Upgrade dependencies for security fixes (apache#5232)

* Upgrade dependencies for security fixes * Use guava 18 for jclouds-shaded * Fix the guava version for HDFS tiered storage component * Rollback guava to 25.1 since there are API breaking changes * Rollback to Maven 3.0.5 which has the fix for sec issue * Fixed Jetty SslContextFactory creation * Roll back to 9.4.20.v20190813
ouyanghuangzheng · Oct 31, 2019 · 0076a1b · 0076a1b
1 parent a9b893f
commit 0076a1b
Show file tree

Hide file tree

Showing 11 changed files with 138 additions and 64 deletions.
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -325,7 +325,9 @@ The Apache Software License, Version 2.0
  * Caffeine -- com.github.ben-manes.caffeine-caffeine-2.6.2.jar
  * Proto Google Common Protos -- com.google.api.grpc-proto-google-common-protos-1.12.0.jar
  * Gson -- com.google.code.gson-gson-2.8.2.jar
- * Guava -- com.google.guava-guava-21.0.jar
+ * Guava
+    - com.google.guava-guava-25.1-jre.jar
+ * J2ObjC Annotations -- com.google.j2objc-j2objc-annotations-1.1.jar
  * Netty Reactive Streams -- com.typesafe.netty-netty-reactive-streams-2.0.0.jar
  * Swagger
     - io.swagger-swagger-annotations-1.5.21.jar
@@ -343,7 +345,7 @@ The Apache Software License, Version 2.0
     - commons-lang-commons-lang-2.6.jar
     - commons-logging-commons-logging-1.1.1.jar
     - org.apache.commons-commons-collections4-4.1.jar
-    - org.apache.commons-commons-compress-1.15.jar
+    - org.apache.commons-commons-compress-1.19.jar
     - org.apache.commons-commons-lang3-3.4.jar
  * Netty
     - io.netty-netty-buffer-4.1.43.Final.jar
@@ -411,29 +413,29 @@ The Apache Software License, Version 2.0
     - org.asynchttpclient-async-http-client-2.7.0.jar
     - org.asynchttpclient-async-http-client-netty-utils-2.7.0.jar
  * Jetty
-    - org.eclipse.jetty-jetty-client-9.4.12.v20180830.jar
-    - org.eclipse.jetty-jetty-continuation-9.4.12.v20180830.jar
-    - org.eclipse.jetty-jetty-http-9.4.12.v20180830.jar
-    - org.eclipse.jetty-jetty-io-9.4.12.v20180830.jar
-    - org.eclipse.jetty-jetty-proxy-9.4.12.v20180830.jar
-    - org.eclipse.jetty-jetty-security-9.4.12.v20180830.jar
-    - org.eclipse.jetty-jetty-server-9.4.12.v20180830.jar
-    - org.eclipse.jetty-jetty-servlet-9.4.12.v20180830.jar
-    - org.eclipse.jetty-jetty-servlets-9.4.12.v20180830.jar
-    - org.eclipse.jetty-jetty-util-9.4.12.v20180830.jar
-    - org.eclipse.jetty-jetty-xml-9.4.12.v20180830.jar
-    - org.eclipse.jetty.websocket-javax-websocket-client-impl-9.4.12.v20180830.jar
-    - org.eclipse.jetty.websocket-websocket-api-9.4.12.v20180830.jar
-    - org.eclipse.jetty.websocket-websocket-client-9.4.12.v20180830.jar
-    - org.eclipse.jetty.websocket-websocket-common-9.4.12.v20180830.jar
-    - org.eclipse.jetty.websocket-websocket-server-9.4.12.v20180830.jar
-    - org.eclipse.jetty.websocket-websocket-servlet-9.4.12.v20180830.jar
+    - org.eclipse.jetty-jetty-client-9.4.20.v20190813.jar
+    - org.eclipse.jetty-jetty-continuation-9.4.20.v20190813.jar
+    - org.eclipse.jetty-jetty-http-9.4.20.v20190813.jar
+    - org.eclipse.jetty-jetty-io-9.4.20.v20190813.jar
+    - org.eclipse.jetty-jetty-proxy-9.4.20.v20190813.jar
+    - org.eclipse.jetty-jetty-security-9.4.20.v20190813.jar
+    - org.eclipse.jetty-jetty-server-9.4.20.v20190813.jar
+    - org.eclipse.jetty-jetty-servlet-9.4.20.v20190813.jar
+    - org.eclipse.jetty-jetty-servlets-9.4.20.v20190813.jar
+    - org.eclipse.jetty-jetty-util-9.4.20.v20190813.jar
+    - org.eclipse.jetty-jetty-xml-9.4.20.v20190813.jar
+    - org.eclipse.jetty.websocket-javax-websocket-client-impl-9.4.20.v20190813.jar
+    - org.eclipse.jetty.websocket-websocket-api-9.4.20.v20190813.jar
+    - org.eclipse.jetty.websocket-websocket-client-9.4.20.v20190813.jar
+    - org.eclipse.jetty.websocket-websocket-common-9.4.20.v20190813.jar
+    - org.eclipse.jetty.websocket-websocket-server-9.4.20.v20190813.jar
+    - org.eclipse.jetty.websocket-websocket-servlet-9.4.20.v20190813.jar
  * SnakeYaml -- org.yaml-snakeyaml-1.23.jar
  * RocksDB - org.rocksdb-rocksdbjni-5.13.3.jar
  * HttpClient
     - org.apache.httpcomponents-httpclient-4.5.5.jar
     - org.apache.httpcomponents-httpcore-4.4.9.jar
- * Google Error Prone Annotations - com.google.errorprone-error_prone_annotations-2.2.0.jar
+ * Google Error Prone Annotations - com.google.errorprone-error_prone_annotations-2.1.3.jar
  * OkHttp - com.squareup.okhttp-okhttp-2.5.0.jar
  * Okio - com.squareup.okio-okio-1.13.0.jar
  * Javassist -- org.javassist-javassist-3.25.0-GA.jar
@@ -469,8 +471,6 @@ The Apache Software License, Version 2.0
     - org.inferred-freebuilder-1.14.9.jar
   * Snappy Java
     - org.xerial.snappy-snappy-java-1.1.1.3.jar
-  * Objenesis
-    - org.objenesis-objenesis-2.6.jar
   * Squareup
     - com.squareup.okhttp-logging-interceptor-2.7.5.jar
     - com.squareup.okhttp-okhttp-ws-2.7.5.jar
@@ -518,9 +518,10 @@ MIT License
     - org.slf4j-slf4j-api-1.7.25.jar
     - org.slf4j-jcl-over-slf4j-1.7.25.jar
  * Animal Sniffer Annotations
-    - org.codehaus.mojo-animal-sniffer-annotations-1.17.jar
+    - org.codehaus.mojo-animal-sniffer-annotations-1.14.jar
  * The Checker Framework
-    - org.checkerframework-checker-compat-qual-2.5.2.jar
+ 	- org.checkerframework-checker-compat-qual-2.5.2.jar
+    - org.checkerframework-checker-qual-2.0.0.jar
 
