From 6872ac332f392790688dfd971e232240bd9f4978 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicol=C3=B2=20Boschi?=
Date: Wed, 13 Jul 2022 01:16:01 +0200
Subject: [PATCH] [fix][security] Upgrade to Jetty to 9.4.48.v20220622 to get rid of CVE-2022-2047 (#16520)
* [fix][security] Upgrade to Jetty to 9.4.48.v20220622 to get rid of CVE-2022-2047
* suppress CVE-2022-2191 - false positive
* Revert "suppress CVE-2022-2191 - false positive"
This reverts commit ab4601f43093c88ae97b03af9d90518fea174768.
---
 .../server/src/assemble/LICENSE.bin.txt | 38 +++++++++----------
 pom.xml | 2 +-
 pulsar-sql/presto-distribution/LICENSE | 32 ++++++++--------
 3 files changed, 36 insertions(+), 36 deletions(-)
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
index a543a9017bcde..ba3b7aa05d8ec 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -429,25 +429,25 @@ The Apache Software License, Version 2.0
 - org.asynchttpclient-async-http-client-2.12.1.jar
 - org.asynchttpclient-async-http-client-netty-utils-2.12.1.jar
 * Jetty
- - org.eclipse.jetty-jetty-client-9.4.44.v20210927.jar
- - org.eclipse.jetty-jetty-continuation-9.4.44.v20210927.jar
- - org.eclipse.jetty-jetty-http-9.4.44.v20210927.jar
- - org.eclipse.jetty-jetty-io-9.4.44.v20210927.jar
- - org.eclipse.jetty-jetty-proxy-9.4.44.v20210927.jar
- - org.eclipse.jetty-jetty-security-9.4.44.v20210927.jar
- - org.eclipse.jetty-jetty-server-9.4.44.v20210927.jar
- - org.eclipse.jetty-jetty-servlet-9.4.44.v20210927.jar
- - org.eclipse.jetty-jetty-servlets-9.4.44.v20210927.jar
- - org.eclipse.jetty-jetty-util-9.4.44.v20210927.jar
- - org.eclipse.jetty-jetty-util-ajax-9.4.44.v20210927.jar
- - org.eclipse.jetty.websocket-javax-websocket-client-impl-9.4.44.v20210927.jar
- - org.eclipse.jetty.websocket-websocket-api-9.4.44.v20210927.jar
- - org.eclipse.jetty.websocket-websocket-client-9.4.44.v20210927.jar
- - org.eclipse.jetty.websocket-websocket-common-9.4.44.v20210927.jar
- - org.eclipse.jetty.websocket-websocket-server-9.4.44.v20210927.jar
- - org.eclipse.jetty.websocket-websocket-servlet-9.4.44.v20210927.jar
- - org.eclipse.jetty-jetty-alpn-conscrypt-server-9.4.44.v20210927.jar
- - org.eclipse.jetty-jetty-alpn-server-9.4.44.v20210927.jar
+ - org.eclipse.jetty-jetty-client-9.4.48.v20220622.jar
+ - org.eclipse.jetty-jetty-continuation-9.4.48.v20220622.jar
+ - org.eclipse.jetty-jetty-http-9.4.48.v20220622.jar
+ - org.eclipse.jetty-jetty-io-9.4.48.v20220622.jar
+ - org.eclipse.jetty-jetty-proxy-9.4.48.v20220622.jar
+ - org.eclipse.jetty-jetty-security-9.4.48.v20220622.jar
+ - org.eclipse.jetty-jetty-server-9.4.48.v20220622.jar
+ - org.eclipse.jetty-jetty-servlet-9.4.48.v20220622.jar
+ - org.eclipse.jetty-jetty-servlets-9.4.48.v20220622.jar
