
Commit b8cc1fb

author
ZhangJian He
authored
Override OkHttp Version in Otel to Fix CVE-2023-3635 (#4400)
Signed-off-by: ZhangJian He <shoothzj@gmail.com>
1 parent 3ab5759 commit b8cc1fb


3 files changed

+45
-18
lines changed


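--- a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
@@ -324,9 +324,9 @@ Apache Software License, Version 2.
 - lib/io.reactivex.rxjava3-rxjava-3.0.1.jar [51]
 - lib/org.hdrhistogram-HdrHistogram-2.1.10.jar [52]
 - lib/com.carrotsearch-hppc-0.9.1.jar [53]
-- lib/com.squareup.okhttp3-okhttp-4.11.0.jar [54]
-- lib/com.squareup.okio-okio-3.2.0.jar [54]
-- lib/com.squareup.okio-okio-jvm-3.2.0.jar [54]
+- lib/com.squareup.okhttp3-okhttp-4.12.0.jar [54]
+- lib/com.squareup.okio-okio-3.6.0.jar [54]
+- lib/com.squareup.okio-okio-jvm-3.6.0.jar [54]
 - lib/io.opentelemetry-opentelemetry-api-1.26.0.jar [55]
 - lib/io.opentelemetry-opentelemetry-api-events-1.26.0-alpha.jar [55]
 - lib/io.opentelemetry-opentelemetry-api-logs-1.26.0-alpha.jar [55]
@@ -348,10 +348,10 @@ Apache Software License, Version 2.
 - lib/io.opentelemetry.instrumentation-opentelemetry-instrumentation-api-semconv-1.26.0-alpha.jar [55]
 - lib/io.opentelemetry.instrumentation-opentelemetry-runtime-metrics-1.26.0-alpha.jar [54]
 - lib/org.jetbrains-annotations-13.0.jar [56]
-- lib/org.jetbrains.kotlin-kotlin-stdlib-1.6.20.jar [56]
-- lib/org.jetbrains.kotlin-kotlin-stdlib-common-1.6.20.jar [56]
-- lib/org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.6.20.jar [56]
-- lib/org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.6.20.jar [56]
+- lib/org.jetbrains.kotlin-kotlin-stdlib-1.8.21.jar [56]
+- lib/org.jetbrains.kotlin-kotlin-stdlib-common-1.8.21.jar [56]
+- lib/org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.8.21.jar [56]
+- lib/org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.8.21.jar [56]
 - lib/com.lmax-disruptor-4.0.0.jar [57]
 
 [1] Source available at https://github.com/FasterXML/jackson-annotations/tree/jackson-annotations-2.17.1
@@ -402,9 +402,9 @@ Apache Software License, Version 2.
 [51] Source available at https://github.com/ReactiveX/RxJava/tree/v3.0.1
 [52] Source available at https://github.com/HdrHistogram/HdrHistogram/tree/HdrHistogram-2.1.10
 [53] Source available at https://github.com/carrotsearch/hppc/tree/0.9.1
-[54] Source available at https://github.com/square/okio/releases/tag/parent-3.2.0
+[54] Source available at https://github.com/square/okio/releases/tag/parent-3.6.0
 [55] Source available at https://github.com/open-telemetry/opentelemetry-java/releases/tag/v1.26.0
-[56] Source available at https://github.com/JetBrains/kotlin/releases/tag/v1.6.20
+[56] Source available at https://github.com/JetBrains/kotlin/releases/tag/v1.8.21
 [57] Source available at https://github.com/LMAX-Exchange/disruptor/releases/tag/4.0.0
 
 ------------------------------------------------------------------------------------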

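--- a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
@@ -320,9 +320,9 @@ Apache Software License, Version 2.
 - lib/org.xerial.snappy-snappy-java-1.1.10.5.jar [50]
 - lib/io.reactivex.rxjava3-rxjava-3.0.1.jar [51]
 - lib/com.carrotsearch-hppc-0.9.1.jar [52]
-- lib/com.squareup.okhttp3-okhttp-4.11.0.jar [53]
-- lib/com.squareup.okio-okio-3.2.0.jar [53]
-- lib/com.squareup.okio-okio-jvm-3.2.0.jar [53]
+- lib/com.squareup.okhttp3-okhttp-4.12.0.jar [53]
+- lib/com.squareup.okio-okio-3.6.0.jar [53]
+- lib/com.squareup.okio-okio-jvm-3.6.0.jar [53]
 - lib/io.opentelemetry-opentelemetry-api-1.26.0.jar [54]
 - lib/io.opentelemetry-opentelemetry-api-events-1.26.0-alpha.jar [54]
 - lib/io.opentelemetry-opentelemetry-api-logs-1.26.0-alpha.jar [54]
@@ -344,10 +344,10 @@ Apache Software License, Version 2.
 - lib/io.opentelemetry.instrumentation-opentelemetry-instrumentation-api-semconv-1.26.0-alpha.jar [54]
 - lib/io.opentelemetry.instrumentation-opentelemetry-runtime-metrics-1.26.0-alpha.jar [54]
 - lib/org.jetbrains-annotations-13.0.jar [55]
-- lib/org.jetbrains.kotlin-kotlin-stdlib-1.6.20.jar [55]
-- lib/org.jetbrains.kotlin-kotlin-stdlib-common-1.6.20.jar [55]
-- lib/org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.6.20.jar [55]
-- lib/org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.6.20.jar [55]
+- lib/org.jetbrains.kotlin-kotlin-stdlib-1.8.21.jar [55]
+- lib/org.jetbrains.kotlin-kotlin-stdlib-common-1.8.21.jar [55]
+- lib/org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.8.21.jar [55]
+- lib/org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.8.21.jar [55]
 - lib/com.lmax-disruptor-4.0.0.jar [56]
 
 [1] Source available at https://github.com/FasterXML/jackson-annotations/tree/jackson-annotations-2.17.1
@@ -397,9 +397,9 @@ Apache Software License, Version 2.
 [50] Source available at https://github.com/xerial/snappy-java/releases/tag/v1.1.10.5
 [51] Source available at https://github.com/ReactiveX/RxJava/tree/v3.0.1
 [52] Source available at https://github.com/carrotsearch/hppc/tree/0.9.1
-[53] Source available at https://github.com/square/okio/releases/tag/parent-3.2.0
+[53] Source available at https://github.com/square/okio/releases/tag/parent-3.6.0
 [54] Source available at https://github.com/open-telemetry/opentelemetry-java/releases/tag/v1.26.0
-[55] Source available at https://github.com/JetBrains/kotlin/releases/tag/v1.6.20
+[55] Source available at https://github.com/JetBrains/kotlin/releases/tag/v1.8.21
 [56] Source available at https://github.com/LMAX-Exchange/disruptor/releases/tag/4.0.0
 
 ------------------------------------------------------------------------------------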

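--- a/pom.xml
+++ b/pom.xml
@@ -413,6 +413,21 @@
 <scope>import</scope>
 </dependency>
 
+<!-- override otel's okhttp 4.11.0 for now, wait for otel update -->
+<dependency>
+<groupId>com.squareup.okhttp3</groupId>
+<artifactId>okhttp-bom</artifactId>
+<version>4.12.0</version>
+<type>pom</type>
+<scope>import</scope>
+</dependency>
+<!-- okhttp 4.12.0 use kotlin stdlib 1.8.21 -->
+<dependency>
+<groupId>org.jetbrains.kotlin</groupId>
+<artifactId>kotlin-stdlib-common</artifactId>
+<version>1.8.21</version>
+</dependency>
+
 <!-- rocksdb dependencies -->
 <dependency>
 <groupId>org.rocksdb</groupId>
@@ -1119,6 +1134,18 @@
 </execution>
 </executions>
 </plugin>
+<!-- skip maven source plugin due to
+Error: Failed to execute goal org.apache.maven.plugins:maven-source-plugin:3.3.0:jar-no-fork (attach-sources) on project buildtools:
+Presumably you have configured maven-source-plugin to execute twice times in your build.
+You have to configure a classifier for at least on of them.
+-->
+<plugin>
+<groupId>org.apache.maven.plugins</groupId>
+<artifactId>maven-source-plugin</artifactId>
+<configuration>
+<skipSource>true</skipSource>
+</configuration>
+</plugin>
 </plugins>
 </build>
 </profile>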
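Review bot: Of the four Kotlin stdlib artifacts this commit moves to 1.8.21 (the LICENSE files list `kotlin-stdlib`, `-common`, `-jdk7` and `-jdk8`), only `kotlin-stdlib-common` is pinned in the new dependencyManagement entry; the other three are left to whatever okhttp 4.12.0 pulls in transitively, so the next otel or okhttp bump can silently split the set across two Kotlin versions. Managing them as a unit — a `kotlin.version` property applied to all four, or an import of `org.jetbrains.kotlin:kotlin-bom` at 1.8.21 — avoids that skew. The override comment should also record why the pin exists so it can be retired deliberately, e.g. `<!-- override otel's okhttp 4.11.0: CVE-2023-3635, fixed in okhttp 4.12.0; drop once otel's BOM moves past 4.11.0 -->`. Since Maven honours the first imported BOM that manages a given artifact, this import only takes effect if the BOM imported just above it does not itself manage okhttp; the updated LICENSE files suggest it does not, but a comment saying so would save the next reader a check. The enclosing dependencyManagement block starts and ends outside the hunk.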
