Posted to notifications@skywalking.apache.org by wu...@apache.org on 2022/01/12 08:39:56 UTC
[skywalking] branch master updated: Bump up gRPC/protobuf to fix CVE-2021-22569 (#8405)
This is an automated email from the ASF dual-hosted git repository.
wusheng pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking.git
The following commit(s) were added to refs/heads/master by this push:
new 0d5a289 Bump up gRPC/protobuf to fix CVE-2021-22569 (#8405)
0d5a289 is described below
commit 0d5a289c207478cc3f43a95054bde81b1ed7a1e2
Author: 吴晟 Wu Sheng <wu...@foxmail.com>
AuthorDate: Wed Jan 12 16:39:38 2022 +0800
Bump up gRPC/protobuf to fix CVE-2021-22569 (#8405)
* Bump up gRPC/protobuf to fix CVE-2021-2256
---
.github/workflows/ci-it.yaml | 2 +-
CHANGES.md | 1 +
dist-material/release-docs/LICENSE | 9 +++++----
oap-server-bom/pom.xml | 4 ++--
pom.xml | 2 +-
.../dependencies/known-oap-backend-dependencies.txt | 21 +++++++++++----------
6 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/ci-it.yaml b/.github/workflows/ci-it.yaml
index 036b4dc..d2f6db7 100644
--- a/.github/workflows/ci-it.yaml
+++ b/.github/workflows/ci-it.yaml
@@ -83,7 +83,7 @@ jobs:
run: ./mvnw -q --batch-mode -P"backend,ui,dist" clean verify install
- uses: actions/upload-artifact@v2
if: env.SKIP_CI != 'true' && matrix.os == 'ubuntu' && matrix.java-version == '8'
- name: Upload Agent
+ name: Upload OAP Server Binary
with:
name: dist
path: dist
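Review bot: the step rename from `Upload Agent` to `Upload OAP Server Binary` in ci-it.yaml is a CI label correction with no relation to the CVE-2021-22569 dependency bump that the commit message describes; either mention it in the commit message or land it as its own commit, so the security fix stays easy to audit and to backport on its own.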
diff --git a/CHANGES.md b/CHANGES.md
index d79e773..afcaadc 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -24,6 +24,7 @@ Release Notes.
* Extend column name override mechanism working for `ValueColumnMetadata`.
* Introduce new concept `Layer` and removed `NodeType`. More details refer to [v9-version-upgrade](https://skywalking.apache.org/docs/main/latest/en/faq/v9-version-upgrade/).
* Fix query sort metrics failure in H2 Storage.
+* Bump up grpc to 1.43.2 and protobuf to 3.19.2 to fix CVE-2021-22569.
#### UI
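Review bot: the new changelog line bundles two version changes (grpc 1.43.2 and protobuf 3.19.2) under one advisory without saying which of the two actually addresses CVE-2021-22569 and which is only being kept in step; spell that out in the entry so anyone backporting to a maintenance branch knows which bump is the mandatory one.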
diff --git a/dist-material/release-docs/LICENSE b/dist-material/release-docs/LICENSE
index 9a0c803..6427efb 100755
--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -229,7 +229,7 @@ The text of each license is the standard Apache 2.0 license.
Google: guava 28.1: https://github.com/google/guava , Apache 2.0
Google: guice 4.1.0: https://github.com/google/guice , Apache 2.0
Google: gson 2.8.6: https://github.com/google/gson , Apache 2.0
- Google: proto-google-common-protos 2.0.1: https://github.com/googleapis/googleapis , Apache 2.0
+ Google: proto-google-common-protos 2.0.1: https://github.com/googleapis/java-common-protos , Apache 2.0
Google: jsr305 3.0.2: http://central.maven.org/maven2/com/google/code/findbugs/jsr305/3.0.0/jsr305-3.0.0.pom , Apache 2.0
Google: flatbuffers-java 1.12.0: https://github.com/google/flatbuffers/ , Apache 2.0
Eclipse (Jetty) 9.4.40.v20210413: https://www.eclipse.org/jetty/ , Apache 2.0 and Eclipse Public License 1.0
@@ -330,7 +330,8 @@ The text of each license is the standard Apache 2.0 license.
iotdb-thrift 0.12.3: https://github.com/apache/iotdb, Apache 2.0
service-rpc 0.12.3: https://github.com/apache/iotdb, Apache 2.0
tsfile 0.12.3 https://github.com/apache/iotdb Apache 2.0
- libthrift 0.14.1: https://github.com/apache/thrift, Apache 2.0
+ libthrift 0.14.1: https://github.com/apache/thrift Apache 2.0
+ j2objc 1.3: https://github.com/google/j2objc Apache 2.0
========================================================================
MIT licenses
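Review bot: the added `j2objc 1.3` entry does not match the artifact name recorded in tools/dependencies/known-oap-backend-dependencies.txt (`j2objc-annotations-1.3.jar`); use `j2objc-annotations 1.3` so the license list and the dependency allow-list can be cross-checked by name. The same hunk also rewrites the libthrift line only to drop the comma after the URL, which leaves it inconsistent with the neighbouring `iotdb-thrift` and `service-rpc` entries; revert that part unless the comma removal is intended.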
@@ -366,8 +367,8 @@ The text of each license is also included at licenses/LICENSE-[project].txt.
asm 9.0:https://gitlab.ow2.org , BSD-3-Clause
antlr4-runtime 4.5.1: http://www.antlr.org/license.html, BSD-3-Clause
- Google: protobuf-java 3.17.3: https://github.com/google/protobuf/blob/master/java/pom.xml , BSD-3-Clause
- Google: protobuf-java-util 3.17.3: https://github.com/google/protobuf/blob/master/java/pom.xml , BSD-3-Clause
+ Google: protobuf-java 3.19.2: https://github.com/google/protobuf/blob/master/java/pom.xml , BSD-3-Clause
+ Google: protobuf-java-util 3.19.2: https://github.com/google/protobuf/blob/master/java/pom.xml , BSD-3-Clause
reflectasm 1.11.7: https://github.com/EsotericSoftware/reflectasm , BSD-3-Clause
zstd-jni 1.4.3-1: https://github.com/luben/zstd-jni, BSD-3-Clause
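Review bot: both protobuf entries now read 3.19.2, matching the BOM change, but the link still points at `blob/master/java/pom.xml`, which is a moving target; consider pointing the license reference at the 3.19.2 release rather than master so the recorded version and the linked file cannot drift apart.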
diff --git a/oap-server-bom/pom.xml b/oap-server-bom/pom.xml
index 1c7f915..3234aad 100644
--- a/oap-server-bom/pom.xml
+++ b/oap-server-bom/pom.xml
@@ -39,8 +39,8 @@
<zookeeper.version>3.5.7</zookeeper.version>
<guava.version>28.1-jre</guava.version>
<snakeyaml.version>1.28</snakeyaml.version>
- <protobuf-java.version>3.17.3</protobuf-java.version>
- <protobuf-java-util.version>3.17.3</protobuf-java-util.version>
+ <protobuf-java.version>3.19.2</protobuf-java.version>
+ <protobuf-java-util.version>3.19.2</protobuf-java-util.version>
<commons-codec.version>1.11</commons-codec.version>
<commons-lang3.version>3.12.0</commons-lang3.version>
<commons-dbcp.version>1.4</commons-dbcp.version>
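Review bot: `protobuf-java.version` and `protobuf-java-util.version` are two independent properties that must stay in lockstep (this commit bumps both by hand); define `<protobuf-java-util.version>${protobuf-java.version}</protobuf-java-util.version>` or collapse them into a single property, so a future security bump cannot update one and miss the other.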
diff --git a/pom.xml b/pom.xml
index 27bea90..0a4a25a 100755
--- a/pom.xml
+++ b/pom.xml
@@ -176,7 +176,7 @@
<lombok.version>1.18.20</lombok.version>
<!-- core lib dependency -->
- <grpc.version>1.42.1</grpc.version>
+ <grpc.version>1.43.2</grpc.version>
<gson.version>2.8.6</gson.version>
<os-maven-plugin.version>1.6.2</os-maven-plugin.version>
<protobuf-maven-plugin.version>0.6.1</protobuf-maven-plugin.version>
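Review bot: `grpc.version` moves to 1.43.2 here, but the protoc artifact version that `protobuf-maven-plugin` (0.6.1, unchanged) compiles with is configured outside this hunk; confirm it is derived from the same protobuf property now set to 3.19.2, so generated code and the protobuf-java runtime stay aligned, or state in the commit message that it already is.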
diff --git a/tools/dependencies/known-oap-backend-dependencies.txt b/tools/dependencies/known-oap-backend-dependencies.txt
index 090f697..38643f8 100755
--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -43,14 +43,14 @@ freemarker-2.3.28.jar
graphql-java-8.0.jar
graphql-java-tools-5.2.3.jar
groovy-3.0.8.jar
-grpc-api-1.42.1.jar
-grpc-context-1.42.1.jar
-grpc-core-1.42.1.jar
-grpc-grpclb-1.42.1.jar
-grpc-netty-1.42.1.jar
-grpc-protobuf-1.42.1.jar
-grpc-protobuf-lite-1.42.1.jar
-grpc-stub-1.42.1.jar
+grpc-api-1.43.2.jar
+grpc-context-1.43.2.jar
+grpc-core-1.43.2.jar
+grpc-grpclb-1.43.2.jar
+grpc-netty-1.43.2.jar
+grpc-protobuf-1.43.2.jar
+grpc-protobuf-lite-1.43.2.jar
+grpc-stub-1.43.2.jar
gson-2.8.6.jar
gson-fire-1.8.5.jar
guava-28.1-jre.jar
@@ -63,6 +63,7 @@ httpcore-nio-4.4.13.jar
influxdb-java-2.15.jar
iotdb-session-0.12.3.jar
iotdb-thrift-0.12.3.jar
+j2objc-annotations-1.3.jar
jackson-annotations-2.12.2.jar
jackson-core-2.12.2.jar
jackson-databind-2.12.2.jar
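Review bot: `j2objc-annotations-1.3.jar` is a new allow-list entry with no explanation in the commit message; since this file exists to flag unexpected transitive additions, record which upgraded artifact (the grpc or the protobuf bump) pulled it in, so the allow-list change is justified rather than silently accepted.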
@@ -130,8 +131,8 @@ okio-1.17.2.jar
perfmark-api-0.23.0.jar
postgresql-42.2.18.jar
proto-google-common-protos-2.0.1.jar
-protobuf-java-3.17.3.jar
-protobuf-java-util-3.17.3.jar
+protobuf-java-3.19.2.jar
+protobuf-java-util-3.19.2.jar
reactive-streams-1.0.2.jar
reflectasm-1.11.7.jar
retrofit-2.5.0.jar