This is an automated email from the ASF dual-hosted git repository. wusheng pushed a commit to branch cve in repository https://gitbox.apache.org/repos/asf/skywalking.git
commit 0d4044dbda4acfb5e143a0f24ad5e1794373a98a Author: Wu Sheng <[email protected]> AuthorDate: Fri Nov 11 14:46:08 2022 +0800 Bump up Kafka client to 2.8.1 to fix CVE-2021-38153. --- dist-material/release-docs/LICENSE | 22 +++++++++++----------- docs/en/changes/changes.md | 3 ++- oap-server-bom/pom.xml | 2 +- 3 files changed, 14 insertions(+), 13 deletions(-) diff --git a/dist-material/release-docs/LICENSE b/dist-material/release-docs/LICENSE index 6bb498a288..445941f2c1 100755 --- a/dist-material/release-docs/LICENSE +++ b/dist-material/release-docs/LICENSE @@ -355,6 +355,7 @@ The text of each license is the standard Apache 2.0 license. https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient/4.5.13 Apache-2.0 https://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore/4.4.13 Apache-2.0 https://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore-nio/4.4.13 Apache-2.0 + https://mvnrepository.com/artifact/org.apache.kafka/kafka-clients/2.8.1 Apache-2.0 https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api/2.17.1 Apache-2.0 https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.17.1 Apache-2.0 https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-slf4j-impl/2.17.1 Apache-2.0 
@@ -378,30 +379,21 @@ The text of each license is the standard Apache 2.0 license. https://mvnrepository.com/artifact/org.jetbrains.kotlinx/kotlinx-coroutines-jdk8/1.6.4 Apache-2.0 https://mvnrepository.com/artifact/org.jetbrains.kotlinx/kotlinx-coroutines-reactive/1.6.4 Apache-2.0 https://mvnrepository.com/artifact/org.jetbrains/annotations/13.0 Apache-2.0 - https://mvnrepository.com/artifact/org.lz4/lz4-java/1.6.0 Apache-2.0 + https://mvnrepository.com/artifact/org.lz4/lz4-java/1.7.1 Apache-2.0 https://mvnrepository.com/artifact/org.mvel/mvel2/2.4.8.Final Apache-2.0 https://mvnrepository.com/artifact/org.slf4j/jcl-over-slf4j/1.7.30 Apache-2.0 https://mvnrepository.com/artifact/org.slf4j/log4j-over-slf4j/1.7.30 Apache-2.0 https://mvnrepository.com/artifact/org.slf4j/slf4j-api/1.7.30 Apache-2.0 - https://mvnrepository.com/artifact/org.xerial.snappy/snappy-java/1.1.7.3 Apache-2.0 + https://mvnrepository.com/artifact/org.xerial.snappy/snappy-java/1.1.8.1 Apache-2.0 https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.33 Apache-2.0 https://npmjs.com/package/typescript/v/4.4.4 4.4.4 Apache-2.0 -======================================================================== -Apache-2.0 and CDDL-1.1 and BSD-3-Clause and BSD-2-Clause licenses -======================================================================== -The following components are provided under the Apache-2.0 and CDDL-1.1 and BSD-3-Clause and BSD-2-Clause License. See project link for details. -The text of each license is also included in licenses/LICENSE-[project].txt. - - https://mvnrepository.com/artifact/org.apache.kafka/kafka-clients/2.4.1 Apache-2.0 and CDDL-1.1 and BSD-3-Clause and BSD-2-Clause - ======================================================================== BSD-2-Clause licenses ======================================================================== The following components are provided under the BSD-2-Clause License. See project link for details. 
The text of each license is also included in licenses/LICENSE-[project].txt. - https://mvnrepository.com/artifact/com.github.luben/zstd-jni/1.4.3-1 BSD-2-Clause https://mvnrepository.com/artifact/org.postgresql/postgresql/42.4.1 BSD-2-Clause ======================================================================== @@ -629,6 +621,14 @@ The text of each license is also included in licenses/LICENSE-[project].txt. https://mvnrepository.com/artifact/com.google.re2j/re2j/1.5 https://golang.org/LICENSE +======================================================================== +https://opensource.org/licenses/BSD-2-Clause;description=BSD 2-Clause License licenses +======================================================================== +The following components are provided under the https://opensource.org/licenses/BSD-2-Clause;description=BSD 2-Clause License License. See project link for details. +The text of each license is also included in licenses/LICENSE-[project].txt. + + https://mvnrepository.com/artifact/com.github.luben/zstd-jni/1.4.9-1 https://opensource.org/licenses/BSD-2-Clause;description=BSD 2-Clause License + ======================================================================== https://spdx.org/licenses/MIT-0.html licenses ======================================================================== diff --git a/docs/en/changes/changes.md b/docs/en/changes/changes.md index 7fea9928d8..606121aca5 100644 --- a/docs/en/changes/changes.md +++ b/docs/en/changes/changes.md 
@@ -105,7 +105,8 @@
 * Support span attached event concept in Zipkin and SkyWalking trace query.
 * Support span attached events on Zipkin lens UI.
 * Force UTF-8 encoding in `JsonLogHandler` of `kafka-fetcher-plugin`.
-* Fix max length to 512 of entity, instance and endpoint IDs in trace, log, profiling, topN tables(JDBC storages). The value was 200 by default.
+* Fix max length to 512 of entity, instance and endpoint IDs in trace, log, profiling, topN tables(JDBC storages). The value was 200 by default.
+* Bump up Kafka client to 2.8.1 to fix CVE-2021-38153.
 #### UI
diff --git a/oap-server-bom/pom.xml b/oap-server-bom/pom.xml
index 67334bcfc5..1d30803b04 100644
--- a/oap-server-bom/pom.xml
+++ b/oap-server-bom/pom.xml
@@ -74,7 +74,7 @@
 <httpcore.version>4.4.13</httpcore.version>
 <commons-compress.version>1.21</commons-compress.version>
 <banyandb-java-client.version>0.2.0</banyandb-java-client.version>
- <kafka-clients.version>2.4.1</kafka-clients.version>
+ <kafka-clients.version>2.8.1</kafka-clients.version>
 <spring-kafka-test.version>2.4.6.RELEASE</spring-kafka-test.version>
 </properties>
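Review bot: `spring-kafka-test.version`, on the context line directly below the changed property in `oap-server-bom/pom.xml`, stays at `2.4.6.RELEASE`. That release line presumably targets Kafka 2.4.x, so test-scope modules may still resolve older Kafka artifacts or clash with the 2.8.1 client. It is worth running `mvn dependency:tree -Dincludes=org.apache.kafka` to confirm that no module still resolves kafka-clients 2.4.1 after this change. Because the bump is a security fix, a short comment beside the property would guard against an accidental downgrade, e.g. `<!-- keep >= 2.8.1: CVE-2021-38153 -->`. The `<properties>` block starts outside the hunk, so other Kafka-related pins may exist that are not visible here.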
