
[Security] Upgrade OkHttp3 to address CVE-2021-0341 #13065

Merged
merged 1 commit into from Dec 9, 2021

Conversation

nicoloboschi (Contributor)

Motivation

Current OkHttp3 version - 3.14.9 - has an open CVE (https://nvd.nist.gov/vuln/detail/CVE-2021-0341) with a score of 7.5.
OkHttp3 is used by Java Kubernetes Client (currently only used by Pulsar Function Worker in "kubernetes" mode)

I upgraded to the latest stable release (4.9.3) where a fix for the CVE has been committed. The OkHttp3 team claims that 3.x and 4.x are fully compatible (at least the Java library):

OkHttp 4.x is both binary- and Java source-compatible with OkHttp 3.x. You can use an OkHttp 4.x .jar file with applications or libraries built for OkHttp 3.x.

Upgrading OkHttp3 and Okio, there is a new transitive dependency - Kotlin Standard Lib (licensed under Apache 2.0)

io.kubernetes:client-java:jar:12.0.1:compile
[INFO] |  |     +- io.kubernetes:client-java-api:jar:12.0.1:compile
[INFO] |  |     |  +- com.squareup.okhttp3:okhttp:jar:4.9.3:compile
[INFO] |  |     |  |  +- com.squareup.okio:okio:jar:2.8.0:compile
[INFO] |  |     |  |  |  \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.4.32:compile
[INFO] |  |     |  |  \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.4.32:compile
[INFO] |  |     |  |     \- org.jetbrains:annotations:jar:13.0:compile
[INFO] |  |     |  +- com.squareup.okhttp3:logging-interceptor:jar:4.9.3:compile
[INFO] |  |     |  |  \- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.4.32:compile
[INFO] |  |     |  |     \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.4.32:compile

Unfortunately, the kotlin-stdlib version used by Okio and OkHttp3 has, in turn, an open CVE (https://nvd.nist.gov/vuln/detail/CVE-2020-29582); in order not to introduce another vulnerability, I've overridden the version with the latest stable one (1.4.32).

Modifications

  • Upgrade OkHttp3 from 3.14.9 to 4.9.3
  • Upgrade Okio to the same version of OkHttp3 4.9.3
  • Override Okio transitive dependency - Kotlin stdlib - to 1.4.32 in order to address CVE-2020-29582

Verifying this change

The change must be verified by deploying and testing a Pulsar Function with the runtime set to kubernetes. (I already performed this kind of test.)

Does this pull request potentially affect one of the following parts:

If yes was chosen, please highlight the changes

  • Dependencies (does it add or upgrade a dependency): (yes)
  • The public API: (no)
  • The schema: (no)
  • The default values of configurations: (no)
  • The wire protocol: (no)
  • The rest endpoints: (no)
  • The admin cli options: (no)
  • Anything that affects deployment: (no)

Documentation

  • no-need-doc
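As an added example (not code from this PR or from the Pulsar project), a Maven pom fragment that applies the three modifications above by managing the versions centrally; the property names, the okio 2.8.0 version and the kotlin-stdlib artifact names follow the dependency tree shown in the description, and the surrounding pom layout is assumed.

```xml
<!-- Added example: pin the transitive versions in the parent pom (assumed layout). -->
<properties>
  <!-- CVE-2021-0341 is fixed in 4.x; 4.x is binary- and source-compatible with 3.x per the OkHttp team -->
  <okhttp3.version>4.9.3</okhttp3.version>
  <!-- Okio release that okhttp 4.9.3 resolves to, per the dependency tree above -->
  <okio.version>2.8.0</okio.version>
  <!-- override the kotlin-stdlib that Okio/OkHttp pull in, to address CVE-2020-29582 -->
  <kotlin.version>1.4.32</kotlin.version>
</properties>

<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.squareup.okhttp3</groupId>
      <artifactId>okhttp</artifactId>
      <version>${okhttp3.version}</version>
    </dependency>
    <dependency>
      <groupId>com.squareup.okhttp3</groupId>
      <artifactId>logging-interceptor</artifactId>
      <version>${okhttp3.version}</version>
    </dependency>
    <dependency>
      <groupId>com.squareup.okio</groupId>
      <artifactId>okio</artifactId>
      <version>${okio.version}</version>
    </dependency>
    <!-- every kotlin-stdlib artifact in the tree must be managed, or one of them keeps the old version -->
    <dependency>
      <groupId>org.jetbrains.kotlin</groupId>
      <artifactId>kotlin-stdlib</artifactId>
      <version>${kotlin.version}</version>
    </dependency>
    <dependency>
      <groupId>org.jetbrains.kotlin</groupId>
      <artifactId>kotlin-stdlib-common</artifactId>
      <version>${kotlin.version}</version>
    </dependency>
    <dependency>
      <groupId>org.jetbrains.kotlin</groupId>
      <artifactId>kotlin-stdlib-jdk7</artifactId>
      <version>${kotlin.version}</version>
    </dependency>
    <dependency>
      <groupId>org.jetbrains.kotlin</groupId>
      <artifactId>kotlin-stdlib-jdk8</artifactId>
      <version>${kotlin.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=com.squareup.okhttp3,org.jetbrains.kotlin` and check that no okhttp 3.14.9 or kotlin-stdlib older than 1.4.32 entries remain in the output.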

* Upgrade OkHttp3 from 3.14.9 to 4.9.3
* Upgrade Okio to the same version of OkHttp3 4.9.3
* Override Okio transitive dependency - Kotlin stdlib - to 1.4.32 in order to address CVE-2020-29582
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Dec 1, 2021
@merlimat merlimat added this to the 2.10.0 milestone Dec 1, 2021
<!-- keep using okhttp3 3.x for Presto -->
<okhttp3.version>3.14.9</okhttp3.version>
<!-- use okio version that matches the okhttp3 version -->
<okio.version>1.17.2</okio.version>
@dave2wave dave2wave (Member) Dec 3, 2021

Why is a different version of okio used in this pom from the main pom?

nicoloboschi (Contributor, Author)

This is the pom of presto-sql, which is going to be moved to the presto repository (see PIP-62).

I don't want to introduce potential problems here, so I left the current version for okhttp3 and okio (for okio: I forced the same one used by okhttp3).

@eolivelli eolivelli merged commit d24faac into apache:master Dec 9, 2021
eolivelli pushed a commit that referenced this pull request Dec 15, 2021
* Upgrade OkHttp3 from 3.14.9 to 4.9.3
* Upgrade Okio to the same version of OkHttp3 4.9.3
* Override Okio transitive dependency - Kotlin stdlib - to 1.4.32 in order to address CVE-2020-29582

(cherry picked from commit d24faac)
@eolivelli eolivelli added the cherry-picked/branch-2.9 and release/2.9.1 labels and removed the release/2.9.2 label Dec 15, 2021
fxbing pushed a commit to fxbing/pulsar that referenced this pull request Dec 19, 2021
nicoloboschi added a commit to datastax/pulsar that referenced this pull request Mar 16, 2022
Labels: area/security, cherry-picked/branch-2.9, doc-not-needed, release/2.9.1