Posted to notifications@skywalking.apache.org by wu...@apache.org on 2022/01/12 08:39:56 UTC

[skywalking] branch master updated: Bump up gRPC/protobuf to fix CVE-2021-22569 (#8405)

This is an automated email from the ASF dual-hosted git repository.

wusheng pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking.git


The following commit(s) were added to refs/heads/master by this push:
     new 0d5a289  Bump up gRPC/protobuf to fix CVE-2021-22569 (#8405)
0d5a289 is described below

commit 0d5a289c207478cc3f43a95054bde81b1ed7a1e2
Author: 吴晟 Wu Sheng <wu...@foxmail.com>
AuthorDate: Wed Jan 12 16:39:38 2022 +0800

    Bump up gRPC/protobuf to fix CVE-2021-22569 (#8405)
    
    * Bump up gRPC/protobuf to fix CVE-2021-22569
---
 .github/workflows/ci-it.yaml                        |  2 +-
 CHANGES.md                                          |  1 +
 dist-material/release-docs/LICENSE                  |  9 +++++----
 oap-server-bom/pom.xml                              |  4 ++--
 pom.xml                                             |  2 +-
 .../dependencies/known-oap-backend-dependencies.txt | 21 +++++++++++----------
 6 files changed, 21 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/ci-it.yaml b/.github/workflows/ci-it.yaml
index 036b4dc..d2f6db7 100644
--- a/.github/workflows/ci-it.yaml
+++ b/.github/workflows/ci-it.yaml
@@ -83,7 +83,7 @@ jobs:
         run: ./mvnw -q --batch-mode -P"backend,ui,dist" clean verify install
       - uses: actions/upload-artifact@v2
         if: env.SKIP_CI != 'true' && matrix.os == 'ubuntu' && matrix.java-version == '8'
-        name: Upload Agent
+        name: Upload OAP Server Binary
         with:
           name: dist
           path: dist
diff --git a/CHANGES.md b/CHANGES.md
index d79e773..afcaadc 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -24,6 +24,7 @@ Release Notes.
 * Extend column name override mechanism working for `ValueColumnMetadata`.
 * Introduce new concept `Layer` and removed `NodeType`. More details refer to [v9-version-upgrade](https://skywalking.apache.org/docs/main/latest/en/faq/v9-version-upgrade/).
 * Fix query sort metrics failure in H2 Storage.
+* Bump up grpc to 1.43.2 and protobuf to 3.19.2 to fix CVE-2021-22569.
 
 #### UI
 
diff --git a/dist-material/release-docs/LICENSE b/dist-material/release-docs/LICENSE
index 9a0c803..6427efb 100755
--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -229,7 +229,7 @@ The text of each license is the standard Apache 2.0 license.
     Google: guava 28.1: https://github.com/google/guava , Apache 2.0
     Google: guice 4.1.0: https://github.com/google/guice , Apache 2.0
     Google: gson 2.8.6: https://github.com/google/gson , Apache 2.0
-    Google: proto-google-common-protos 2.0.1: https://github.com/googleapis/googleapis , Apache 2.0
+    Google: proto-google-common-protos 2.0.1: https://github.com/googleapis/java-common-protos , Apache 2.0
     Google: jsr305 3.0.2: http://central.maven.org/maven2/com/google/code/findbugs/jsr305/3.0.0/jsr305-3.0.0.pom , Apache 2.0
     Google: flatbuffers-java 1.12.0: https://github.com/google/flatbuffers/ , Apache 2.0
     Eclipse (Jetty) 9.4.40.v20210413: https://www.eclipse.org/jetty/ , Apache 2.0 and Eclipse Public License 1.0
@@ -330,7 +330,8 @@ The text of each license is the standard Apache 2.0 license.
     iotdb-thrift 0.12.3: https://github.com/apache/iotdb, Apache 2.0
     service-rpc 0.12.3: https://github.com/apache/iotdb, Apache 2.0
     tsfile 0.12.3 https://github.com/apache/iotdb Apache 2.0
-    libthrift 0.14.1: https://github.com/apache/thrift, Apache 2.0
+    libthrift 0.14.1: https://github.com/apache/thrift Apache 2.0
+    j2objc 1.3: https://github.com/google/j2objc Apache 2.0
 
 ========================================================================
 MIT licenses
@@ -366,8 +367,8 @@ The text of each license is also included at licenses/LICENSE-[project].txt.
 
