[Backport 2.x] Fix CVE 2023 39410 (opensearch-project#12198)

* Force version of logback-core and logback-classic to 1.2.13 (opensearch-project#11521) * force version of logback-core and logback-classic to 1.2.13 Signed-off-by: Marc Handalian <marc.handalian@gmail.com> * add changelog Signed-off-by: Marc Handalian <marc.handalian@gmail.com> --------- Signed-off-by: Marc Handalian <marc.handalian@gmail.com> Signed-off-by: Kunal Kotwani <kkotwani@amazon.com> * Bump jetty version in hdfs-fixture to 9.4.53.v20231009 (opensearch-project#11539) * Bump jetty version in hdfs-fixture to 9.4.53.v20231009 Signed-off-by: Marc Handalian <marc.handalian@gmail.com> * fix changelog Signed-off-by: Marc Handalian <marc.handalian@gmail.com> --------- Signed-off-by: Marc Handalian <marc.handalian@gmail.com> Signed-off-by: Kunal Kotwani <kkotwani@amazon.com> * Exclude apache avro version included with hadoop-minicluster (opensearch-project#11564) Signed-off-by: Marc Handalian <marc.handalian@gmail.com> Signed-off-by: Kunal Kotwani <kkotwani@amazon.com> --------- Signed-off-by: Marc Handalian <marc.handalian@gmail.com> Signed-off-by: Kunal Kotwani <kkotwani@amazon.com> Co-authored-by: Marc Handalian <handalm@amazon.com>
ansjcy · Feb 6, 2024 · bf83859 · bf83859
1 parent 40ad938
commit bf83859
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -82,6 +82,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Bump `com.gradle.enterprise` from 3.14.1 to 3.16.2 ([#11339](https://github.com/opensearch-project/OpenSearch/pull/11339), [#11629](https://github.com/opensearch-project/OpenSearch/pull/11629), [#12056](https://github.com/opensearch-project/OpenSearch/pull/12056))
 - Bump `actions/setup-java` from 3 to 4 ([#11447](https://github.com/opensearch-project/OpenSearch/pull/11447))
 - Bump `org.apache.xmlbeans:xmlbeans` from 5.1.1 to 5.2.0 ([#11448](https://github.com/opensearch-project/OpenSearch/pull/11448))
+- Bump `logback-core` and `logback-classic` to 1.2.13 ([#11521](https://github.com/opensearch-project/OpenSearch/pull/11521))
+- Bumps `jetty` version from 9.4.52.v20230823 to 9.4.53.v20231009 ([#11539](https://github.com/opensearch-project/OpenSearch/pull/11539))
 - Bump `org.apache.maven:maven-model` from 3.9.4 to 3.9.6 ([#11445](https://github.com/opensearch-project/OpenSearch/pull/11445))
 - Bump `commons-net:commons-net` from 3.9.0 to 3.10.0 ([#11450](https://github.com/opensearch-project/OpenSearch/pull/11450))
 - Bump `org.apache.zookeeper:zookeeper` from 3.9.0 to 3.9.1 ([#10506](https://github.com/opensearch-project/OpenSearch/pull/10506))

diff --git a/test/fixtures/hdfs-fixture/build.gradle b/test/fixtures/hdfs-fixture/build.gradle
@@ -33,7 +33,7 @@ apply plugin: 'opensearch.java'
 group = 'hdfs'
 
 versions << [
-  'jetty': '9.4.52.v20230823'
+  'jetty': '9.4.53.v20231009'
 ]
 
 dependencies {
@@ -47,6 +47,9 @@ dependencies {
     exclude group: "com.squareup.okhttp3"
     exclude group: "org.xerial.snappy"
     exclude module: "json-io"
+    exclude module: "logback-core"
+    exclude module: "logback-classic"
+    exclude module: "avro"
   }
   api "org.codehaus.jettison:jettison:${versions.jettison}"
   api "org.apache.commons:commons-compress:${versions.commonscompress}"
@@ -66,6 +69,8 @@ dependencies {
   api 'org.apache.zookeeper:zookeeper:3.9.1'
   api "org.apache.commons:commons-text:1.11.0"
   api "commons-net:commons-net:3.10.0"
+  api "ch.qos.logback:logback-core:1.2.13"
+  api "ch.qos.logback:logback-classic:1.2.13"
   runtimeOnly "com.google.guava:guava:${versions.guava}"
   runtimeOnly("com.squareup.okhttp3:okhttp:4.12.0") {
     exclude group: "com.squareup.okio"