+ - org.eclipse.jetty-jetty-util-9.4.48.v20220622.jar
+ - org.eclipse.jetty-jetty-util-ajax-9.4.48.v20220622.jar
+ - org.eclipse.jetty.websocket-javax-websocket-client-impl-9.4.48.v20220622.jar
+ - org.eclipse.jetty.websocket-websocket-api-9.4.48.v20220622.jar
+ - org.eclipse.jetty.websocket-websocket-client-9.4.48.v20220622.jar
+ - org.eclipse.jetty.websocket-websocket-common-9.4.48.v20220622.jar
+ - org.eclipse.jetty.websocket-websocket-server-9.4.48.v20220622.jar
+ - org.eclipse.jetty.websocket-websocket-servlet-9.4.48.v20220622.jar
+ - org.eclipse.jetty-jetty-alpn-conscrypt-server-9.4.48.v20220622.jar
+ - org.eclipse.jetty-jetty-alpn-server-9.4.48.v20220622.jar
 * SnakeYaml -- org.yaml-snakeyaml-1.30.jar
 * RocksDB - org.rocksdb-rocksdbjni-6.29.4.1.jar
 * Google Error Prone Annotations - com.google.errorprone-error_prone_annotations-2.5.1.jar
diff --git a/pom.xml b/pom.xml
index 10be5ffb4d98d..a7fb7680e89ea 100644
--- a/pom.xml
+++ b/pom.xml
@@ -122,7 +122,7 @@ flexible messaging model and an intuitive client API.
 5.1.0
 4.1.77.Final
 2.0.52.Final
- 9.4.44.v20210927
+ 9.4.48.v20220622
 2.5.2
 2.34
 1.10.50
diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
index b53b999ce764a..7a07543640c1b 100644
--- a/pulsar-sql/presto-distribution/LICENSE
+++ b/pulsar-sql/presto-distribution/LICENSE
@@ -274,22 +274,22 @@ The Apache Software License, Version 2.0
 - joda-time-2.10.5.jar
 - failsafe-2.4.4.jar
 * Jetty
- - http2-client-9.4.44.v20210927.jar
- - http2-common-9.4.44.v20210927.jar
- - http2-hpack-9.4.44.v20210927.jar
- - http2-http-client-transport-9.4.44.v20210927.jar
- - jetty-alpn-client-9.4.44.v20210927.jar
- - http2-server-9.4.44.v20210927.jar
- - jetty-alpn-java-client-9.4.44.v20210927.jar
- - jetty-client-9.4.44.v20210927.jar
- - jetty-http-9.4.44.v20210927.jar
- - jetty-io-9.4.44.v20210927.jar
- - jetty-jmx-9.4.44.v20210927.jar
- - jetty-security-9.4.44.v20210927.jar
- - jetty-server-9.4.44.v20210927.jar
- - jetty-servlet-9.4.44.v20210927.jar
- - jetty-util-9.4.44.v20210927.jar
- - jetty-util-ajax-9.4.44.v20210927.jar
+ - http2-client-9.4.48.v20220622.jar
+ - http2-common-9.4.48.v20220622.jar
+ - http2-hpack-9.4.48.v20220622.jar
+ - http2-http-client-transport-9.4.48.v20220622.jar
+ - jetty-alpn-client-9.4.48.v20220622.jar
+ - http2-server-9.4.48.v20220622.jar
+ - jetty-alpn-java-client-9.4.48.v20220622.jar
+ - jetty-client-9.4.48.v20220622.jar
+ - jetty-http-9.4.48.v20220622.jar
+ - jetty-io-9.4.48.v20220622.jar
+ - jetty-jmx-9.4.48.v20220622.jar
+ - jetty-security-9.4.48.v20220622.jar
+ - jetty-server-9.4.48.v20220622.jar
+ - jetty-servlet-9.4.48.v20220622.jar
+ - jetty-util-9.4.48.v20220622.jar
+ - jetty-util-ajax-9.4.48.v20220622.jar
 * Apache BVal
 - bval-jsr-2.0.0.jar
 * Bytecode