 Protocol Buffers License
  * Protocol Buffers

diff --git a/jclouds-shaded/pom.xml b/jclouds-shaded/pom.xml
@@ -45,6 +45,17 @@
     </dependency>
   </dependencies>
 
+  <dependencyManagement>
+    <dependencies>
+      <!-- JClouds still is using Guava 18.0 and it won't work with newer versions -->
+      <dependency>
+        <groupId>com.google.guava</groupId>
+        <artifactId>guava</artifactId>
+        <version>18.0</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
   <build>
     <plugins>
       <plugin>

diff --git a/pom.xml b/pom.xml
@@ -146,14 +146,14 @@ flexible messaging model and an intuitive client API.</description>
     <pulsar.protobuf.shaded.version>2.1.0-incubating</pulsar.protobuf.shaded.version>
 
     <!-- apache commons -->
-    <commons-compress.version>1.15</commons-compress.version>
+    <commons-compress.version>1.19</commons-compress.version>
 
     <bookkeeper.version>4.9.2</bookkeeper.version>
     <zookeeper.version>3.4.13</zookeeper.version>
     <netty.version>4.1.43.Final</netty.version>
     <netty-tc-native.version>2.0.26.Final</netty-tc-native.version>
     <storm.version>2.0.0</storm.version>
-    <jetty.version>9.4.12.v20180830</jetty.version>
+    <jetty.version>9.4.20.v20190813</jetty.version>
     <jersey.version>2.27</jersey.version>
     <athenz.version>1.8.17</athenz.version>
     <prometheus.version>0.5.0</prometheus.version>
@@ -201,7 +201,8 @@ flexible messaging model and an intuitive client API.</description>
     <zstd.version>1.3.7-3</zstd.version>
     <snappy.version>1.1.1.3</snappy.version>
     <hbase.version>1.4.9</hbase.version>
-
+    <guava.version>25.1-jre</guava.version>
+
     <!-- test dependencies -->
     <cassandra.version>3.6.0</cassandra.version>
     <disruptor.version>3.4.0</disruptor.version>
@@ -536,7 +537,7 @@ flexible messaging model and an intuitive client API.</description>
       <dependency>
         <groupId>com.google.guava</groupId>
         <artifactId>guava</artifactId>
-        <version>21.0</version>
+        <version>${guava.version}</version>
       </dependency>
 
