Upgraded dependencies with CVEs (#2792)

(cherry picked from commit 354cf37)

bookkeeper-dist/all/build.gradle

@@ -71,7 +71,7 @@ def depLicences = [
         "scala-library-2.11.7/LICENSE.md",
         "scala-parser-combinators_2.11-1.0.4/LICENSE.md",
         "scala-reflect-2.11.8/LICENSE.md",
-        "slf4j-1.7.25/LICENSE.txt",
+        "slf4j-1.7.32/LICENSE.txt",
 ]
 
 distributions {

bookkeeper-dist/bkctl/build.gradle

@@ -40,7 +40,7 @@ def depLicences = [
         "bouncycastle-1.0.2/LICENSE.html",
         "protobuf-3.14.0/LICENSE",
         "protobuf-3.12.0/LICENSE",
-        "slf4j-1.7.25/LICENSE.txt",
+        "slf4j-1.7.32/LICENSE.txt",
 ]
 
 distributions {

bookkeeper-dist/server/build.gradle

@@ -64,7 +64,7 @@ def depLicences = [
         "bouncycastle-1.0.2/LICENSE.html",
         "protobuf-3.14.0/LICENSE",
         "protobuf-3.12.0/LICENSE",
-        "slf4j-1.7.25/LICENSE.txt",
+        "slf4j-1.7.32/LICENSE.txt",
 ]
 distributions {
     main {

bookkeeper-dist/src/assemble/bin-all.xml

@@ -66,7 +66,7 @@
         <include>scala-library-2.11.7/LICENSE.md</include>
         <include>scala-parser-combinators_2.11-1.0.4/LICENSE.md</include>
         <include>scala-reflect-2.11.8/LICENSE.md</include>
-        <include>slf4j-1.7.25/LICENSE.txt</include>
+        <include>slf4j-1.7.32/LICENSE.txt</include>
       </includes>
       <fileMode>644</fileMode>
     </fileSet>

bookkeeper-dist/src/assemble/bin-server.xml

@@ -56,7 +56,7 @@
         <include>bouncycastle-1.0.2/LICENSE.html</include>
         <include>protobuf-3.14.0/LICENSE</include>
         <include>protobuf-3.12.0/LICENSE</include>
-        <include>slf4j-1.7.25/LICENSE.txt</include>
+        <include>slf4j-1.7.32/LICENSE.txt</include>
       </includes>
       <fileMode>644</fileMode>
     </fileSet>

bookkeeper-dist/src/assemble/bkctl.xml

@@ -70,7 +70,7 @@
         <include>bouncycastle-1.0.2/LICENSE.html</include>
         <include>protobuf-3.14.0/LICENSE</include>
         <include>protobuf-3.12.0/LICENSE</include>
-        <include>slf4j-1.7.25/LICENSE.txt</include>
+        <include>slf4j-1.7.32/LICENSE.txt</include>
       </includes>
       <fileMode>644</fileMode>
     </fileSet>

bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt

@@ -214,7 +214,7 @@ Apache Software License, Version 2.
 - lib/commons-cli-commons-cli-1.2.jar [5]
 - lib/commons-codec-commons-codec-1.6.jar [6]
 - lib/commons-configuration-commons-configuration-1.10.jar [7]
-- lib/commons-io-commons-io-2.4.jar [8]
+- lib/commons-io-commons-io-2.7.jar [8]
 - lib/commons-lang-commons-lang-2.6.jar [9]
 - lib/commons-logging-commons-logging-1.1.1.jar [10]
 - lib/io.netty-netty-buffer-4.1.63.Final.jar [11]
@@ -248,12 +248,13 @@ Apache Software License, Version 2.
 - lib/org.apache.zookeeper-zookeeper-3.6.2.jar [21]
 - lib/org.apache.zookeeper-zookeeper-jute-3.6.2.jar [21]
 - lib/org.apache.zookeeper-zookeeper-3.6.2-tests.jar [21]
-- lib/org.eclipse.jetty-jetty-http-9.4.33.v20201020.jar [22]
-- lib/org.eclipse.jetty-jetty-io-9.4.33.v20201020.jar [22]
-- lib/org.eclipse.jetty-jetty-security-9.4.33.v20201020.jar [22]
-- lib/org.eclipse.jetty-jetty-server-9.4.33.v20201020.jar [22]
-- lib/org.eclipse.jetty-jetty-servlet-9.4.33.v20201020.jar [22]
-- lib/org.eclipse.jetty-jetty-util-9.4.33.v20201020.jar [22]
+- lib/org.eclipse.jetty-jetty-http-9.4.43.v20210629.jar [22]
+- lib/org.eclipse.jetty-jetty-io-9.4.43.v20210629.jar [22]
+- lib/org.eclipse.jetty-jetty-security-9.4.43.v20210629.jar [22]
+- lib/org.eclipse.jetty-jetty-server-9.4.43.v20210629.jar [22]
+- lib/org.eclipse.jetty-jetty-servlet-9.4.43.v20210629.jar [22]
+- lib/org.eclipse.jetty-jetty-util-9.4.43.v20210629.jar [22]
+- lib/org.eclipse.jetty-jetty-util-ajax-9.4.43.v20210629.jar [22]
 - lib/org.rocksdb-rocksdbjni-6.16.4.jar [23]
 - lib/com.beust-jcommander-1.78.jar [24]
 - lib/com.yahoo.datasketches-memory-0.8.3.jar [25]
@@ -322,7 +323,7 @@ Apache Software License, Version 2.
 [19] Source available at https://git-wip-us.apache.org/repos/asf?p=commons-collections.git;a=tag;h=a3a5ad
 [20] Source available at https://git-wip-us.apache.org/repos/asf?p=commons-lang.git;a=shortlog;h=refs/tags/LANG_3_6
 [21] Source available at https://github.com/apache/zookeeper/tree/release-3.6.2
-[22] Source available at https://github.com/eclipse/jetty.project/tree/jetty-9.4.33.v20201020
+[22] Source available at https://github.com/eclipse/jetty.project/tree/jetty-9.4.43.v20210629
 [23] Source available at https://github.com/facebook/rocksdb/tree/v6.16.4
 [24] Source available at https://github.com/cbeust/jcommander/tree/1.78
 [25] Source available at https://github.com/DataSketches/sketches-core/tree/sketches-0.8.3
@@ -634,12 +635,12 @@ Bundled as lib/javax.servlet-javax.servlet-api-4.0.0.jar
 Source available at https://github.com/javaee/servlet-spec/tree/4.0.0
 ------------------------------------------------------------------------------------
 This product bundles Simple Logging Facade for Java, which is available under a
-MIT license. For details, see deps/slf4j-1.7.25/LICENSE.txt.
+MIT license. For details, see deps/slf4j-1.7.32/LICENSE.txt.
 
 Bundled as
-  - lib/org.slf4j-slf4j-api-1.7.25.jar
-  - lib/org.slf4j-slf4j-log4j12-1.7.25.jar
-Source available at https://github.com/qos-ch/slf4j/tree/v_1.7.25
+  - lib/org.slf4j-slf4j-api-1.7.32.jar
+  - lib/org.slf4j-slf4j-log4j12-1.7.32.jar
+Source available at https://github.com/qos-ch/slf4j/tree/v_1.7.32
 ------------------------------------------------------------------------------------
 This product bundles the Google Auth Library, which is available under a "3-clause BSD"
 license. For details, see deps/google-auth-library-credentials-0.20.0/LICENSE

bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt

@@ -214,7 +214,7 @@ Apache Software License, Version 2.
 - lib/commons-cli-commons-cli-1.2.jar [5]
 - lib/commons-codec-commons-codec-1.6.jar [6]
 - lib/commons-configuration-commons-configuration-1.10.jar [7]
-- lib/commons-io-commons-io-2.4.jar [8]
+- lib/commons-io-commons-io-2.7.jar [8]
 - lib/commons-lang-commons-lang-2.6.jar [9]
 - lib/commons-logging-commons-logging-1.1.1.jar [10]
 - lib/io.netty-netty-buffer-4.1.63.Final.jar [11]
@@ -561,12 +561,12 @@ Source available at https://github.com/protocolbuffers/protobuf/tree/v3.12.0
 For details, see deps/protobuf-3.12.0/LICENSE.
 ------------------------------------------------------------------------------------
 This product bundles Simple Logging Facade for Java, which is available under a
-MIT license. For details, see deps/slf4j-1.7.25/LICENSE.txt.
+MIT license. For details, see deps/slf4j-1.7.32/LICENSE.txt.
 
