[fix][sec] Upgrade async-http-client to 2.12.4 to address CVE-2024-53990

(apache#23732) (cherry picked from commit 9a7269a) (cherry picked from commit 9c04964)
datastax · Dec 23, 2024 · 41eb828 · 41eb828
1 parent a494df5
commit 41eb828
Show file tree

Hide file tree

Showing 12 changed files with 18 additions and 25 deletions.
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -379,8 +379,8 @@ The Apache Software License, Version 2.0
  * AirCompressor
     - io.airlift-aircompressor-0.27.jar
  * AsyncHttpClient
-    - org.asynchttpclient-async-http-client-2.12.1.jar
-    - org.asynchttpclient-async-http-client-netty-utils-2.12.1.jar
+    - org.asynchttpclient-async-http-client-2.12.4.jar
+    - org.asynchttpclient-async-http-client-netty-utils-2.12.4.jar
  * Jetty
     - org.eclipse.jetty-jetty-client-9.4.56.v20240826.jar
     - org.eclipse.jetty-jetty-continuation-9.4.56.v20240826.jar
@@ -533,7 +533,7 @@ Protocol Buffers License
 
 CDDL-1.1 -- ../licenses/LICENSE-CDDL-1.1.txt
  * Java Annotations API
-    - com.sun.activation-javax.activation-1.2.0.jar
+    - com.sun.activation-jakarta.activation-1.2.2.jar
  * Java Servlet API -- javax.servlet-javax.servlet-api-3.1.0.jar
  * WebSocket Server API -- javax.websocket-javax.websocket-client-api-1.0.jar
  * HK2 - Dependency Injection Kernel

diff --git a/distribution/shell/src/assemble/LICENSE.bin.txt b/distribution/shell/src/assemble/LICENSE.bin.txt
@@ -392,8 +392,8 @@ The Apache Software License, Version 2.0
   * AirCompressor
      - aircompressor-0.27.jar
  * AsyncHttpClient
-    - async-http-client-2.12.1.jar
-    - async-http-client-netty-utils-2.12.1.jar
+    - async-http-client-2.12.4.jar
+    - async-http-client-netty-utils-2.12.4.jar
  * Jetty
     - jetty-client-9.4.56.v20240826.jar
     - jetty-http-9.4.56.v20240826.jar
@@ -423,7 +423,7 @@ MIT License
 
 CDDL-1.1 -- ../licenses/LICENSE-CDDL-1.1.txt
  * Java Annotations API
-    - javax.activation-1.2.0.jar
+    - jakarta.activation-1.2.2.jar
  * WebSocket Server API -- javax.websocket-client-api-1.0.jar
  * HK2 - Dependency Injection Kernel
     - hk2-api-2.6.1.jar

diff --git a/pom.xml b/pom.xml
@@ -212,7 +212,7 @@ flexible messaging model and an intuitive client API.</description>
     <prometheus-jmx.version>0.16.1</prometheus-jmx.version>
     <confluent.version>6.2.8</confluent.version>
     <aircompressor.version>0.27</aircompressor.version>
-    <asynchttpclient.version>2.12.1</asynchttpclient.version>
+    <asynchttpclient.version>2.12.4</asynchttpclient.version>
     <jcommander.version>1.82</jcommander.version>
     <commons-lang3.version>3.11</commons-lang3.version>
     <commons-configuration.version>1.10</commons-configuration.version>
@@ -231,7 +231,6 @@ flexible messaging model and an intuitive client API.</description>
     <lombok.version>1.18.32</lombok.version>
     <jakarta.annotation-api.version>1.3.5</jakarta.annotation-api.version>
     <jaxb-api>2.3.1</jaxb-api>
-    <javax.activation.version>1.2.0</javax.activation.version>
     <jakarta.activation.version>1.2.2</jakarta.activation.version>
     <jakarta.xml.bind.version>2.3.3</jakarta.xml.bind.version>
     <jakarta.validation.version>2.0.2</jakarta.validation.version>
@@ -1336,12 +1335,6 @@ flexible messaging model and an intuitive client API.</description>
         <version>${jakarta.xml.bind.version}</version>
       </dependency>
 
-      <dependency>
-        <groupId>com.sun.activation</groupId>
-        <artifactId>javax.activation</artifactId>
-        <version>${javax.activation.version}</version>
-      </dependency>
-
       <dependency>
         <groupId>com.sun.activation</groupId>
         <artifactId>jakarta.activation</artifactId>

diff --git a/pulsar-broker/pom.xml b/pulsar-broker/pom.xml
@@ -428,7 +428,7 @@
 
     <dependency>
       <groupId>com.sun.activation</groupId>
-      <artifactId>javax.activation</artifactId>
+      <artifactId>jakarta.activation</artifactId>
     </dependency>
 
