Posted to notifications@skywalking.apache.org by wu...@apache.org on 2021/08/03 03:31:20 UTC
[skywalking] branch dep-commons-compress created (now cd1b8b9)
This is an automated email from the ASF dual-hosted git repository.
wusheng pushed a change to branch dep-commons-compress
in repository https://gitbox.apache.org/repos/asf/skywalking.git.
at cd1b8b9 Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
This branch includes the following new commits:
new cd1b8b9 Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
[skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516,
CVE-2021-35517, CVE-2021-36090
Posted by wu...@apache.org.
wusheng pushed a commit to branch dep-commons-compress
in repository https://gitbox.apache.org/repos/asf/skywalking.git
commit cd1b8b9404a1ed78db40d9893ee9861b5b7e05f4
Author: Wu Sheng <wu...@foxmail.com>
AuthorDate: Tue Aug 3 11:31:01 2021 +0800
Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
---
CHANGES.md | 5 +++++
dist-material/release-docs/LICENSE | 15 ++++++++-------
oap-server-bom/pom.xml | 2 +-
.../known-oap-backend-dependencies-es7.txt | 19 ++++++++++---------
tools/dependencies/known-oap-backend-dependencies.txt | 19 ++++++++++---------
5 files changed, 34 insertions(+), 26 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index f5f4bed..2dd50bd 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -8,10 +8,15 @@ Release Notes.
#### Project
#### Java Agent
+
* Support Multiple DNS period resolving mechanism
#### OAP-Backend
+* Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090. Upgrade org.apache.commons:commons-compress to
+ 1.21.
+* kubernetes java client upgrade from 12.0.1 to 13.0.0
+
#### UI
#### Documentation
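Review bot: The OAP-Backend entry in this hunk names only commons-compress and the kubernetes java client, but the same commit also moves jose4j from 0.7.6 to 0.7.8, the Bouncy Castle jars from 1.68 to 1.69 (adding a bcutil jar) and simpleclient_httpserver from 0.10.0 to 0.11.0 in the LICENSE and known-dependencies files. List those bumps here as well, or say that they come in with the kubernetes client upgrade if that is the case, so the release notes match what ships. The lone `+` blank line added under `#### Java Agent` is an unrelated whitespace change and could be dropped from a security fix commit.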
diff --git a/dist-material/release-docs/LICENSE b/dist-material/release-docs/LICENSE
index e049a27..97c7696 100755
--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -270,7 +270,7 @@ The text of each license is the standard Apache 2.0 license.
Apache: commons-collections 3.2.2: https://github.com/apache/commons-collections, Apache 2.0
Apache: commons-configuration 1.8: https://github.com/apache/commons-configuration, Apache 2.0
Apache: commons-io 2.4: https://github.com/apache/commons-io, Apache 2.0
- Apache: commons-compress 1.20: https://github.com/apache/commons-compress, Apache 2.0
+ Apache: commons-compress 1.21: https://github.com/apache/commons-compress, Apache 2.0
Apache: commons-collections4 4.4: https://mvnrepository.com/artifact/org.apache.commons/commons-collections4, Apache 2.0
Apache: freemarker 2.3.28: https://github.com/apache/freemarker, Apache 2.0
netty 4.1.65: https://github.com/netty/netty/blob/4.1/LICENSE.txt, Apache 2.0
@@ -306,7 +306,7 @@ The text of each license is the standard Apache 2.0 license.
HikariCP 3.1.0: https://github.com/brettwooldridge/HikariCP, Apache 2.0
zipkin 2.9.1: https://github.com/openzipkin/zipkin, Apache 2.0
sharding-jdbc-core 2.0.3: https://github.com/sharding-sphere/sharding-sphere, Apache 2.0
- kubernetes-client 12.0.1: https://github.com/kubernetes-client/java, Apache 2.0
+ kubernetes-client 13.0.0: https://github.com/kubernetes-client/java, Apache 2.0
proto files from istio/istio: https://github.com/istio/istio Apache 2.0
proto files from istio/api: https://github.com/istio/api Apache 2.0
nacos 1.4.2: https://github.com/alibaba/nacos, Apache 2.0
@@ -330,7 +330,7 @@ The text of each license is the standard Apache 2.0 license.
logging-interceptor 3.13.1: https://github.com/square/okhttp/tree/master/okhttp-logging-interceptor, Apache 2.0
msgpack-core 0.8.16: https://github.com/msgpack/msgpack-java, Apache 2.0
swagger-annotations 1.6.2: https://mvnrepository.com/artifact/io.swagger.core.v3/swagger-annotations, Apache 2.0
- jose4j 0.7.6: https://mvnrepository.com/artifact/org.bitbucket.b_c/jose4j, Apache 2.0
+ jose4j 0.7.8: https://mvnrepository.com/artifact/org.bitbucket.b_c/jose4j, Apache 2.0
converter-moshi 2.5.0: https://mvnrepository.com/artifact/com.squareup.retrofit2/converter-moshi, Apache 2.0
vavr 0.10.3: https://github.com/vavr-io/vavr, Apache 2.0
kafka-clients 2.4.1: https://github.com/apache/kafka, Apache 2.0
@@ -340,7 +340,7 @@ The text of each license is the standard Apache 2.0 license.
mvel 2.4.8: https://github.com/mvel/mvel, Apache 2.0
okio 1.17.2: https://github.com/square/okio Apache 2.0
caffeine 2.6.2: https://github.com/ben-manes/caffeine Apache 2.0
- simpleclient_httpserver from prometheus https://github.com/prometheus/client_java Apache 2.0
+ simpleclient_httpserver 0.11 from prometheus https://github.com/prometheus/client_java Apache 2.0
jetcd 0.5.3, https://github.com/etcd-io/jetcd, Apache 2.0
failasfe 2.3.4, https://github.com/jhalterman/failsafe, Apache 2.0
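Review bot: The new LICENSE entry gives the version as `simpleclient_httpserver 0.11`, while both known-dependencies files in this commit list `simpleclient_httpserver-0.11.0.jar`. Write the full `0.11.0` here so the license record can be matched against the shipped jar. The entry also keeps the `from prometheus` wording instead of the `name version: URL, license` form its neighbours use, which is worth normalising while the line is being touched.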
@@ -356,9 +356,10 @@ The text of each license is also included at licenses/LICENSE-[project].txt.
GraphQL java 8.0: https://github.com/graphql-java/graphql-java , MIT
GraphQL Java Tools 5.2.3: https://github.com/graphql-java/graphql-java-tools , MIT
jopt-simple 5.0.2: https://github.com/jopt-simple/jopt-simple , MIT
- bcpkix-jdk15on 1.68: http://www.bouncycastle.org/licence.html , MIT
- bcprov-jdk15on 1.68: http://www.bouncycastle.org/licence.html , MIT
- bcprov-ext-jdk15on 1.68: http://www.bouncycastle.org/licence.html , MIT
+ bcpkix-jdk15on 1.69: http://www.bouncycastle.org/licence.html , MIT
+ bcprov-jdk15on 1.69: http://www.bouncycastle.org/licence.html , MIT
+ bcprov-ext-jdk15on 1.69: http://www.bouncycastle.org/licence.html , MIT
+ bcutil-ext-jdk15on 1.69: http://www.bouncycastle.org/licence.html , MIT
minimal-json 0.9.5: https://github.com/ralfstx/minimal-json, MIT
checker-qual 2.8.1: https://github.com/typetools/checker-framework, MIT
influxdb-java 2.15: https://github.com/influxdata/influxdb-java, MIT
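Review bot: The added LICENSE line names `bcutil-ext-jdk15on 1.69`, but the jar added to both known-dependencies files in this commit is `bcutil-jdk15on-1.69.jar`, with no `-ext`. One of the two names is wrong. Since the dependency lists record the artifacts actually bundled, the LICENSE entry most likely needs to read `bcutil-jdk15on 1.69`.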
diff --git a/oap-server-bom/pom.xml b/oap-server-bom/pom.xml
index 2d3bd1a..5b4e179 100644
--- a/oap-server-bom/pom.xml
+++ b/oap-server-bom/pom.xml
@@ -47,7 +47,7 @@
<netty-tcnative-boringssl-static.version>2.0.39.Final</netty-tcnative-boringssl-static.version>
<jetty.version>9.4.40.v20210413</jetty.version>
<commons-io.version>2.6</commons-io.version>
- <kubernetes.version>12.0.1</kubernetes.version>
+ <kubernetes.version>13.0.0</kubernetes.version>
<hikaricp.version>3.1.0</hikaricp.version>
<zipkin.version>2.9.1</zipkin.version>
<jackson-core.version>2.12.2</jackson-core.version>
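Review bot: `kubernetes.version` is the only property changed in oap-server-bom/pom.xml (the diffstat shows a single modified line), so commons-compress reaches 1.21 only through whatever the new dependency set resolves transitively. Since the commit exists to fix the four commons-compress CVEs, manage the commons-compress version explicitly in the BOM, for example through a dedicated version property set to 1.21, so that a later change to the kubernetes client version cannot silently bring 1.20 back.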
diff --git a/tools/dependencies/known-oap-backend-dependencies-es7.txt b/tools/dependencies/known-oap-backend-dependencies-es7.txt
index 8f2c7b6..d6a3530 100755
--- a/tools/dependencies/known-oap-backend-dependencies-es7.txt
+++ b/tools/dependencies/known-oap-backend-dependencies-es7.txt
@@ -8,17 +8,18 @@ aopalliance-1.0.jar
apollo-client-1.8.0.jar
apollo-core-1.8.0.jar
audience-annotations-0.5.0.jar
-bcpkix-jdk15on-1.68.jar
-bcprov-ext-jdk15on-1.68.jar
-bcprov-jdk15on-1.68.jar
+bcpkix-jdk15on-1.69.jar
+bcprov-ext-jdk15on-1.69.jar
+bcprov-jdk15on-1.69.jar
+bcutil-jdk15on-1.69.jar
checker-qual-2.8.1.jar
-client-java-12.0.1.jar
-client-java-api-12.0.1.jar
-client-java-proto-12.0.1.jar
+client-java-13.0.0.jar
+client-java-api-13.0.0.jar
+client-java-proto-13.0.0.jar
commons-beanutils-1.9.4.jar
commons-codec-1.11.jar
commons-collections4-4.4.jar
-commons-compress-1.20.jar
+commons-compress-1.21.jar
commons-dbcp-1.4.jar
commons-io-2.6.jar
commons-lang3-3.12.0.jar
@@ -95,7 +96,7 @@ jetty-util-ajax-9.4.40.v20210413.jar
jna-5.5.0.jar
joda-time-2.10.5.jar
jopt-simple-4.6.jar
-jose4j-0.7.6.jar
+jose4j-0.7.8.jar
jsr305-3.0.2.jar
kafka-clients-2.4.1.jar
kotlin-reflect-1.1.1.jar
@@ -158,7 +159,7 @@ s2-geometry-library-java-1.0.0.jar
simpleclient-0.6.0.jar
simpleclient_common-0.6.0.jar
simpleclient_hotspot-0.6.0.jar
-simpleclient_httpserver-0.10.0.jar
+simpleclient_httpserver-0.11.0.jar
slf4j-api-1.7.30.jar
snakeyaml-1.28.jar
snappy-java-1.1.7.3.jar
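Review bot: simpleclient_httpserver moves to 0.11.0 in this hunk while simpleclient, simpleclient_common and simpleclient_hotspot in the surrounding context lines stay at 0.6.0, which widens the version gap inside the Prometheus client family. Confirm that the 0.11.0 HTTP server module works against the 0.6.0 core jars, or align the four artifacts on one version in the BOM. The same point applies to the identical hunk in known-oap-backend-dependencies.txt.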
diff --git a/tools/dependencies/known-oap-backend-dependencies.txt b/tools/dependencies/known-oap-backend-dependencies.txt
index 9dcd63e..682bad1 100755
--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -8,17 +8,18 @@ aopalliance-1.0.jar
apollo-client-1.8.0.jar
apollo-core-1.8.0.jar
audience-annotations-0.5.0.jar
-bcpkix-jdk15on-1.68.jar
-bcprov-ext-jdk15on-1.68.jar
-bcprov-jdk15on-1.68.jar
+bcpkix-jdk15on-1.69.jar
+bcprov-ext-jdk15on-1.69.jar
+bcprov-jdk15on-1.69.jar
+bcutil-jdk15on-1.69.jar
checker-qual-2.8.1.jar
-client-java-12.0.1.jar
-client-java-api-12.0.1.jar
-client-java-proto-12.0.1.jar
+client-java-13.0.0.jar
+client-java-api-13.0.0.jar
+client-java-proto-13.0.0.jar
commons-beanutils-1.9.4.jar
commons-codec-1.11.jar
commons-collections4-4.4.jar
-commons-compress-1.20.jar
+commons-compress-1.21.jar
commons-dbcp-1.4.jar
commons-io-2.6.jar
commons-lang3-3.12.0.jar
@@ -93,7 +94,7 @@ jetty-util-ajax-9.4.40.v20210413.jar
jna-4.5.1.jar
joda-time-2.10.5.jar
jopt-simple-4.6.jar
-jose4j-0.7.6.jar
+jose4j-0.7.8.jar
jsr305-3.0.2.jar
kafka-clients-2.4.1.jar
kotlin-reflect-1.1.1.jar
@@ -154,7 +155,7 @@ retrofit-2.5.0.jar
simpleclient-0.6.0.jar
simpleclient_common-0.6.0.jar
simpleclient_hotspot-0.6.0.jar
-simpleclient_httpserver-0.10.0.jar
+simpleclient_httpserver-0.11.0.jar
slf4j-api-1.7.30.jar
snakeyaml-1.28.jar
snappy-java-1.1.7.3.jar