wu-sheng opened a new pull request, #13920:
URL: https://github.com/apache/skywalking/pull/13920

### Fix CVE-2021-0341 carried by the abandoned `com.orbitz.consul:consul-client`

- [x] Add a unit test to verify that the fix works.
- [x] Explain briefly why the bug exists and how to fix it.

Migrate the Consul cluster and configuration plugins from the abandoned `com.orbitz.consul:consul-client` `1.5.3` to the maintained fork `org.kiwiproject:consul-client` `0.9.0`.

**Why:** the old `com.orbitz.consul` client is abandoned and pins okhttp `3.14.9`, which carries **CVE-2021-0341** (improper hostname verification, fixed in okhttp `4.9.2`).

**How:**
- Switch both plugins to the maintained fork `org.kiwiproject:consul-client`. It is a drop-in package rename (`com.orbitz.consul` → `org.kiwiproject.consul`); the plugins use only stable Consul APIs, so there are no logic changes (existing UTs/ITs cover the behavior).
- Pin to `0.9.0` specifically: it is the newest fork release still compiled to **JDK 11** bytecode (class major 55). Releases `1.0.0+` are Java-17 bytecode (major 61) and would break SkyWalking's JDK 11 support (`maven.compiler.release=11`; CI builds on JDK 11).
- Bump okhttp `3.14.9` → `4.12.0` in the BOM (clears CVE-2021-0341; Java-8/11 safe). okhttp is pulled **only** by the Consul plugins — the fabric8 Kubernetes client excludes its okhttp transport — so no other module is affected.
- Pin `jackson-datatype-jdk8` / `jackson-datatype-guava` to the managed jackson `2.18.6` so the fork cannot drag in an off-version (it declares `2.15.2`).
- Integration tests stay on `consul:0.9` (unchanged from master). Regenerated `dist-material/release-docs/LICENSE` and added `.licenserc.yaml` mappings for the changed dependencies.

Verified locally: full `-Pall` build, unit tests, cluster IT (5/5) and configuration IT (2/2) all pass; checkstyle clean; license headers valid; `license-eye dependency resolve` produces a clean LICENSE.

- [ ] If this pull request closes/resolves/fixes an existing issue, replace the issue number. Closes #<issue number>.
- [x] Update the [`CHANGES` log](https://github.com/apache/skywalking/blob/master/docs/en/changes/changes.md).

🤖 Generated with [Claude Code](https://claude.com/claude-code)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
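The bytecode constraint the PR uses to choose `0.9.0` over `1.0.0+` (class major 55 for JDK 11 versus 61 for Java 17) is something a build can verify for every dependency rather than trust from a changelog. The checker below is an added example, not code from the PR or the SkyWalking project; it reads the class-file header of every base `.class` entry in a jar, skips Multi-Release overlays under `META-INF/versions/` (which a JDK 11 runtime never loads), and reports entries newer than the target. The jars it inspects are constructed in memory as stand-ins for a real artifact.

```python
import io
import struct
import zipfile

# Class-file major versions from the JVM spec: 55 = Java 11, 61 = Java 17.
JAVA_11_MAJOR = 55
JAVA_17_MAJOR = 61
CLASS_MAGIC = 0xCAFEBABE


def class_major(class_bytes: bytes) -> int:
    """Major version from a class-file header (u4 magic, u2 minor, u2 major)."""
    if len(class_bytes) < 8:
        raise ValueError("truncated class file")
    magic, _minor, major = struct.unpack(">IHH", class_bytes[:8])
    if magic != CLASS_MAGIC:
        raise ValueError("not a Java class file")
    return major


def jar_class_majors(jar_bytes: bytes) -> dict:
    """Map each base .class entry of a jar to its major version. Entries under
    META-INF/versions/N/ are skipped: a Multi-Release JAR may legitimately ship
    newer bytecode there, and a JDK 11 runtime never loads it."""
    majors = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class") and not name.startswith("META-INF/versions/"):
                majors[name] = class_major(jar.read(name)[:8])
    return majors


def too_new_for(jar_bytes: bytes, target_major: int = JAVA_11_MAJOR) -> list:
    """Class entries compiled for a JVM newer than target_major (empty = OK)."""
    return sorted(n for n, m in jar_class_majors(jar_bytes).items() if m > target_major)


def make_test_jar(entries: dict) -> bytes:
    """In-memory jar whose entries hold only a class-file header
    (constructed sample data standing in for a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, major in entries.items():
            jar.writestr(name, struct.pack(">IHH", CLASS_MAGIC, 0, major))
    return buf.getvalue()


# Constructed stand-ins: a JDK 11 build (with a harmless Multi-Release JDK 17
# overlay) and a JDK 17-only build of the same hypothetical client library.
JDK11_JAR = make_test_jar({"org/example/Client.class": JAVA_11_MAJOR,
                           "META-INF/versions/17/org/example/Client.class": JAVA_17_MAJOR})
JDK17_JAR = make_test_jar({"org/example/Client.class": JAVA_17_MAJOR})
```

Running `too_new_for` over the jars in the local Maven repository after a dependency bump turns the "still JDK 11 bytecode" claim into a failing check instead of a review comment.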
