You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by ni...@apache.org on 2022/07/13 07:53:16 UTC

[pulsar] branch branch-2.8 updated: [fix][security] Upgrade to Jetty to 9.4.48.v20220622 to get rid of CVE-2022-2047 (#16520)

This is an automated email from the ASF dual-hosted git repository.

nicoloboschi pushed a commit to branch branch-2.8
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/branch-2.8 by this push:
     new 7f1eb9a31d8 [fix][security] Upgrade to Jetty to 9.4.48.v20220622 to get rid of CVE-2022-2047 (#16520)
7f1eb9a31d8 is described below

commit 7f1eb9a31d8e2fc3580d0856b1ee31541ab2a636
Author: Nicolò Boschi <bo...@gmail.com>
AuthorDate: Wed Jul 13 01:16:01 2022 +0200

    [fix][security] Upgrade to Jetty to 9.4.48.v20220622 to get rid of CVE-2022-2047 (#16520)
    
    * [fix][security] Upgrade to Jetty to 9.4.48.v20220622 to get rid of CVE-2022-2047
    
    * suppress CVE-2022-2191 - false positive
    
    * Revert "suppress CVE-2022-2191 - false positive"
    
    This reverts commit ab4601f43093c88ae97b03af9d90518fea174768.
    
    (cherry picked from commit 6872ac332f392790688dfd971e232240bd9f4978)
    (cherry picked from commit 87f64d05f64b18a724d64251862014fbbedd562e)
---
 distribution/server/src/assemble/LICENSE.bin.txt | 38 ++++++++++++------------
 pom.xml                                          |  2 +-
 pulsar-sql/presto-distribution/LICENSE           | 32 ++++++++++----------
 3 files changed, 36 insertions(+), 36 deletions(-)

diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
index d43aa218f7c..038b763d8b2 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -431,25 +431,25 @@ The Apache Software License, Version 2.0
     - org.asynchttpclient-async-http-client-2.12.1.jar
     - org.asynchttpclient-async-http-client-netty-utils-2.12.1.jar
  * Jetty
-    - org.eclipse.jetty-jetty-client-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-continuation-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-http-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-io-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-proxy-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-security-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-server-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-servlet-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-servlets-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-util-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-util-ajax-9.4.43.v20210629.jar
-    - org.eclipse.jetty.websocket-javax-websocket-client-impl-9.4.43.v20210629.jar
-    - org.eclipse.jetty.websocket-websocket-api-9.4.43.v20210629.jar
-    - org.eclipse.jetty.websocket-websocket-client-9.4.43.v20210629.jar
-    - org.eclipse.jetty.websocket-websocket-common-9.4.43.v20210629.jar
-    - org.eclipse.jetty.websocket-websocket-server-9.4.43.v20210629.jar
-    - org.eclipse.jetty.websocket-websocket-servlet-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-alpn-conscrypt-server-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-alpn-server-9.4.43.v20210629.jar
+    - org.eclipse.jetty-jetty-client-9.4.48.v20220622.jar
+    - org.eclipse.jetty-jetty-continuation-9.4.48.v20220622.jar
+    - org.eclipse.jetty-jetty-http-9.4.48.v20220622.jar
+    - org.eclipse.jetty-jetty-io-9.4.48.v20220622.jar
+    - org.eclipse.jetty-jetty-proxy-9.4.48.v20220622.jar
+    - org.eclipse.jetty-jetty-security-9.4.48.v20220622.jar
+    - org.eclipse.jetty-jetty-server-9.4.48.v20220622.jar
+    - org.eclipse.jetty-jetty-servlet-9.4.48.v20220622.jar
+    - org.eclipse.jetty-jetty-servlets-9.4.48.v20220622.jar
+    - org.eclipse.jetty-jetty-util-9.4.48.v20220622.jar
+    - org.eclipse.jetty-jetty-util-ajax-9.4.48.v20220622.jar
+    - org.eclipse.jetty.websocket-javax-websocket-client-impl-9.4.48.v20220622.jar
+    - org.eclipse.jetty.websocket-websocket-api-9.4.48.v20220622.jar
+    - org.eclipse.jetty.websocket-websocket-client-9.4.48.v20220622.jar
+    - org.eclipse.jetty.websocket-websocket-common-9.4.48.v20220622.jar
+    - org.eclipse.jetty.websocket-websocket-server-9.4.48.v20220622.jar
+    - org.eclipse.jetty.websocket-websocket-servlet-9.4.48.v20220622.jar
+    - org.eclipse.jetty-jetty-alpn-conscrypt-server-9.4.48.v20220622.jar
+    - org.eclipse.jetty-jetty-alpn-server-9.4.48.v20220622.jar
  * SnakeYaml -- org.yaml-snakeyaml-1.30.jar
  * RocksDB - org.rocksdb-rocksdbjni-6.10.2.jar
  * Google Error Prone Annotations - com.google.errorprone-error_prone_annotations-2.5.1.jar
diff --git a/pom.xml b/pom.xml
index a9900acd3e8..7e99d93a452 100644
--- a/pom.xml
+++ b/pom.xml
@@ -111,7 +111,7 @@ flexible messaging model and an intuitive client API.</description>
     <curator.version>5.1.0</curator.version>
     <netty.version>4.1.77.Final</netty.version>
     <netty-tc-native.version>2.0.52.Final</netty-tc-native.version>
-    <jetty.version>9.4.43.v20210629</jetty.version>
+    <jetty.version>9.4.48.v20220622</jetty.version>
     <conscrypt.version>2.5.2</conscrypt.version>
     <jersey.version>2.34</jersey.version>
     <athenz.version>1.10.9</athenz.version>
diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
index b566bd0c241..27b4d6e5ac4 100644
--- a/pulsar-sql/presto-distribution/LICENSE
+++ b/pulsar-sql/presto-distribution/LICENSE
@@ -257,22 +257,22 @@ The Apache Software License, Version 2.0
  * Joda Time
     - joda-time-2.10.5.jar
   * Jetty
-    - http2-client-9.4.43.v20210629.jar
-    - http2-common-9.4.43.v20210629.jar
-    - http2-hpack-9.4.43.v20210629.jar
-    - http2-http-client-transport-9.4.43.v20210629.jar
-    - jetty-alpn-client-9.4.43.v20210629.jar
-    - http2-server-9.4.43.v20210629.jar
-    - jetty-alpn-java-client-9.4.43.v20210629.jar
-    - jetty-client-9.4.43.v20210629.jar
-    - jetty-http-9.4.43.v20210629.jar
-    - jetty-io-9.4.43.v20210629.jar
-    - jetty-jmx-9.4.43.v20210629.jar
-    - jetty-security-9.4.43.v20210629.jar
-    - jetty-server-9.4.43.v20210629.jar
-    - jetty-servlet-9.4.43.v20210629.jar
-    - jetty-util-9.4.43.v20210629.jar
-    - jetty-util-ajax-9.4.43.v20210629.jar
+    - http2-client-9.4.48.v20220622.jar
+    - http2-common-9.4.48.v20220622.jar
+    - http2-hpack-9.4.48.v20220622.jar
+    - http2-http-client-transport-9.4.48.v20220622.jar
+    - jetty-alpn-client-9.4.48.v20220622.jar
+    - http2-server-9.4.48.v20220622.jar
+    - jetty-alpn-java-client-9.4.48.v20220622.jar
+    - jetty-client-9.4.48.v20220622.jar
+    - jetty-http-9.4.48.v20220622.jar
+    - jetty-io-9.4.48.v20220622.jar
+    - jetty-jmx-9.4.48.v20220622.jar
+    - jetty-security-9.4.48.v20220622.jar
+    - jetty-server-9.4.48.v20220622.jar
+    - jetty-servlet-9.4.48.v20220622.jar
+    - jetty-util-9.4.48.v20220622.jar
+    - jetty-util-ajax-9.4.48.v20220622.jar
   * Apache BVal
     - bval-jsr-2.0.0.jar
   * Bytecode