     asm 9.0:https://gitlab.ow2.org , BSD-3-Clause
     antlr4-runtime 4.5.1: http://www.antlr.org/license.html, BSD-3-Clause
-    Google: protobuf-java 3.17.3: https://github.com/google/protobuf/blob/master/java/pom.xml , BSD-3-Clause
-    Google: protobuf-java-util 3.17.3: https://github.com/google/protobuf/blob/master/java/pom.xml , BSD-3-Clause
+    Google: protobuf-java 3.19.2: https://github.com/google/protobuf/blob/master/java/pom.xml , BSD-3-Clause
+    Google: protobuf-java-util 3.19.2: https://github.com/google/protobuf/blob/master/java/pom.xml , BSD-3-Clause
     reflectasm 1.11.7: https://github.com/EsotericSoftware/reflectasm , BSD-3-Clause
 
     zstd-jni 1.4.3-1: https://github.com/luben/zstd-jni, BSD-3-Clause
diff --git a/oap-server-bom/pom.xml b/oap-server-bom/pom.xml
index 1c7f915..3234aad 100644
--- a/oap-server-bom/pom.xml
+++ b/oap-server-bom/pom.xml
@@ -39,8 +39,8 @@
         <zookeeper.version>3.5.7</zookeeper.version>
         <guava.version>28.1-jre</guava.version>
         <snakeyaml.version>1.28</snakeyaml.version>
-        <protobuf-java.version>3.17.3</protobuf-java.version>
-        <protobuf-java-util.version>3.17.3</protobuf-java-util.version>
+        <protobuf-java.version>3.19.2</protobuf-java.version>
+        <protobuf-java-util.version>3.19.2</protobuf-java-util.version>
         <commons-codec.version>1.11</commons-codec.version>
         <commons-lang3.version>3.12.0</commons-lang3.version>
         <commons-dbcp.version>1.4</commons-dbcp.version>
diff --git a/pom.xml b/pom.xml
index 27bea90..0a4a25a 100755
--- a/pom.xml
+++ b/pom.xml
@@ -176,7 +176,7 @@
         <lombok.version>1.18.20</lombok.version>
 
         <!-- core lib dependency -->
-        <grpc.version>1.42.1</grpc.version>
+        <grpc.version>1.43.2</grpc.version>
         <gson.version>2.8.6</gson.version>
         <os-maven-plugin.version>1.6.2</os-maven-plugin.version>
         <protobuf-maven-plugin.version>0.6.1</protobuf-maven-plugin.version>
diff --git a/tools/dependencies/known-oap-backend-dependencies.txt b/tools/dependencies/known-oap-backend-dependencies.txt
index 090f697..38643f8 100755
--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -43,14 +43,14 @@ freemarker-2.3.28.jar
 graphql-java-8.0.jar
 graphql-java-tools-5.2.3.jar
 groovy-3.0.8.jar
-grpc-api-1.42.1.jar
-grpc-context-1.42.1.jar
-grpc-core-1.42.1.jar
-grpc-grpclb-1.42.1.jar
-grpc-netty-1.42.1.jar
-grpc-protobuf-1.42.1.jar
-grpc-protobuf-lite-1.42.1.jar
-grpc-stub-1.42.1.jar
+grpc-api-1.43.2.jar
+grpc-context-1.43.2.jar
+grpc-core-1.43.2.jar
+grpc-grpclb-1.43.2.jar
+grpc-netty-1.43.2.jar
+grpc-protobuf-1.43.2.jar
+grpc-protobuf-lite-1.43.2.jar
+grpc-stub-1.43.2.jar
 gson-2.8.6.jar
 gson-fire-1.8.5.jar
 guava-28.1-jre.jar
@@ -63,6 +63,7 @@ httpcore-nio-4.4.13.jar
 influxdb-java-2.15.jar
 iotdb-session-0.12.3.jar
 iotdb-thrift-0.12.3.jar
+j2objc-annotations-1.3.jar
 jackson-annotations-2.12.2.jar
 jackson-core-2.12.2.jar
 jackson-databind-2.12.2.jar
@@ -130,8 +131,8 @@ okio-1.17.2.jar
 perfmark-api-0.23.0.jar
 postgresql-42.2.18.jar
 proto-google-common-protos-2.0.1.jar
-protobuf-java-3.17.3.jar
-protobuf-java-util-3.17.3.jar
+protobuf-java-3.19.2.jar
+protobuf-java-util-3.19.2.jar
 reactive-streams-1.0.2.jar
 reflectasm-1.11.7.jar
 retrofit-2.5.0.jar