xml | 2 +-
.../known-oap-backend-dependencies-es7.txt | 19 ++++++++++---------
tools/dependencies/known-oap-backend-dependencies.txt | 19 ++++++++++---------
5 files changed, 34 insertions(+), 26 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index f5f4bed..2dd50bd 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -8,10 +8,15 @@ Release Notes.
#### Project
#### Java Agent
+
* Support Multiple DNS period resolving mechanism
#### OAP-Backend
+* Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090. Upgrade
org.apache.commons:commons-compress to
+ 1.21.
+* kubernetes java client upgrade from 12.0.1 to 13.0.0
+
#### UI
#### Documentation
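Review bot: The OAP-Backend entries added here name only commons-compress and the kubernetes java client, yet the dependency lists in this same commit also move jose4j from 0.7.6 to 0.7.8, the Bouncy Castle jars from 1.68 to 1.69 (plus a new bcutil jar) and simpleclient_httpserver from 0.10.0 to 0.11.0. Either list those upgrades or, if they are pulled in by the kubernetes client 13.0.0 upgrade, say so, so that someone auditing the release can match the changelog to the shipped jars. The blank line added under "#### Java Agent" is unrelated to the fix and can be dropped.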
diff --git a/dist-material/release-docs/LICENSE
b/dist-material/release-docs/LICENSE
index e049a27..97c7696 100755
--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -270,7 +270,7 @@ The text of each license is the standard Apache 2.0 license.
Apache: commons-collections 3.2.2:
https://github.com/apache/commons-collections, Apache 2.0
Apache: commons-configuration 1.8:
https://github.com/apache/commons-configuration, Apache 2.0
Apache: commons-io 2.4: https://github.com/apache/commons-io, Apache 2.0
- Apache: commons-compress 1.20: https://github.com/apache/commons-compress,
Apache 2.0
+ Apache: commons-compress 1.21: https://github.com/apache/commons-compress,
Apache 2.0
Apache: commons-collections4 4.4:
https://mvnrepository.com/artifact/org.apache.commons/commons-collections4,
Apache 2.0
Apache: freemarker 2.3.28: https://github.com/apache/freemarker, Apache 2.0
netty 4.1.65: https://github.com/netty/netty/blob/4.1/LICENSE.txt, Apache
2.0
@@ -306,7 +306,7 @@ The text of each license is the standard Apache 2.0 license.
HikariCP 3.1.0: https://github.com/brettwooldridge/HikariCP, Apache 2.0
zipkin 2.9.1: https://github.com/openzipkin/zipkin, Apache 2.0
sharding-jdbc-core 2.0.3:
https://github.com/sharding-sphere/sharding-sphere, Apache 2.0
- kubernetes-client 12.0.1: https://github.com/kubernetes-client/java,
Apache 2.0
+ kubernetes-client 13.0.0: https://github.com/kubernetes-client/java,
Apache 2.0
proto files from istio/istio: https://github.com/istio/istio Apache 2.0
proto files from istio/api: https://github.com/istio/api Apache 2.0
nacos 1.4.2: https://github.com/alibaba/nacos, Apache 2.0
@@ -330,7 +330,7 @@ The text of each license is the standard Apache 2.0 license.
logging-interceptor 3.13.1:
https://github.com/square/okhttp/tree/master/okhttp-logging-interceptor, Apache
2.0
msgpack-core 0.8.16: https://github.com/msgpack/msgpack-java, Apache 2.0
swagger-annotations 1.6.2:
https://mvnrepository.com/artifact/io.swagger.core.v3/swagger-annotations,
Apache 2.0
- jose4j 0.7.6: https://mvnrepository.com/artifact/org.bitbucket.b_c/jose4j,
Apache 2.0
+ jose4j 0.7.8: https://mvnrepository.com/artifact/org.bitbucket.b_c/jose4j,
Apache 2.0
converter-moshi 2.5.0:
https://mvnrepository.com/artifact/com.squareup.retrofit2/converter-moshi,
Apache 2.0
vavr 0.10.3: https://github.com/vavr-io/vavr, Apache 2.0
kafka-clients 2.4.1: https://github.com/apache/kafka, Apache 2.0
@@ -340,7 +340,7 @@ The text of each license is the standard Apache 2.0 license.
mvel 2.4.8: https://github.com/mvel/mvel, Apache 2.0
okio 1.17.2: https://github.com/square/okio Apache 2.0
caffeine 2.6.2: https://github.com/ben-manes/caffeine Apache 2.0
- simpleclient_httpserver from prometheus
https://github.com/prometheus/client_java Apache 2.0
+ simpleclient_httpserver 0.11 from prometheus
https://github.com/prometheus/client_java Apache 2.0
jetcd 0.5.3, https://github.com/etcd-io/jetcd, Apache 2.0
failasfe 2.3.4, https://github.com/jhalterman/failsafe, Apache 2.0
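Review bot: The new simpleclient_httpserver entry gives the version as 0.11, while the jar recorded in both known-oap-backend-dependencies lists is simpleclient_httpserver-0.11.0.jar. Write 0.11.0 here so the LICENSE entry matches the shipped artifact exactly.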
@@ -356,9 +356,10 @@ The text of each license is also included at
licenses/LICENSE-[project].txt.
GraphQL java 8.0: https://github.com/graphql-java/graphql-java , MIT
GraphQL Java Tools 5.2.3:
https://github.com/graphql-java/graphql-java-tools , MIT
jopt-simple 5.0.2: https://github.com/jopt-simple/jopt-simple , MIT
- bcpkix-jdk15on 1.68: http://www.bouncycastle.org/licence.html , MIT
- bcprov-jdk15on 1.68: http://www.bouncycastle.org/licence.html , MIT
- bcprov-ext-jdk15on 1.68: http://www.bouncycastle.org/licence.html , MIT
+ bcpkix-jdk15on 1.69: http://www.bouncycastle.org/licence.html , MIT
+ bcprov-jdk15on 1.69: http://www.bouncycastle.org/licence.html , MIT
+ bcprov-ext-jdk15on 1.69: http://www.bouncycastle.org/licence.html , MIT
+ bcutil-ext-jdk15on 1.69: http://www.bouncycastle.org/licence.html , MIT
minimal-json 0.9.5: https://github.com/ralfstx/minimal-json, MIT
checker-qual 2.8.1: https://github.com/typetools/checker-framework, MIT
influxdb-java 2.15: https://github.com/influxdata/influxdb-java, MIT
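Review bot: The added line names the artifact bcutil-ext-jdk15on 1.69, but the jar added to both known-oap-backend-dependencies lists is bcutil-jdk15on-1.69.jar, with no "-ext". The LICENSE entry should read bcutil-jdk15on 1.69 so the license record matches the jar that is distributed.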
diff --git a/oap-server-bom/pom.xml b/oap-server-bom/pom.xml
index 2d3bd1a..5b4e179 100644
--- a/oap-server-bom/pom.xml
+++ b/oap-server-bom/pom.xml
@@ -47,7 +47,7 @@
<netty-tcnative-boringssl-static.version>2.0.39.Final</netty-tcnative-boringssl-static.version>
<jetty.version>9.4.40.v20210413</jetty.version>
<commons-io.version>2.6</commons-io.version>
- <kubernetes.version>12.0.1</kubernetes.version>
+ <kubernetes.version>13.0.0</kubernetes.version>
<hikaricp.version>3.1.0</hikaricp.version>
<zipkin.version>2.9.1</zipkin.version>
<jackson-core.version>2.12.2</jackson-core.version>
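Review bot: The only build change in this commit is the kubernetes.version property, so the move to commons-compress 1.21 that the commit title presents as the CVE fix appears to be a side effect of the kubernetes client upgrade rather than something this BOM enforces. Add an explicit commons-compress version property and a managed dependency entry for org.apache.commons:commons-compress at 1.21, so that a later change to the kubernetes client or to another dependency cannot silently resolve an older, affected version.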
diff --git a/tools/dependencies/known-oap-backend-dependencies-es7.txt
b/tools/dependencies/known-oap-backend-dependencies-es7.txt
index 8f2c7b6..d6a3530 100755
--- a/tools/dependencies/known-oap-backend-dependencies-es7.txt
+++ b/tools/dependencies/known-oap-backend-dependencies-es7.txt
@@ -8,17 +8,18 @@ aopalliance-1.0.jar
apollo-client-1.8.0.jar
apollo-core-1.8.0.jar
audience-annotations-0.5.0.jar
-bcpkix-jdk15on-1.68.jar
-bcprov-ext-jdk15on-1.68.jar
-bcprov-jdk15on-1.68.jar
+bcpkix-jdk15on-1.69.jar
+bcprov-ext-jdk15on-1.69.jar
+bcprov-jdk15on-1.69.jar
+bcutil-jdk15on-1.69.jar
checker-qual-2.8.1.jar
-client-java-12.0.1.jar
-client-java-api-12.0.1.jar
-client-java-proto-12.0.1.jar
+client-java-13.0.0.jar
+client-java-api-13.0.0.jar
+client-java-proto-13.0.0.jar
commons-beanutils-1.9.4.jar
commons-codec-1.11.jar
commons-collections4-4.4.jar
-commons-compress-1.20.jar
+commons-compress-1.21.jar
commons-dbcp-1.4.jar
commons-io-2.6.jar
commons-lang3-3.12.0.jar
@@ -95,7 +96,7 @@ jetty-util-ajax-9.4.40.v20210413.jar
jna-5.5.0.jar
joda-time-2.10.5.jar
jopt-simple-4.6.jar
-jose4j-0.7.6.jar
+jose4j-0.7.8.jar
jsr305-3.0.2.jar
kafka-clients-2.4.1.jar
kotlin-reflect-1.1.1.jar
@@ -158,7 +159,7 @@ s2-geometry-library-java-1.0.0.jar
simpleclient-0.6.0.jar
simpleclient_common-0.6.0.jar
simpleclient_hotspot-0.6.0.jar
-simpleclient_httpserver-0.10.0.jar
+simpleclient_httpserver-0.11.0.jar
slf4j-api-1.7.30.jar
snakeyaml-1.28.jar
snappy-java-1.1.7.3.jar
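Review bot: simpleclient_httpserver goes to 0.11.0 while the context lines keep simpleclient, simpleclient_common and simpleclient_hotspot at 0.6.0, which widens the version gap between modules of the same Prometheus client. Confirm that the 0.11.0 HTTP server runs against the 0.6.0 core jars, or align the four versions in the BOM; the same applies to the identical hunk in known-oap-backend-dependencies.txt.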
diff --git a/tools/dependencies/known-oap-backend-dependencies.txt
b/tools/dependencies/known-oap-backend-dependencies.txt
index 9dcd63e..682bad1 100755
--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -8,17 +8,18 @@ aopalliance-1.0.jar
apollo-client-1.8.0.jar
apollo-core-1.8.0.jar
audience-annotations-0.5.0.jar
-bcpkix-jdk15on-1.68.jar
-bcprov-ext-jdk15on-1.68.jar
-bcprov-jdk15on-1.68.jar
+bcpkix-jdk15on-1.69.jar
+bcprov-ext-jdk15on-1.69.jar
+bcprov-jdk15on-1.69.jar
+bcutil-jdk15on-1.69.jar
checker-qual-2.8.1.jar
-client-java-12.0.1.jar
-client-java-api-12.0.1.jar
-client-java-proto-12.0.1.jar
+client-java-13.0.0.jar
+client-java-api-13.0.0.jar
+client-java-proto-13.0.0.jar
commons-beanutils-1.9.4.jar
commons-codec-1.11.jar
commons-collections4-4.4.jar
-commons-compress-1.20.jar
+commons-compress-1.21.jar
commons-dbcp-1.4.jar
commons-io-2.6.jar
commons-lang3-3.12.0.jar
@@ -93,7 +94,7 @@ jetty-util-ajax-9.4.40.v20210413.jar
jna-4.5.1.jar
joda-time-2.10.5.jar
jopt-simple-4.6.jar
-jose4j-0.7.6.jar
+jose4j-0.7.8.jar
jsr305-3.0.2.jar
kafka-clients-2.4.1.jar
kotlin-reflect-1.1.1.jar
@@ -154,7 +155,7 @@ retrofit-2.5.0.jar
simpleclient-0.6.0.jar
simpleclient_common-0.6.0.jar
simpleclient_hotspot-0.6.0.jar
-simpleclient_httpserver-0.10.0.jar
+simpleclient_httpserver-0.11.0.jar
slf4j-api-1.7.30.jar
snakeyaml-1.28.jar
snappy-java-1.1.7.3.jar