       <dependency>

diff --git a/...unctions/runtime/src/main/java/org/apache/pulsar/functions/runtime/KubernetesRuntime.java b/...unctions/runtime/src/main/java/org/apache/pulsar/functions/runtime/KubernetesRuntime.java
@@ -23,6 +23,7 @@
 import com.google.common.util.concurrent.FutureCallback;
 import com.google.common.util.concurrent.Futures;
 import com.google.common.util.concurrent.ListenableFuture;
+import com.google.common.util.concurrent.MoreExecutors;
 import com.google.gson.Gson;
 import com.google.protobuf.Empty;
 import com.squareup.okhttp.Response;
@@ -329,7 +330,7 @@ public void onFailure(Throwable throwable) {
             public void onSuccess(FunctionStatus t) {
                 retval.complete(t);
             }
-        });
+        }, MoreExecutors.directExecutor());
         return retval;
     }
 
@@ -372,7 +373,7 @@ public void onFailure(Throwable throwable) {
             public void onSuccess(InstanceCommunication.MetricsData t) {
                 retval.complete(t);
             }
-        });
+        }, MoreExecutors.directExecutor());
         return retval;
     }
 

diff --git a/...r-functions/runtime/src/main/java/org/apache/pulsar/functions/runtime/ProcessRuntime.java b/...r-functions/runtime/src/main/java/org/apache/pulsar/functions/runtime/ProcessRuntime.java
@@ -22,6 +22,7 @@
 import com.google.common.util.concurrent.FutureCallback;
 import com.google.common.util.concurrent.Futures;
 import com.google.common.util.concurrent.ListenableFuture;
+import com.google.common.util.concurrent.MoreExecutors;
 import com.google.gson.Gson;
 import com.google.protobuf.Empty;
 import io.grpc.ManagedChannel;
@@ -237,7 +238,7 @@ public void onFailure(Throwable throwable) {
             public void onSuccess(InstanceCommunication.FunctionStatus t) {
                 retval.complete(t);
             }
-        });
+        }, MoreExecutors.directExecutor());
         return retval;
     }
 
@@ -259,7 +260,7 @@ public void onFailure(Throwable throwable) {
             public void onSuccess(InstanceCommunication.MetricsData t) {
                 retval.complete(t);
             }
-        });
+        }, MoreExecutors.directExecutor());
         return retval;
     }
 
@@ -281,7 +282,7 @@ public void onFailure(Throwable throwable) {
             public void onSuccess(Empty t) {
                 retval.complete(null);
             }
-        });
+        }, MoreExecutors.directExecutor());
         return retval;
     }
 
@@ -303,7 +304,7 @@ public void onFailure(Throwable throwable) {
             public void onSuccess(InstanceCommunication.MetricsData t) {
                 retval.complete(t);
             }
-        });
+        }, MoreExecutors.directExecutor());
         return retval;
     }
 
@@ -329,7 +330,7 @@ public void onFailure(Throwable throwable) {
             public void onSuccess(InstanceCommunication.HealthCheckResult t) {
                 retval.complete(t);
             }
-        });
+        }, MoreExecutors.directExecutor());
         return retval;
     }
 

diff --git a/pulsar-io/cassandra/src/main/java/org/apache/pulsar/io/cassandra/CassandraAbstractSink.java b/pulsar-io/cassandra/src/main/java/org/apache/pulsar/io/cassandra/CassandraAbstractSink.java
@@ -27,6 +27,7 @@
 import com.datastax.driver.core.Session;
 import com.google.common.util.concurrent.FutureCallback;
 import com.google.common.util.concurrent.Futures;
+import com.google.common.util.concurrent.MoreExecutors;
 
 import java.util.Map;
 
@@ -84,7 +85,7 @@ public void onSuccess(ResultSet result) {
                     public void onFailure(Throwable t) {
                         record.fail();
                     }
-                });
+                }, MoreExecutors.directExecutor());
     }
 
     private void createClient(String roots) {

diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/AdminProxyHandler.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/AdminProxyHandler.java
@@ -232,7 +232,8 @@ protected HttpClient newHttpClient() {
                         );
                     }
 
