Posted to notifications@skywalking.apache.org by wu...@apache.org on 2021/08/03 03:31:20 UTC

[skywalking] branch dep-commons-compress created (now cd1b8b9)

This is an automated email from the ASF dual-hosted git repository.

wusheng pushed a change to branch dep-commons-compress
in repository https://gitbox.apache.org/repos/asf/skywalking.git.


      at cd1b8b9  Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090

This branch includes the following new commits:

     new cd1b8b9  Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


[skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090


wusheng pushed a commit to branch dep-commons-compress
in repository https://gitbox.apache.org/repos/asf/skywalking.git

commit cd1b8b9404a1ed78db40d9893ee9861b5b7e05f4
Author: Wu Sheng <wu...@foxmail.com>
AuthorDate: Tue Aug 3 11:31:01 2021 +0800

    Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
---
 CHANGES.md                                            |  5 +++++
 dist-material/release-docs/LICENSE                    | 15 ++++++++-------
 oap-server-bom/pom.xml                                |  2 +-
 .../known-oap-backend-dependencies-es7.txt            | 19 ++++++++++---------
 tools/dependencies/known-oap-backend-dependencies.txt | 19 ++++++++++---------
 5 files changed, 34 insertions(+), 26 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index f5f4bed..2dd50bd 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -8,10 +8,15 @@ Release Notes.
 #### Project
 
 #### Java Agent
+
 * Support Multiple DNS period resolving mechanism
 
 #### OAP-Backend
 
+* Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090. Upgrade org.apache.commons:commons-compress to
+  1.21.
+* kubernetes java client upgrade from 12.0.1 to 13.0.0
+
 #### UI
 
 #### Documentation
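Review bot: the new OAP-Backend entry on the commons-compress line omits the version being upgraded from, while the kubernetes line right below it gives both ("from 12.0.1 to 13.0.0"); for consistency and so readers can tell whether their build was affected, write it as "Upgrade org.apache.commons:commons-compress from 1.20 to 1.21" (the old version is visible in the LICENSE and known-dependencies hunks of this same commit). The other bumps this commit carries, jose4j 0.7.6 to 0.7.8, BouncyCastle 1.68 to 1.69 (plus the new bcutil-jdk15on jar) and simpleclient_httpserver 0.10.0 to 0.11.0, have no changelog line at all; either add them here or mention in the commons-compress line that they arrive as transitive updates.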
diff --git a/dist-material/release-docs/LICENSE b/dist-material/release-docs/LICENSE
index e049a27..97c7696 100755
--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -270,7 +270,7 @@ The text of each license is the standard Apache 2.0 license.
     Apache: commons-collections 3.2.2: https://github.com/apache/commons-collections, Apache 2.0
     Apache: commons-configuration 1.8: https://github.com/apache/commons-configuration, Apache 2.0
     Apache: commons-io 2.4: https://github.com/apache/commons-io, Apache 2.0
-    Apache: commons-compress 1.20: https://github.com/apache/commons-compress, Apache 2.0
+    Apache: commons-compress 1.21: https://github.com/apache/commons-compress, Apache 2.0
     Apache: commons-collections4 4.4: https://mvnrepository.com/artifact/org.apache.commons/commons-collections4, Apache 2.0
     Apache: freemarker 2.3.28: https://github.com/apache/freemarker, Apache 2.0
     netty 4.1.65: https://github.com/netty/netty/blob/4.1/LICENSE.txt, Apache 2.0
@@ -306,7 +306,7 @@ The text of each license is the standard Apache 2.0 license.
     HikariCP 3.1.0: https://github.com/brettwooldridge/HikariCP, Apache 2.0
     zipkin 2.9.1: https://github.com/openzipkin/zipkin, Apache 2.0
     sharding-jdbc-core 2.0.3: https://github.com/sharding-sphere/sharding-sphere, Apache 2.0
-    kubernetes-client 12.0.1: https://github.com/kubernetes-client/java, Apache 2.0
+    kubernetes-client 13.0.0: https://github.com/kubernetes-client/java, Apache 2.0
     proto files from istio/istio: https://github.com/istio/istio  Apache 2.0
     proto files from istio/api: https://github.com/istio/api      Apache 2.0
     nacos 1.4.2: https://github.com/alibaba/nacos, Apache 2.0
@@ -330,7 +330,7 @@ The text of each license is the standard Apache 2.0 license.
     logging-interceptor 3.13.1: https://github.com/square/okhttp/tree/master/okhttp-logging-interceptor, Apache 2.0
     msgpack-core 0.8.16: https://github.com/msgpack/msgpack-java, Apache 2.0
     swagger-annotations 1.6.2: https://mvnrepository.com/artifact/io.swagger.core.v3/swagger-annotations, Apache 2.0
-    jose4j 0.7.6: https://mvnrepository.com/artifact/org.bitbucket.b_c/jose4j, Apache 2.0
+    jose4j 0.7.8: https://mvnrepository.com/artifact/org.bitbucket.b_c/jose4j, Apache 2.0
     converter-moshi 2.5.0: https://mvnrepository.com/artifact/com.squareup.retrofit2/converter-moshi, Apache 2.0
     vavr 0.10.3: https://github.com/vavr-io/vavr, Apache 2.0
     kafka-clients 2.4.1: https://github.com/apache/kafka, Apache 2.0
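Review bot: the jose4j bump from 0.7.6 to 0.7.8 is recorded here and in both known-dependencies lists but is mentioned nowhere in the commit message or CHANGES.md; a dependency upgrade that ships in a CVE-fix commit should be called out so a release reviewer can see it was intentional rather than an accidental transitive drift.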
@@ -340,7 +340,7 @@ The text of each license is the standard Apache 2.0 license.
     mvel 2.4.8: https://github.com/mvel/mvel, Apache 2.0
     okio 1.17.2: https://github.com/square/okio Apache 2.0
     caffeine 2.6.2: https://github.com/ben-manes/caffeine Apache 2.0
-    simpleclient_httpserver from prometheus https://github.com/prometheus/client_java Apache 2.0
+    simpleclient_httpserver 0.11 from prometheus https://github.com/prometheus/client_java Apache 2.0
     jetcd 0.5.3, https://github.com/etcd-io/jetcd, Apache 2.0
     failasfe 2.3.4, https://github.com/jhalterman/failsafe, Apache 2.0
 
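Review bot: the new line records `simpleclient_httpserver 0.11` while both known-dependencies files in this commit list `simpleclient_httpserver-0.11.0.jar`; use the full `0.11.0` here so the LICENSE entry matches the artifact name a license check would grep for. Unrelated to this change but in the same context: the `failasfe 2.3.4` line two entries down is a typo for `failsafe`, worth fixing in a follow-up.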
@@ -356,9 +356,10 @@ The text of each license is also included at licenses/LICENSE-[project].txt.
     GraphQL java 8.0: https://github.com/graphql-java/graphql-java , MIT
     GraphQL Java Tools 5.2.3: https://github.com/graphql-java/graphql-java-tools , MIT
     jopt-simple 5.0.2: https://github.com/jopt-simple/jopt-simple , MIT
-    bcpkix-jdk15on 1.68: http://www.bouncycastle.org/licence.html , MIT
-    bcprov-jdk15on 1.68: http://www.bouncycastle.org/licence.html , MIT
-    bcprov-ext-jdk15on 1.68: http://www.bouncycastle.org/licence.html , MIT
+    bcpkix-jdk15on 1.69: http://www.bouncycastle.org/licence.html , MIT
+    bcprov-jdk15on 1.69: http://www.bouncycastle.org/licence.html , MIT
+    bcprov-ext-jdk15on 1.69: http://www.bouncycastle.org/licence.html , MIT
+    bcutil-ext-jdk15on 1.69: http://www.bouncycastle.org/licence.html , MIT
     minimal-json 0.9.5:  https://github.com/ralfstx/minimal-json, MIT
     checker-qual 2.8.1: https://github.com/typetools/checker-framework, MIT
     influxdb-java 2.15: https://github.com/influxdata/influxdb-java, MIT
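Review bot: the added entry `bcutil-ext-jdk15on 1.69` does not match the artifact actually added to the dependency lists in this commit, which is `bcutil-jdk15on-1.69.jar` (no `-ext`); the BouncyCastle artifact is named `bcutil-jdk15on`, so the LICENSE line should read `bcutil-jdk15on 1.69: http://www.bouncycastle.org/licence.html , MIT`. As written, a license audit that reconciles LICENSE against the jar list would flag the new jar as unlicensed and the `-ext` entry as orphaned.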
diff --git a/oap-server-bom/pom.xml b/oap-server-bom/pom.xml
index 2d3bd1a..5b4e179 100644
--- a/oap-server-bom/pom.xml
+++ b/oap-server-bom/pom.xml
@@ -47,7 +47,7 @@
         <netty-tcnative-boringssl-static.version>2.0.39.Final</netty-tcnative-boringssl-static.version>
         <jetty.version>9.4.40.v20210413</jetty.version>
         <commons-io.version>2.6</commons-io.version>
-        <kubernetes.version>12.0.1</kubernetes.version>
+        <kubernetes.version>13.0.0</kubernetes.version>
         <hikaricp.version>3.1.0</hikaricp.version>
         <zipkin.version>2.9.1</zipkin.version>
         <jackson-core.version>2.12.2</jackson-core.version>
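Review bot: the only property this hunk changes is `kubernetes.version`; nothing in the BOM pins `commons-compress` to 1.21, so the CVE fix the commit is named for relies on the upgraded kubernetes client pulling commons-compress 1.21 transitively. That is fragile: a later kubernetes-client change, or any other module declaring commons-compress, can silently drag the resolved version back to a vulnerable release with only the known-dependencies text files standing in the way. Suggest adding an explicit `<commons-compress.version>1.21</commons-compress.version>` property and a matching `dependencyManagement` entry for `org.apache.commons:commons-compress` in this BOM so the fixed version is enforced directly, and stating in the commit message that the fix is delivered via the kubernetes-client upgrade.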
diff --git a/tools/dependencies/known-oap-backend-dependencies-es7.txt b/tools/dependencies/known-oap-backend-dependencies-es7.txt
index 8f2c7b6..d6a3530 100755
--- a/tools/dependencies/known-oap-backend-dependencies-es7.txt
+++ b/tools/dependencies/known-oap-backend-dependencies-es7.txt
@@ -8,17 +8,18 @@ aopalliance-1.0.jar
 apollo-client-1.8.0.jar
 apollo-core-1.8.0.jar
 audience-annotations-0.5.0.jar
-bcpkix-jdk15on-1.68.jar
-bcprov-ext-jdk15on-1.68.jar
-bcprov-jdk15on-1.68.jar
+bcpkix-jdk15on-1.69.jar
+bcprov-ext-jdk15on-1.69.jar
+bcprov-jdk15on-1.69.jar
+bcutil-jdk15on-1.69.jar
 checker-qual-2.8.1.jar
-client-java-12.0.1.jar
-client-java-api-12.0.1.jar
-client-java-proto-12.0.1.jar
+client-java-13.0.0.jar
+client-java-api-13.0.0.jar
+client-java-proto-13.0.0.jar
 commons-beanutils-1.9.4.jar
 commons-codec-1.11.jar
 commons-collections4-4.4.jar
-commons-compress-1.20.jar
+commons-compress-1.21.jar
 commons-dbcp-1.4.jar
 commons-io-2.6.jar
 commons-lang3-3.12.0.jar
@@ -95,7 +96,7 @@ jetty-util-ajax-9.4.40.v20210413.jar
 jna-5.5.0.jar
 joda-time-2.10.5.jar
 jopt-simple-4.6.jar
-jose4j-0.7.6.jar
+jose4j-0.7.8.jar
 jsr305-3.0.2.jar
 kafka-clients-2.4.1.jar
 kotlin-reflect-1.1.1.jar
@@ -158,7 +159,7 @@ s2-geometry-library-java-1.0.0.jar
 simpleclient-0.6.0.jar
 simpleclient_common-0.6.0.jar
 simpleclient_hotspot-0.6.0.jar
-simpleclient_httpserver-0.10.0.jar
+simpleclient_httpserver-0.11.0.jar
 slf4j-api-1.7.30.jar
 snakeyaml-1.28.jar
 snappy-java-1.1.7.3.jar
diff --git a/tools/dependencies/known-oap-backend-dependencies.txt b/tools/dependencies/known-oap-backend-dependencies.txt
index 9dcd63e..682bad1 100755
--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -8,17 +8,18 @@ aopalliance-1.0.jar
 apollo-client-1.8.0.jar
 apollo-core-1.8.0.jar
 audience-annotations-0.5.0.jar
-bcpkix-jdk15on-1.68.jar
-bcprov-ext-jdk15on-1.68.jar
-bcprov-jdk15on-1.68.jar
+bcpkix-jdk15on-1.69.jar
+bcprov-ext-jdk15on-1.69.jar
+bcprov-jdk15on-1.69.jar
+bcutil-jdk15on-1.69.jar
 checker-qual-2.8.1.jar
-client-java-12.0.1.jar
-client-java-api-12.0.1.jar
-client-java-proto-12.0.1.jar
+client-java-13.0.0.jar
+client-java-api-13.0.0.jar
+client-java-proto-13.0.0.jar
 commons-beanutils-1.9.4.jar
 commons-codec-1.11.jar
 commons-collections4-4.4.jar
-commons-compress-1.20.jar
+commons-compress-1.21.jar
 commons-dbcp-1.4.jar
 commons-io-2.6.jar
 commons-lang3-3.12.0.jar
@@ -93,7 +94,7 @@ jetty-util-ajax-9.4.40.v20210413.jar
 jna-4.5.1.jar
 joda-time-2.10.5.jar
 jopt-simple-4.6.jar
-jose4j-0.7.6.jar
+jose4j-0.7.8.jar
 jsr305-3.0.2.jar
 kafka-clients-2.4.1.jar
 kotlin-reflect-1.1.1.jar
@@ -154,7 +155,7 @@ retrofit-2.5.0.jar
 simpleclient-0.6.0.jar
 simpleclient_common-0.6.0.jar
 simpleclient_hotspot-0.6.0.jar
-simpleclient_httpserver-0.10.0.jar
+simpleclient_httpserver-0.11.0.jar
 slf4j-api-1.7.30.jar
 snakeyaml-1.28.jar
 snappy-java-1.1.7.3.jar