You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@druid.apache.org by ji...@apache.org on 2021/04/15 23:57:00 UTC
[druid] branch 0.21.0 created (now a03dc10)
This is an automated email from the ASF dual-hosted git repository.
jihoonson pushed a change to branch 0.21.0
in repository https://gitbox.apache.org/repos/asf/druid.git.
at a03dc10 Backport security prs to 0.21.0 (#11116)
This branch includes the following new commits:
new a03dc10 Backport security prs to 0.21.0 (#11116)
The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[druid] 01/01: Backport security prs to 0.21.0 (#11116)
Posted by ji...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
jihoonson pushed a commit to branch 0.21.0
in repository https://gitbox.apache.org/repos/asf/druid.git
commit a03dc106f58a7b5b6f92a14b3653bb2e02bdcb60
Author: Jihoon Son <ji...@apache.org>
AuthorDate: Thu Apr 15 00:34:12 2021 -0700
Backport security prs to 0.21.0 (#11116)
---
extensions-core/kubernetes-extensions/pom.xml | 8 +++-
licenses.yaml | 13 ++++---
owasp-dependency-check-suppressions.xml | 55 +++++++++++++++++++++++++++
pom.xml | 2 +-
4 files changed, 70 insertions(+), 8 deletions(-)
diff --git a/extensions-core/kubernetes-extensions/pom.xml b/extensions-core/kubernetes-extensions/pom.xml
index a22c3dd..b68e46d 100644
--- a/extensions-core/kubernetes-extensions/pom.xml
+++ b/extensions-core/kubernetes-extensions/pom.xml
@@ -35,7 +35,7 @@
</parent>
<properties>
- <kubernetes.client.version>10.0.0</kubernetes.client.version>
+ <kubernetes.client.version>10.0.1</kubernetes.client.version>
</properties>
<dependencies>
@@ -93,6 +93,12 @@
<version>1.68</version>
<scope>runtime</scope>
</dependency>
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcprov-ext-jdk15on</artifactId>
+ <version>1.68</version>
+ <scope>runtime</scope>
+ </dependency>
<!-- others -->
<dependency>
diff --git a/licenses.yaml b/licenses.yaml
index 2759bf2..ab9ae27 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -841,7 +841,7 @@ name: kubernetes official java client
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
-version: 10.0.0
+version: 10.0.1
libraries:
- io.kubernetes: client-java
@@ -851,7 +851,7 @@ name: kubernetes official java client api
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
-version: 10.0.0
+version: 10.0.1
libraries:
- io.kubernetes: client-java-api
@@ -861,7 +861,7 @@ name: kubernetes official java client extended
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
-version: 10.0.0
+version: 10.0.1
libraries:
- io.kubernetes: client-java-extended
@@ -981,7 +981,7 @@ name: io.kubernetes client-java-proto
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
-version: 10.0.0
+version: 10.0.1
libraries:
- io.kubernetes: client-java-proto
@@ -1041,7 +1041,7 @@ name: org.bouncycastle bcprov-ext-jdk15on
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: MIT License
-version: 1.66
+version: 1.68
libraries:
- org.bouncycastle: bcprov-ext-jdk15on
@@ -1962,7 +1962,7 @@ name: Jetty
license_category: binary
module: java-core
license_name: Apache License version 2.0
-version: 9.4.34.v20201102
+version: 9.4.39.v20210325
libraries:
- org.eclipse.jetty: jetty-client
- org.eclipse.jetty: jetty-continuation
@@ -1975,6 +1975,7 @@ libraries:
- org.eclipse.jetty: jetty-servlet
- org.eclipse.jetty: jetty-servlets
- org.eclipse.jetty: jetty-util
+ - org.eclipse.jetty: jetty-util-ajax
notice: |
==============================================================
Jetty Web Container
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 6a532ef..30147fb 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -58,6 +58,17 @@
<cve>CVE-2020-12691</cve>
</suppress>
+
+ <suppress>
+ <!-- Not much for us to do as a user of the client lib, and no patch is available,
+ see https://github.com/kubernetes/kubernetes/issues/97076 -->
+ <notes><![CDATA[
+ file name: client-java-10.0.1.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/io\.kubernetes/client\-java.*@10.0.1$</packageUrl>
+ <cve>CVE-2020-8554</cve>
+ </suppress>
+
<!-- FIXME: These are suppressed so that CI can enforce that no new vulnerable dependencies are added. -->
<suppress>
<!--
@@ -287,5 +298,49 @@
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-.*@.*$</packageUrl>
<cve>CVE-2018-11765</cve>
+ <cve>CVE-2020-9492</cve>
+ </suppress>
+ <suppress>
+ <!-- We don't use scala compilation daemon. -->
+ <notes><![CDATA[
+ file name: kafka-clients-2.7.0.jar
+ ]]></notes>
+ <cve>CVE-2017-15288</cve>
+ </suppress>
+ <suppress until="2021-04-30">
+ <!-- Suppress this until https://github.com/apache/druid/issues/11028 is resolved. -->
+ <notes><![CDATA[
+ This vulnerability should be fixed soon and the suppression should be removed.
+ ]]></notes>
+ <cve>CVE-2020-13949</cve>
+ </suppress>
+
+ <suppress>
+ <!-- (avro, parquet, integration-tests) we don't allow velocity templates to be uploaded by untrusted users -->
+ <notes><![CDATA[
+ file name: velocity-engine-core-2.2.jar:
+ ]]></notes>
+ <cve>CVE-2020-13936</cve>
+ </suppress>
+
+ <suppress>
+ <!-- (ranger, ambari, and aliyun-oss) these vulnerabilities are legit, but their latest releases still use the vulnerable jackson version -->
+ <notes><![CDATA[
+ file name: jackson-xc-1.9.x.jar or jackson-jaxrs-1.9.x.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-(xc|jaxrs)@1.9.*$</packageUrl>
+ <cve>CVE-2018-14718</cve>
+ <cve>CVE-2018-7489</cve>
+ </suppress>
+
+ <suppress>
+ <notes><![CDATA[
+ file name: solr-solrj-7.7.1.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.solr/solr-solrj@7.7.1$</packageUrl>
+ <cve>CVE-2020-13957</cve>
+ <cve>CVE-2019-17558</cve>
+ <cve>CVE-2019-0193</cve>
+ <cve>CVE-2020-13941</cve>
</suppress>
</suppressions>
diff --git a/pom.xml b/pom.xml
index 812c226..657bd6a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -90,7 +90,7 @@
<guava.version>16.0.1</guava.version>
<guice.version>4.1.0</guice.version>
<hamcrest.version>1.3</hamcrest.version>
- <jetty.version>9.4.34.v20201102</jetty.version>
+ <jetty.version>9.4.39.v20210325</jetty.version>
<jersey.version>1.19.3</jersey.version>
<jackson.version>2.10.2</jackson.version>
<jackson.databind.version>2.10.5.1</jackson.databind.version>
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org