[Security] Upgrade OkHttp3 to address CVE-2021-0341 (apache#13065)

* Upgrade OkHttp3 from 3.14.9 to 4.9.3 * Upgrade Okio to the same version of OkHttp3 4.9.3 * Override Okio transitive dependency - Kotlin stdlib - to 1.4.32 in order to address CVE-2020-29582
fxbing · Dec 19, 2021 · e6cd5f3 · e6cd5f3
1 parent 5afaa0e
commit e6cd5f3
Show file tree

Hide file tree

Showing 3 changed files with 66 additions and 6 deletions.
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -446,12 +446,18 @@ The Apache Software License, Version 2.0
  * SnakeYaml -- org.yaml-snakeyaml-1.27.jar
  * RocksDB - org.rocksdb-rocksdbjni-6.10.2.jar
  * Google Error Prone Annotations - com.google.errorprone-error_prone_annotations-2.5.1.jar
- * Apache Thrifth - org.apache.thrift-libthrift-0.14.2.jar
+ * Apache Thrift - org.apache.thrift-libthrift-0.14.2.jar
  * OkHttp3
-     - com.squareup.okhttp3-logging-interceptor-3.14.9.jar
-     - com.squareup.okhttp3-okhttp-3.14.9.jar
- * Okio - com.squareup.okio-okio-1.17.2.jar
+     - com.squareup.okhttp3-logging-interceptor-4.9.3.jar
+     - com.squareup.okhttp3-okhttp-4.9.3.jar
+ * Okio - com.squareup.okio-okio-2.8.0.jar
  * Javassist -- org.javassist-javassist-3.25.0-GA.jar
+ * Kotlin Standard Lib
+     - org.jetbrains.kotlin-kotlin-stdlib-1.4.32.jar
+     - org.jetbrains.kotlin-kotlin-stdlib-common-1.4.32.jar
+     - org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.4.32.jar
+     - org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.4.32.jar
+     - org.jetbrains-annotations-13.0.jar
  * gRPC
     - io.grpc-grpc-all-1.33.0.jar
     - io.grpc-grpc-auth-1.33.0.jar

diff --git a/pom.xml b/pom.xml
@@ -192,9 +192,11 @@ flexible messaging model and an intuitive client API.</description>
     <jakarta.validation.version>2.0.2</jakarta.validation.version>
     <jna.version>4.2.0</jna.version>
     <kubernetesclient.version>12.0.1</kubernetesclient.version>
-    <okhttp3.version>3.14.9</okhttp3.version>
+    <okhttp3.version>4.9.3</okhttp3.version>
     <!-- use okio version that matches the okhttp3 version -->
-    <okio.version>1.17.2</okio.version>
+    <okio.version>2.8.0</okio.version>
+    <!-- override kotlin-stdlib used by okio in order to address CVE-2020-29582 -->
+    <kotlin-stdlib.version>1.4.32</kotlin-stdlib.version>
     <nsq-client.version>1.0</nsq-client.version>
     <cron-utils.version>9.1.3</cron-utils.version>
     <spring-context.version>5.3.1</spring-context.version>
@@ -1187,12 +1189,35 @@ flexible messaging model and an intuitive client API.</description>
         <artifactId>okhttp-urlconnection</artifactId>
         <version>${okhttp3.version}</version>
       </dependency>
+      <dependency>
+        <groupId>com.squareup.okhttp3</groupId>
+        <artifactId>logging-interceptor</artifactId>
+        <version>${okhttp3.version}</version>
+      </dependency>
       <dependency>
         <groupId>com.squareup.okio</groupId>
         <artifactId>okio</artifactId>
         <version>${okio.version}</version>
       </dependency>
 
+      <dependency>
+        <groupId>org.jetbrains.kotlin</groupId>
+        <artifactId>kotlin-stdlib</artifactId>
+        <version>${kotlin-stdlib.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.jetbrains.kotlin</groupId>
+        <artifactId>kotlin-stdlib-common</artifactId>
+        <version>${kotlin-stdlib.version}</version>
+      </dependency>
+
+      <dependency>
+        <groupId>org.jetbrains.kotlin</groupId>
+        <artifactId>kotlin-stdlib-jdk8</artifactId>
+        <version>${kotlin-stdlib.version}</version>
+      </dependency>
+
+
     </dependencies>
   </dependencyManagement>
 

diff --git a/pulsar-sql/pom.xml b/pulsar-sql/pom.xml
@@ -37,6 +37,13 @@
         <module>presto-distribution</module>
     </modules>
 
+    <properties>
+        <!-- keep using okhttp3 3.x for Presto -->
+        <okhttp3.version>3.14.9</okhttp3.version>
+        <!-- use okio version that matches the okhttp3 version -->
+        <okio.version>1.17.2</okio.version>
+    </properties>
+
     <dependencyManagement>
         <dependencies>
             <dependency>
@@ -104,6 +111,28 @@
                 <artifactId>jackson-datatype-jsr310</artifactId>
                 <version>${jackson.version}</version>
             </dependency>
+
+            <!-- keep using okhttp3 3.x for Presto -->
+            <dependency>
+                <groupId>com.squareup.okhttp3</groupId>
+                <artifactId>okhttp</artifactId>
+                <version>${okhttp3.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.squareup.okhttp3</groupId>
+                <artifactId>okhttp-urlconnection</artifactId>
+                <version>${okhttp3.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.squareup.okhttp3</groupId>
+                <artifactId>logging-interceptor</artifactId>
+                <version>${okhttp3.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.squareup.okio</groupId>
+                <artifactId>okio</artifactId>
+                <version>${okio.version}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>