-                    SslContextFactory contextFactory = new SslContextFactory();
+
+                    SslContextFactory contextFactory = new SslContextFactory.Client(true);
                     contextFactory.setSslContext(sslCtx);
 
                     return new JettyHttpClient(contextFactory);

diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
@@ -222,19 +222,18 @@ The Apache Software License, Version 2.0
     - jackson-mapper-asl-1.9.13.jar
     - jackson-dataformat-yaml-2.8.11.jar
  * Guava
-    - guava-21.0.jar
-    - guava-24.1-jre.jar
+    - guava-25.1-jre.jar
  * Google Guice
     - guice-4.2.0.jar
     - guice-multibindings-4.2.0.jar
  * Apache Commons
     - commons-math3-3.6.1.jar
     - commons-beanutils-core-1.8.3.jar
-    - commons-compress-1.15.jar
+    - commons-compress-1.19.jar
     - commons-lang3-3.3.2.jar
     - commons-lang3-3.4.jar
  * Netty
-    - netty-3.6.2.Final.jar
+    - netty-3.10.6.Final.jar
     - netty-all-4.1.32.Final.jar
     - netty-buffer-4.1.31.Final.jar
     - netty-codec-4.1.31.Final.jar
@@ -271,7 +270,7 @@ The Apache Software License, Version 2.0
     - jetty-servlet-9.4.11.v20180605.jar
     - jetty-util-9.4.11.v20180605.jar
   * Asynchronous Http Client
-    - async-http-client-1.6.5.jar
+    - async-http-client-1.9.40.jar
   * Apache BVal
     - bval-core-1.1.1.jar
     - bval-jsr-1.1.1.jar
@@ -329,17 +328,18 @@ The Apache Software License, Version 2.0
   * Lucene Common Analyzers
     - lucene-analyzers-common-7.2.1.jar
   * Maven
-    - maven-aether-provider-3.0.4.jar
-    - maven-artifact-3.0.4.jar
-    - maven-compat-3.0.4.jar
-    - maven-core-3.0.4.jar
-    - maven-embedder-3.0.4.jar
-    - maven-model-3.0.4.jar
-    - maven-model-builder-3.0.4.jar
-    - maven-plugin-api-3.0.4.jar
-    - maven-repository-metadata-3.0.4.jar
-    - maven-settings-3.0.4.jar
-    - maven-settings-builder-3.0.4.jar
+    - maven-aether-provider-3.0.5.jar
+    - maven-artifact-3.0.5.jar
+    - maven-core-3.0.5.jar
+    - maven-compat-3.0.5.jar
+    - maven-embedder-3.0.5.jar
+    - maven-model-3.0.5.jar
+    - maven-model-builder-3.0.5.jar
+    - maven-plugin-api-3.0.5.jar
+    - maven-repository-metadata-3.0.5.jar
+    - maven-settings-3.0.5.jar
+    - maven-settings-builder-3.0.5.jar
+	- wagon-provider-api-2.4.jar
   * OkHttp
     - okhttp-3.9.0.jar
     - okhttp-urlconnection-3.9.0.jar
@@ -353,8 +353,6 @@ The Apache Software License, Version 2.0
     - plexus-interpolation-1.14.jar
     - plexus-sec-dispatcher-1.3.jar
     - plexus-utils-2.0.6.jar
-  * Apache Maven Wagon
-    - wagon-provider-api-2.2.jar
   * Apache XBean :: Reflect
     - xbean-reflect-3.4.jar
   * Avro
@@ -439,12 +437,12 @@ The Apache Software License, Version 2.0
   * Java Assist
     - javassist-3.25.0-GA.jar
   * Jetty
-    - jetty-http-9.4.12.v20180830.jar
-    - jetty-io-9.4.12.v20180830.jar
-    - jetty-security-9.4.12.v20180830.jar
-    - jetty-server-9.4.12.v20180830.jar
-    - jetty-servlet-9.4.12.v20180830.jar
-    - jetty-util-9.4.12.v20180830.jar
+    - jetty-http-9.4.20.v20190813.jar
+    - jetty-io-9.4.20.v20190813.jar
+    - jetty-security-9.4.20.v20190813.jar
+    - jetty-server-9.4.20.v20190813.jar
+    - jetty-servlet-9.4.20.v20190813.jar
+    - jetty-util-9.4.20.v20190813.jar
   * Java Native Access
     - jna-4.2.0.jar
   * Yahoo Datasketches
@@ -485,7 +483,6 @@ BSD License
 MIT License
  * Animal Sniffer Annotations
    - animal-sniffer-annotations-1.14.jar
- * Checker Qua -- checker-compat-qual-2.0.0.jar
  * PCollections
    - pcollections-2.1.2.jar
  * SLF4J
@@ -496,6 +493,8 @@ MIT License
    - jcl-over-slf4j-1.7.25.jar
  * JUL to SLF4J Bridge
    - jul-to-slf4j-1.7.25.jar
+ * Checker Qual
+   - checker-qual-2.0.0.jar
 
 CDDL - 1.0
  * OSGi Resource Locator