Bump up Jetty version to fix cve (#6861)

b850e5c6 · Zhenxu Ke · GitHub · ea0390e4 · b850e5c6 · b850e5c6
5 changed file
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -27,6 +27,7 @@ Release Notes.
 * Support alarm tags.
 * Support WeLink as a channel of alarm notification.
 * Fix: Some defensive codes didn't work in `PercentileFunction combine`.
+* CVE: fix Jetty vulnerability. https://nvd.nist.gov/vuln/detail/CVE-2019-17638
 #### UI
 * Add logo for kong plugin.

--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -246,7 +246,7 @@ The text of each license is the standard Apache 2.0 license.
    transport 5.5.0: https://github.com/elastic/elasticsearch/tree/master/client/transport , Apache 2.0
    securesm 1.1: https://github.com/elastic/securesm/blob/master/pom.xml , Apache 2.0
    LMAX Ltd.(disruptor) 3.3.6: https://github.com/LMAX-Exchange/disruptor , Apache 2.0
-    Eclipse (Jetty) 9.4.28.v20200408: https://www.eclipse.org/jetty/ , Apache 2.0 and Eclipse Public License 1.0
+    Eclipse (Jetty) 9.4.40.v20210413: https://www.eclipse.org/jetty/ , Apache 2.0 and Eclipse Public License 1.0
    SnakeYAML 1.18: http://www.snakeyaml.org , Apache 2.0
    Joda-Time 2.10.5: http://www.joda.org/joda-time/ , Apache 2.0
    Joda-Convert 2.2.1: http://www.joda.org/joda-convert/ , Apache 2.0

--- a/oap-server/pom.xml
+++ b/oap-server/pom.xml
@@ -62,7 +62,7 @@
        <graphql-java.version>8.0</graphql-java.version>
        <zookeeper.version>3.4.10</zookeeper.version>
        <netty-tcnative-boringssl-static.version>2.0.26.Final</netty-tcnative-boringssl-static.version>
-        <jetty.version>9.4.28.v20200408</jetty.version>
+        <jetty.version>9.4.40.v20210413</jetty.version>
        <h2.version>1.4.196</h2.version>
        <commons-dbcp.version>1.4</commons-dbcp.version>
        <commons-io.version>2.6</commons-io.version>

--- a/tools/dependencies/known-oap-backend-dependencies-es7.txt
+++ b/tools/dependencies/known-oap-backend-dependencies-es7.txt
@@ -86,12 +86,13 @@ javassist-3.25.0-GA.jar
 javax.inject-1.jar
 javax.servlet-api-3.1.0.jar
 jcl-over-slf4j-1.7.25.jar
-jetty-http-9.4.28.v20200408.jar
+jetty-http-9.4.40.v20210413.jar
-jetty-io-9.4.28.v20200408.jar
+jetty-io-9.4.40.v20210413.jar
-jetty-security-9.4.28.v20200408.jar
+jetty-security-9.4.40.v20210413.jar
-jetty-server-9.4.28.v20200408.jar
+jetty-server-9.4.40.v20210413.jar
-jetty-servlet-9.4.28.v20200408.jar
+jetty-servlet-9.4.40.v20210413.jar
-jetty-util-9.4.28.v20200408.jar
+jetty-util-9.4.40.v20210413.jar
+jetty-util-ajax-9.4.40.v20210413.jar
 jline-0.9.94.jar
 jna-4.5.1.jar
 joda-convert-2.2.1.jar
@@ -174,4 +175,4 @@ snappy-java-1.1.7.3.jar
 zstd-jni-1.4.3-1.jar
 mvel2-2.4.8.Final.jar
 commons-beanutils-1.9.4.jar
 postgresql-42.2.18.jar
\ No newline at end of file
--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -80,12 +80,13 @@ javassist-3.25.0-GA.jar
 javax.inject-1.jar
 javax.servlet-api-3.1.0.jar
 jcl-over-slf4j-1.7.25.jar
-jetty-http-9.4.28.v20200408.jar
+jetty-http-9.4.40.v20210413.jar
-jetty-io-9.4.28.v20200408.jar
+jetty-io-9.4.40.v20210413.jar
-jetty-security-9.4.28.v20200408.jar
+jetty-security-9.4.40.v20210413.jar
-jetty-server-9.4.28.v20200408.jar
+jetty-server-9.4.40.v20210413.jar
-jetty-servlet-9.4.28.v20200408.jar
+jetty-servlet-9.4.40.v20210413.jar
-jetty-util-9.4.28.v20200408.jar
+jetty-util-9.4.40.v20210413.jar
+jetty-util-ajax-9.4.40.v20210413.jar
 jline-0.9.94.jar
 jna-4.5.1.jar
 joda-convert-2.2.1.jar
@@ -169,4 +170,4 @@ snappy-java-1.1.7.3.jar
 zstd-jni-1.4.3-1.jar
 mvel2-2.4.8.Final.jar
 commons-beanutils-1.9.4.jar
 postgresql-42.2.18.jar
\ No newline at end of file