From 0076a1bc2d8c3e0fbdd1d210cea17efcf086c034 Mon Sep 17 00:00:00 2001 From: Matteo Merli Date: Wed, 30 Oct 2019 23:38:27 -0700 Subject: [PATCH] Upgrade dependencies for security fixes (#5232) * Upgrade dependencies for security fixes * Use guava 18 for jclouds-shaded * Fix the guava version for HDFS tiered storage component * Rollback guava to 25.1 since there are API breaking changes * Rollback to Maven 3.0.5 which has the fix for sec issue * Fixed Jetty SslContextFactory creation * Roll back to 9.4.20.v20190813 --- .../server/src/assemble/LICENSE.bin.txt | 49 +++++++++--------- jclouds-shaded/pom.xml | 11 ++++ pom.xml | 9 ++-- .../functions/runtime/KubernetesRuntime.java | 5 +- .../functions/runtime/ProcessRuntime.java | 11 ++-- .../io/cassandra/CassandraAbstractSink.java | 3 +- .../proxy/server/AdminProxyHandler.java | 3 +- pulsar-sql/presto-distribution/LICENSE | 49 +++++++++--------- pulsar-sql/presto-distribution/pom.xml | 50 ++++++++++++++++++- pulsar-sql/presto-pulsar-plugin/pom.xml | 1 - tiered-storage/file-system/pom.xml | 11 ++++ 11 files changed, 138 insertions(+), 64 deletions(-) diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt index 7306ec1d4f5a2..06df822c6c009 100644 --- a/distribution/server/src/assemble/LICENSE.bin.txt +++ b/distribution/server/src/assemble/LICENSE.bin.txt @@ -325,7 +325,9 @@ The Apache Software License, Version 2.0 * Caffeine -- com.github.ben-manes.caffeine-caffeine-2.6.2.jar * Proto Google Common Protos -- com.google.api.grpc-proto-google-common-protos-1.12.0.jar * Gson -- com.google.code.gson-gson-2.8.2.jar - * Guava -- com.google.guava-guava-21.0.jar + * Guava + - com.google.guava-guava-25.1-jre.jar + * J2ObjC Annotations -- com.google.j2objc-j2objc-annotations-1.1.jar * Netty Reactive Streams -- com.typesafe.netty-netty-reactive-streams-2.0.0.jar * Swagger - io.swagger-swagger-annotations-1.5.21.jar 
@@ -343,7 +345,7 @@ The Apache Software License, Version 2.0 - commons-lang-commons-lang-2.6.jar - commons-logging-commons-logging-1.1.1.jar - org.apache.commons-commons-collections4-4.1.jar - - org.apache.commons-commons-compress-1.15.jar + - org.apache.commons-commons-compress-1.19.jar - org.apache.commons-commons-lang3-3.4.jar * Netty - io.netty-netty-buffer-4.1.43.Final.jar 
@@ -411,29 +413,29 @@ The Apache Software License, Version 2.0 - org.asynchttpclient-async-http-client-2.7.0.jar - org.asynchttpclient-async-http-client-netty-utils-2.7.0.jar * Jetty - - org.eclipse.jetty-jetty-client-9.4.12.v20180830.jar - - org.eclipse.jetty-jetty-continuation-9.4.12.v20180830.jar - - org.eclipse.jetty-jetty-http-9.4.12.v20180830.jar - - org.eclipse.jetty-jetty-io-9.4.12.v20180830.jar - - org.eclipse.jetty-jetty-proxy-9.4.12.v20180830.jar - - org.eclipse.jetty-jetty-security-9.4.12.v20180830.jar - - org.eclipse.jetty-jetty-server-9.4.12.v20180830.jar - - org.eclipse.jetty-jetty-servlet-9.4.12.v20180830.jar - - org.eclipse.jetty-jetty-servlets-9.4.12.v20180830.jar - - org.eclipse.jetty-jetty-util-9.4.12.v20180830.jar - - org.eclipse.jetty-jetty-xml-9.4.12.v20180830.jar - - org.eclipse.jetty.websocket-javax-websocket-client-impl-9.4.12.v20180830.jar - - org.eclipse.jetty.websocket-websocket-api-9.4.12.v20180830.jar - - org.eclipse.jetty.websocket-websocket-client-9.4.12.v20180830.jar - - org.eclipse.jetty.websocket-websocket-common-9.4.12.v20180830.jar - - org.eclipse.jetty.websocket-websocket-server-9.4.12.v20180830.jar - - org.eclipse.jetty.websocket-websocket-servlet-9.4.12.v20180830.jar + - org.eclipse.jetty-jetty-client-9.4.20.v20190813.jar + - org.eclipse.jetty-jetty-continuation-9.4.20.v20190813.jar + - org.eclipse.jetty-jetty-http-9.4.20.v20190813.jar + - org.eclipse.jetty-jetty-io-9.4.20.v20190813.jar + - org.eclipse.jetty-jetty-proxy-9.4.20.v20190813.jar + - org.eclipse.jetty-jetty-security-9.4.20.v20190813.jar + - org.eclipse.jetty-jetty-server-9.4.20.v20190813.jar + - org.eclipse.jetty-jetty-servlet-9.4.20.v20190813.jar + - org.eclipse.jetty-jetty-servlets-9.4.20.v20190813.jar + - org.eclipse.jetty-jetty-util-9.4.20.v20190813.jar + - org.eclipse.jetty-jetty-xml-9.4.20.v20190813.jar + - org.eclipse.jetty.websocket-javax-websocket-client-impl-9.4.20.v20190813.jar + - org.eclipse.jetty.websocket-websocket-api-9.4.20.v20190813.jar + - 
org.eclipse.jetty.websocket-websocket-client-9.4.20.v20190813.jar + - org.eclipse.jetty.websocket-websocket-common-9.4.20.v20190813.jar + - org.eclipse.jetty.websocket-websocket-server-9.4.20.v20190813.jar + - org.eclipse.jetty.websocket-websocket-servlet-9.4.20.v20190813.jar * SnakeYaml -- org.yaml-snakeyaml-1.23.jar * RocksDB - org.rocksdb-rocksdbjni-5.13.3.jar * HttpClient - org.apache.httpcomponents-httpclient-4.5.5.jar - org.apache.httpcomponents-httpcore-4.4.9.jar - * Google Error Prone Annotations - com.google.errorprone-error_prone_annotations-2.2.0.jar + * Google Error Prone Annotations - com.google.errorprone-error_prone_annotations-2.1.3.jar * OkHttp - com.squareup.okhttp-okhttp-2.5.0.jar * Okio - com.squareup.okio-okio-1.13.0.jar * Javassist -- org.javassist-javassist-3.25.0-GA.jar @@ -469,8 +471,6 @@ The Apache Software License, Version 2.0 - org.inferred-freebuilder-1.14.9.jar * Snappy Java - org.xerial.snappy-snappy-java-1.1.1.3.jar - * Objenesis - - org.objenesis-objenesis-2.6.jar * Squareup - com.squareup.okhttp-logging-interceptor-2.7.5.jar - com.squareup.okhttp-okhttp-ws-2.7.5.jar @@ -518,9 +518,10 @@ MIT License - org.slf4j-slf4j-api-1.7.25.jar - org.slf4j-jcl-over-slf4j-1.7.25.jar * Animal Sniffer Annotations - - org.codehaus.mojo-animal-sniffer-annotations-1.17.jar + - org.codehaus.mojo-animal-sniffer-annotations-1.14.jar * The Checker Framework - - org.checkerframework-checker-compat-qual-2.5.2.jar + - org.checkerframework-checker-compat-qual-2.5.2.jar + - org.checkerframework-checker-qual-2.0.0.jar Protocol Buffers License * Protocol Buffers diff --git a/jclouds-shaded/pom.xml b/jclouds-shaded/pom.xml index 5ee25d877cdb0..d7ab582d0852d 100644 --- a/jclouds-shaded/pom.xml +++ b/jclouds-shaded/pom.xml @@ -45,6 +45,17 @@ + + + + + com.google.guava + guava + 18.0 + + + + diff --git a/pom.xml b/pom.xml index 78648348be13e..0ab3d33fa9a4b 100644 --- a/pom.xml +++ b/pom.xml 
@@ -146,14 +146,14 @@ flexible messaging model and an intuitive client API. 2.1.0-incubating - 1.15 + 1.19 4.9.2 3.4.13 4.1.43.Final 2.0.26.Final 2.0.0 - 9.4.12.v20180830 + 9.4.20.v20190813 2.27 1.8.17 0.5.0 @@ -201,7 +201,8 @@ flexible messaging model and an intuitive client API. 1.3.7-3 1.1.1.3 1.4.9 - + 25.1-jre + 3.6.0 3.4.0 @@ -536,7 +537,7 @@ flexible messaging model and an intuitive client API. com.google.guava guava - 21.0 + ${guava.version} diff --git a/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/runtime/KubernetesRuntime.java b/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/runtime/KubernetesRuntime.java index 01d14dcc869be..01b40b645699e 100644 --- a/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/runtime/KubernetesRuntime.java +++ b/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/runtime/KubernetesRuntime.java @@ -23,6 +23,7 @@ import com.google.common.util.concurrent.FutureCallback; import com.google.common.util.concurrent.Futures; import com.google.common.util.concurrent.ListenableFuture; +import com.google.common.util.concurrent.MoreExecutors; import com.google.gson.Gson; import com.google.protobuf.Empty; import com.squareup.okhttp.Response; @@ -329,7 +330,7 @@ public void onFailure(Throwable throwable) { public void onSuccess(FunctionStatus t) { retval.complete(t); } - }); + }, MoreExecutors.directExecutor()); return retval; } @@ -372,7 +373,7 @@ public void onFailure(Throwable throwable) { public void onSuccess(InstanceCommunication.MetricsData t) { retval.complete(t); } - }); + }, MoreExecutors.directExecutor()); return retval; } diff --git a/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/runtime/ProcessRuntime.java b/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/runtime/ProcessRuntime.java index 311934eccd39e..4334123f1e63f 100644 
--- a/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/runtime/ProcessRuntime.java +++ b/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/runtime/ProcessRuntime.java @@ -22,6 +22,7 @@ import com.google.common.util.concurrent.FutureCallback; import com.google.common.util.concurrent.Futures; import com.google.common.util.concurrent.ListenableFuture; +import com.google.common.util.concurrent.MoreExecutors; import com.google.gson.Gson; import com.google.protobuf.Empty; import io.grpc.ManagedChannel; @@ -237,7 +238,7 @@ public void onFailure(Throwable throwable) { public void onSuccess(InstanceCommunication.FunctionStatus t) { retval.complete(t); } - }); + }, MoreExecutors.directExecutor()); return retval; } @@ -259,7 +260,7 @@ public void onFailure(Throwable throwable) { public void onSuccess(InstanceCommunication.MetricsData t) { retval.complete(t); } - }); + }, MoreExecutors.directExecutor()); return retval; } @@ -281,7 +282,7 @@ public void onFailure(Throwable throwable) { public void onSuccess(Empty t) { retval.complete(null); } - }); + }, MoreExecutors.directExecutor()); return retval; } @@ -303,7 +304,7 @@ public void onFailure(Throwable throwable) { public void onSuccess(InstanceCommunication.MetricsData t) { retval.complete(t); } - }); + }, MoreExecutors.directExecutor()); return retval; } @@ -329,7 +330,7 @@ public void onFailure(Throwable throwable) { public void onSuccess(InstanceCommunication.HealthCheckResult t) { retval.complete(t); } - }); + }, MoreExecutors.directExecutor()); return retval; } diff --git a/pulsar-io/cassandra/src/main/java/org/apache/pulsar/io/cassandra/CassandraAbstractSink.java b/pulsar-io/cassandra/src/main/java/org/apache/pulsar/io/cassandra/CassandraAbstractSink.java index d40a7cec5bc9f..874710afb4860 100644 --- a/pulsar-io/cassandra/src/main/java/org/apache/pulsar/io/cassandra/CassandraAbstractSink.java 
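Review bot: Each `Futures.addCallback` call now passes `MoreExecutors.directExecutor()` without a comment, and nothing in the hunk says why inline execution is acceptable: the callback runs on whichever thread completes the gRPC `ListenableFuture`, and `retval.complete(t)` will in turn run any non-async stages a caller chained onto `retval` on that same thread. This appears to match the previous two-argument overload, which, to my recollection of the Guava docs, used a direct executor and is deprecated in the 25.1 line this patch moves to, so behaviour should be unchanged, but a reader of the new lines cannot tell that. I would add at the first call site `// directExecutor: same executor the deprecated 2-arg overload used; the callback only completes retval, so inline execution is fine` and keep these callbacks free of blocking work. The surrounding methods begin and end outside the visible hunk lines.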
+++ b/pulsar-io/cassandra/src/main/java/org/apache/pulsar/io/cassandra/CassandraAbstractSink.java @@ -27,6 +27,7 @@ import com.datastax.driver.core.Session; import com.google.common.util.concurrent.FutureCallback; import com.google.common.util.concurrent.Futures; +import com.google.common.util.concurrent.MoreExecutors; import java.util.Map; @@ -84,7 +85,7 @@ public void onSuccess(ResultSet result) { public void onFailure(Throwable t) { record.fail(); } - }); + }, MoreExecutors.directExecutor()); } private void createClient(String roots) { diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/AdminProxyHandler.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/AdminProxyHandler.java index 6a767d42a76df..5316ab8df6f0a 100644 --- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/AdminProxyHandler.java +++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/AdminProxyHandler.java @@ -232,7 +232,8 @@ protected HttpClient newHttpClient() { ); } - SslContextFactory contextFactory = new SslContextFactory(); + + SslContextFactory contextFactory = new SslContextFactory.Client(true); contextFactory.setSslContext(sslCtx); return new JettyHttpClient(contextFactory); diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE index dfd891e3aa5b7..0c78a96519edd 100644 --- a/pulsar-sql/presto-distribution/LICENSE +++ b/pulsar-sql/presto-distribution/LICENSE 
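Review bot: The `true` passed to `new SslContextFactory.Client(true)` is Jetty's `trustAll` flag, and the next line `contextFactory.setSslContext(sslCtx)` overrides trust-manager selection anyway, so the flag does not express the trust decision that `sslCtx` (built above the hunk, from configuration I cannot see) actually makes. To my reading of Jetty 9.4, `setTrustAll(true)` additionally clears the endpoint-identification algorithm and logs a trust-all warning at startup, so hostname verification for the proxy-to-broker admin connection stays disabled regardless of how `sslCtx` was built. Unless insecure connections are deliberately allowed here, I would write `SslContextFactory contextFactory = new SslContextFactory.Client();` and, for the verifying case, `contextFactory.setEndpointIdentificationAlgorithm("HTTPS");` gated on the same setting that governs `sslCtx`. The hunk also adds a stray blank line before the declaration. `newHttpClient()` begins outside the hunk.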
@@ -222,19 +222,18 @@ The Apache Software License, Version 2.0 - jackson-mapper-asl-1.9.13.jar - jackson-dataformat-yaml-2.8.11.jar * Guava - - guava-21.0.jar - - guava-24.1-jre.jar + - guava-25.1-jre.jar * Google Guice - guice-4.2.0.jar - guice-multibindings-4.2.0.jar * Apache Commons - commons-math3-3.6.1.jar - commons-beanutils-core-1.8.3.jar - - commons-compress-1.15.jar + - commons-compress-1.19.jar - commons-lang3-3.3.2.jar - commons-lang3-3.4.jar * Netty - - netty-3.6.2.Final.jar + - netty-3.10.6.Final.jar - netty-all-4.1.32.Final.jar - netty-buffer-4.1.31.Final.jar - netty-codec-4.1.31.Final.jar @@ -271,7 +270,7 @@ The Apache Software License, Version 2.0 - jetty-servlet-9.4.11.v20180605.jar - jetty-util-9.4.11.v20180605.jar * Asynchronous Http Client - - async-http-client-1.6.5.jar + - async-http-client-1.9.40.jar * Apache BVal - bval-core-1.1.1.jar - bval-jsr-1.1.1.jar @@ -329,17 +328,18 @@ The Apache Software License, Version 2.0 * Lucene Common Analyzers - lucene-analyzers-common-7.2.1.jar * Maven - - maven-aether-provider-3.0.4.jar - - maven-artifact-3.0.4.jar - - maven-compat-3.0.4.jar - - maven-core-3.0.4.jar - - maven-embedder-3.0.4.jar - - maven-model-3.0.4.jar - - maven-model-builder-3.0.4.jar - - maven-plugin-api-3.0.4.jar - - maven-repository-metadata-3.0.4.jar - - maven-settings-3.0.4.jar - - maven-settings-builder-3.0.4.jar + - maven-aether-provider-3.0.5.jar + - maven-artifact-3.0.5.jar + - maven-core-3.0.5.jar + - maven-compat-3.0.5.jar + - maven-embedder-3.0.5.jar + - maven-model-3.0.5.jar + - maven-model-builder-3.0.5.jar + - maven-plugin-api-3.0.5.jar + - maven-repository-metadata-3.0.5.jar + - maven-settings-3.0.5.jar + - maven-settings-builder-3.0.5.jar + - wagon-provider-api-2.4.jar * OkHttp - okhttp-3.9.0.jar - okhttp-urlconnection-3.9.0.jar 
@@ -353,8 +353,6 @@ The Apache Software License, Version 2.0 - plexus-interpolation-1.14.jar - plexus-sec-dispatcher-1.3.jar - plexus-utils-2.0.6.jar - * Apache Maven Wagon - - wagon-provider-api-2.2.jar * Apache XBean :: Reflect - xbean-reflect-3.4.jar * Avro @@ -439,12 +437,12 @@ The Apache Software License, Version 2.0 * Java Assist - javassist-3.25.0-GA.jar * Jetty - - jetty-http-9.4.12.v20180830.jar - - jetty-io-9.4.12.v20180830.jar - - jetty-security-9.4.12.v20180830.jar - - jetty-server-9.4.12.v20180830.jar - - jetty-servlet-9.4.12.v20180830.jar - - jetty-util-9.4.12.v20180830.jar + - jetty-http-9.4.20.v20190813.jar + - jetty-io-9.4.20.v20190813.jar + - jetty-security-9.4.20.v20190813.jar + - jetty-server-9.4.20.v20190813.jar + - jetty-servlet-9.4.20.v20190813.jar + - jetty-util-9.4.20.v20190813.jar * Java Native Access - jna-4.2.0.jar * Yahoo Datasketches @@ -485,7 +483,6 @@ BSD License MIT License * Animal Sniffer Annotations - animal-sniffer-annotations-1.14.jar - * Checker Qua -- checker-compat-qual-2.0.0.jar * PCollections - pcollections-2.1.2.jar * SLF4J @@ -496,6 +493,8 @@ MIT License - jcl-over-slf4j-1.7.25.jar * JUL to SLF4J Bridge - jul-to-slf4j-1.7.25.jar + * Checker Qual + - checker-qual-2.0.0.jar CDDL - 1.0 * OSGi Resource Locator diff --git a/pulsar-sql/presto-distribution/pom.xml b/pulsar-sql/presto-distribution/pom.xml index 9ffae4f0e6681..e918ca5858d89 100644 --- a/pulsar-sql/presto-distribution/pom.xml +++ b/pulsar-sql/presto-distribution/pom.xml @@ -46,6 +46,9 @@ 2.8.11.4 + 1.9.40 + 3.0.5 + 25.1-jre 
@@ -177,13 +180,58 @@ + + + + + com.ning + async-http-client + ${com.ning.async.http.client.version} + + + io.netty + netty + 3.10.6.Final + + + + org.apache.maven + maven-core + ${maven.version} + + + org.apache.maven + maven-model + ${maven.version} + + + org.apache.maven + maven-artifact + ${maven.version} + + + org.apache.maven + maven-aether-provider + ${maven.version} + + + org.apache.maven + maven-embedder + ${maven.version} + + + com.google.guava + guava + ${guava.version} + + + org.apache.maven.plugins maven-install-plugin - 2.5.2 maven-assembly-plugin diff --git a/pulsar-sql/presto-pulsar-plugin/pom.xml b/pulsar-sql/presto-pulsar-plugin/pom.xml index 4b52a521e20c5..9a5754b054eb6 100644 --- a/pulsar-sql/presto-pulsar-plugin/pom.xml +++ b/pulsar-sql/presto-pulsar-plugin/pom.xml @@ -46,7 +46,6 @@ org.apache.maven.plugins maven-install-plugin - 2.5.2 maven-assembly-plugin diff --git a/tiered-storage/file-system/pom.xml b/tiered-storage/file-system/pom.xml index 8ae30d3d96ba3..83cdb0a2d21b5 100644 --- a/tiered-storage/file-system/pom.xml +++ b/tiered-storage/file-system/pom.xml @@ -90,6 +90,17 @@ test + + + + + com.google.guava + guava + 21.0 + + + +
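Review bot: The `dependencyManagement` entry pins `com.google.guava:guava` to `21.0` for this module while the root pom moves the build to 25.1-jre in the same patch (and `jclouds-shaded` is pinned to 18.0 earlier in the diff), so a commit titled "Upgrade dependencies for security fixes" leaves two modules on the pre-fix Guava line. Guava releases before 24.1.1 are affected by CVE-2018-10237 (unbounded memory allocation when deserializing `AtomicDoubleArray`/`CompoundOrdering`), and the shaded jclouds artifact in particular bundles its copy into the distribution. If the pin is required because the HDFS client used here presumably does not work with the managed Guava version, say so next to it, e.g. `<!-- pinned: the HDFS client pulled in by this module is not compatible with the root-managed Guava; 21.0 predates the Guava 24.1.1 deserialization fix (CVE-2018-10237), tracked separately -->`, and confirm that no untrusted Java deserialization reaches these classes or relocate them. The closing `dependencyManagement` tags fall outside the hunk.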