Upgrade to kubernetes client-java to 19.0.3

[habelson]

In spring-cloud-kubernetes-client-config, dependencies protobuf (CVE-2024-7254) and jose4j (CVE-2023-51775) have DOS CVE's associated with them from io.kubernetes:client-java:19.0.2

It appears the latest release of 3.3.0 is still using 19.0.2 of the client-java library

This issue is corrected in versions greater than 19.0.2 of client-java

[ryanjbaxter]

We cannot move to 20.0.x in the 3.3.x branch, it would be considered a breaking change.

I can try and submit some PRs to update the dependencies in the 19.0.x branch but then the kubernetes java client would need to do a release. I can see what I can do, but for now you can update the protobuf and jose4j dependencies in your application to versions that don't have the CVEs to work around the problem

[ryanjbaxter]

Here are two PRs that would address this in the 19.0.x branch

kubernetes-client/java#4077
kubernetes-client/java#4076

[habelson]

@ryanjbaxter as a request. if they do roll a new release for 19.x with your changes, is it possible to include that also in the 2024 (3.2.x) train?

[ryanjbaxter]

Yup!

[ryanjbaxter]

Fixed in #1926