From 0549a5da10be0fb0c6c24b2d4dc412d8416a71c2 Mon Sep 17 00:00:00 2001
From: Mike Ludwig
Date: Fri, 11 Dec 2020 16:22:59 -0500
Subject: [PATCH] patch various CVEs
---
 common/scala/build.gradle | 32 ++++++++++++++++++++++++++++++++
 core/invoker/build.gradle | 4 +++-
 settings.gradle | 3 +++
 3 files changed, 38 insertions(+), 1 deletion(-)
diff --git a/common/scala/build.gradle b/common/scala/build.gradle
index 82f2a8c3df5..784e53814f1 100644
--- a/common/scala/build.gradle
+++ b/common/scala/build.gradle
@@ -98,6 +98,38 @@ dependencies {
 compile ("com.azure:azure-storage-blob:12.6.0") {
 exclude group: "com.azure", module: "azure-core-test"
 }
+
+ // https://nvd.nist.gov/vuln/detail/CVE-2015-5237
+ compile "com.google.protobuf:protobuf-java:${gradle.protobuf.version}"
+ compile "com.google.protobuf:protobuf-java-util:${gradle.protobuf.version}"
+
+ // https://nvd.nist.gov/vuln/detail/CVE-2017-18640
+ compile "org.yaml:snakeyaml:1.27"
+
+ // https://nvd.nist.gov/vuln/detail/CVE-2018-8023
+ compile "org.apache.mesos:mesos:1.4.3"
+
+ // https://nvd.nist.gov/vuln/detail/CVE-2018-20200
+ compile "com.squareup.okhttp3:okhttp:3.12.12"
+
+ // https://nvd.nist.gov/vuln/detail/CVE-2020-7014
+ compile "org.elasticsearch.client:elasticsearch-rest-client:6.8.13"
+
+ // https://nvd.nist.gov/vuln/detail/CVE-2020-11612
+ compile "io.netty:netty-buffer:${gradle.netty.version}"
+ compile "io.netty:netty-handler:${gradle.netty.version}"
+ compile "io.netty:netty-handler-proxy:${gradle.netty.version}"
+ compile "io.netty:netty-codec-socks:${gradle.netty.version}"
+ compile "io.netty:netty-codec-http:${gradle.netty.version}"
+ compile "io.netty:netty-codec-http2:${gradle.netty.version}"
+ compile "io.netty:netty-transport-native-epoll:${gradle.netty.version}"
+ compile "io.netty:netty-transport-native-unix-common:${gradle.netty.version}"
+
+ // https://nvd.nist.gov/vuln/detail/CVE-2020-13956
+ compile "org.apache.httpcomponents:httpclient:4.5.13"
+
+ // https://nvd.nist.gov/vuln/detail/CVE-2020-25649
+ compile "com.fasterxml.jackson.core:jackson-databind:2.10.5.1"
 }
 configurations {
diff --git a/core/invoker/build.gradle b/core/invoker/build.gradle
index 1bf29845ce1..e33ffdd50b2 100644
--- a/core/invoker/build.gradle
+++ b/core/invoker/build.gradle
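Review bot: The version pins added to the `dependencies` block in common/scala/build.gradle are declared as ordinary `compile` dependencies, so every library listed (mesos, okhttp, the Elasticsearch REST client, eight netty modules and the rest) becomes a first-level dependency of this module even where it was presumably only transitive before, and it stays on the classpath after whatever pulled it in is removed. If the Gradle version in use supports dependency constraints, a constraint states the same version floor without adding the dependency, e.g. `constraints { compile("org.yaml:snakeyaml:1.27") { because "CVE-2017-18640" } }`. The netty pin also covers only the eight modules named here; any other io.netty artifact in the resolved graph would keep its old version, so the `gradle dependencies` output is worth checking for a mixed netty set before relying on this as the CVE-2020-11612 fix. The enclosing `dependencies` block opens before this hunk.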
@@ -41,7 +41,9 @@ dependencies {
 compile ("org.apache.curator:curator-recipes:${gradle.curator.version}") {
 exclude group: 'org.apache.zookeeper', module:'zookeeper'
 }
- compile ("org.apache.zookeeper:zookeeper:3.4.11") {
+
+ // https://nvd.nist.gov/vuln/detail/CVE-2019-0201
+ compile ("org.apache.zookeeper:zookeeper:3.4.14") {
 exclude group: 'org.slf4j'
 exclude group: 'log4j'
 exclude group: 'jline'
diff --git a/settings.gradle b/settings.gradle
index 4792aa9d518..ad56471fcc5 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -68,3 +68,6 @@ gradle.ext.akka_management = [version : '1.0.5']
 gradle.ext.curator = [version : '4.0.0']
 gradle.ext.kube_client = [version: '4.4.2']
+
+gradle.ext.netty = [version : '4.1.55.Final']
+gradle.ext.protobuf = [version : '3.14.0']