     <dependency>

diff --git a/pulsar-client-admin-shaded/pom.xml b/pulsar-client-admin-shaded/pom.xml
@@ -111,7 +111,7 @@
                   <include>com.google.guava:guava</include>
                   <include>com.spotify:completable-futures</include>
                   <include>com.squareup.*:*</include>
-                  <include>com.sun.activation:javax.activation</include>
+                  <include>com.sun.activation:jakarta.activation</include>
                   <include>com.typesafe.netty:netty-reactive-streams</include>
                   <include>com.yahoo.datasketches:*</include>
                   <include>com.yahoo.datasketches:sketches-core</include>

diff --git a/pulsar-client-admin/pom.xml b/pulsar-client-admin/pom.xml
@@ -88,7 +88,7 @@
     </dependency>
     <dependency>
       <groupId>com.sun.activation</groupId>
-      <artifactId>javax.activation</artifactId>
+      <artifactId>jakarta.activation</artifactId>
       <scope>runtime</scope>
     </dependency>
 

diff --git a/pulsar-client-all/pom.xml b/pulsar-client-all/pom.xml
@@ -152,7 +152,7 @@
                   <include>com.google.j2objc:*</include>
                   <include>com.spotify:completable-futures</include>
                   <include>com.squareup.*:*</include>
-                  <include>com.sun.activation:javax.activation</include>
+                  <include>com.sun.activation:jakarta.activation</include>
                   <!-- Avro transitive dependencies -->
                   <include>com.thoughtworks.paranamer:paranamer</include>
                   <include>com.typesafe.netty:netty-reactive-streams</include>

diff --git a/pulsar-client-shaded/pom.xml b/pulsar-client-shaded/pom.xml
@@ -126,7 +126,7 @@
                   <include>com.google.guava:*</include>
                   <include>com.google.j2objc:*</include>
                   <include>com.spotify:completable-futures</include>
-                  <include>com.sun.activation:javax.activation</include>
+                  <include>com.sun.activation:jakarta.activation</include>
                   <!-- Avro transitive dependencies -->
                   <include>com.thoughtworks.paranamer:paranamer</include>
                   <include>com.typesafe.netty:netty-reactive-streams</include>

diff --git a/pulsar-proxy/pom.xml b/pulsar-proxy/pom.xml
@@ -134,7 +134,7 @@
 
     <dependency>
       <groupId>com.sun.activation</groupId>
-      <artifactId>javax.activation</artifactId>
+      <artifactId>jakarta.activation</artifactId>
     </dependency>
 
     <dependency>

diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
@@ -421,8 +421,8 @@ The Apache Software License, Version 2.0
   * JCTools
     - jctools-core-2.1.2.jar
   * Asynchronous Http Client
-    - async-http-client-2.12.1.jar
-    - async-http-client-netty-utils-2.12.1.jar
+    - async-http-client-2.12.4.jar
+    - async-http-client-netty-utils-2.12.4.jar
   * Apache Bookkeeper
     - bookkeeper-common-4.16.6.jar
     - bookkeeper-common-allocator-4.16.6.jar
@@ -527,7 +527,7 @@ CDDL - 1.0
 
 CDDL-1.1 -- licenses/LICENSE-CDDL-1.1.txt
  * Java Annotations API
-   - javax.activation-1.2.0.jar
+   - jakarta.activation-1.2.2.jar
    - javax.activation-api-1.2.0.jar
  * HK2 - Dependency Injection Kernel
    - hk2-api-2.6.1.jar

diff --git a/pulsar-sql/presto-distribution/pom.xml b/pulsar-sql/presto-distribution/pom.xml
@@ -38,7 +38,7 @@
     <objectsize.version>0.0.12</objectsize.version>
     <maven.version>3.0.5</maven.version>
     <guava.version>32.1.1-jre</guava.version>
-    <asynchttpclient.version>2.12.1</asynchttpclient.version>
+    <asynchttpclient.version>2.12.4</asynchttpclient.version>
     <errorprone.version>2.5.1</errorprone.version>
     <javax.servlet-api>4.0.1</javax.servlet-api>
   </properties>

diff --git a/tiered-storage/jcloud/pom.xml b/tiered-storage/jcloud/pom.xml
@@ -118,7 +118,7 @@
 
     <dependency>
       <groupId>com.sun.activation</groupId>
-      <artifactId>javax.activation</artifactId>
+      <artifactId>jakarta.activation</artifactId>
       <scope>runtime</scope>
     </dependency>