 Bundled as
-  - lib/org.slf4j-slf4j-api-1.7.25.jar
-  - lib/org.slf4j-slf4j-log4j12-1.7.25.jar
-Source available at https://github.com/qos-ch/slf4j/tree/v_1.7.25
+  - lib/org.slf4j-slf4j-api-1.7.32.jar
+  - lib/org.slf4j-slf4j-log4j12-1.7.32.jar
+Source available at https://github.com/qos-ch/slf4j/tree/v_1.7.32
 ------------------------------------------------------------------------------------
 This product bundles the Google Auth Library, which is available under a "3-clause BSD"
 license. For details, see deps/google-auth-library-credentials-0.20.0/LICENSE

bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt

@@ -214,7 +214,7 @@ Apache Software License, Version 2.
 - lib/commons-cli-commons-cli-1.2.jar [5]
 - lib/commons-codec-commons-codec-1.6.jar [6]
 - lib/commons-configuration-commons-configuration-1.10.jar [7]
-- lib/commons-io-commons-io-2.4.jar [8]
+- lib/commons-io-commons-io-2.7.jar [8]
 - lib/commons-lang-commons-lang-2.6.jar [9]
 - lib/commons-logging-commons-logging-1.1.1.jar [10]
 - lib/io.netty-netty-buffer-4.1.63.Final.jar [11]
@@ -248,12 +248,13 @@ Apache Software License, Version 2.
 - lib/org.apache.zookeeper-zookeeper-3.6.2.jar [21]
 - lib/org.apache.zookeeper-zookeeper-jute-3.6.2.jar [21]
 - lib/org.apache.zookeeper-zookeeper-3.6.2-tests.jar [21]
-- lib/org.eclipse.jetty-jetty-http-9.4.33.v20201020.jar [22]
-- lib/org.eclipse.jetty-jetty-io-9.4.33.v20201020.jar [22]
-- lib/org.eclipse.jetty-jetty-security-9.4.33.v20201020.jar [22]
-- lib/org.eclipse.jetty-jetty-server-9.4.33.v20201020.jar [22]
-- lib/org.eclipse.jetty-jetty-servlet-9.4.33.v20201020.jar [22]
-- lib/org.eclipse.jetty-jetty-util-9.4.33.v20201020.jar [22]
+- lib/org.eclipse.jetty-jetty-http-9.4.43.v20210629.jar [22]
+- lib/org.eclipse.jetty-jetty-io-9.4.43.v20210629.jar [22]
+- lib/org.eclipse.jetty-jetty-security-9.4.43.v20210629.jar [22]
+- lib/org.eclipse.jetty-jetty-server-9.4.43.v20210629.jar [22]
+- lib/org.eclipse.jetty-jetty-servlet-9.4.43.v20210629.jar [22]
+- lib/org.eclipse.jetty-jetty-util-9.4.43.v20210629.jar [22]
+- lib/org.eclipse.jetty-jetty-util-ajax-9.4.43.v20210629.jar [22]
 - lib/org.rocksdb-rocksdbjni-6.16.4.jar [23]
 - lib/com.beust-jcommander-1.78.jar [24]
 - lib/com.yahoo.datasketches-memory-0.8.3.jar [25]
@@ -320,7 +321,7 @@ Apache Software License, Version 2.
 [19] Source available at https://git-wip-us.apache.org/repos/asf?p=commons-collections.git;a=tag;h=a3a5ad
 [20] Source available at https://git-wip-us.apache.org/repos/asf?p=commons-lang.git;a=shortlog;h=refs/tags/LANG_3_6
 [21] Source available at https://github.com/apache/zookeeper/tree/release-3.6.2
-[22] Source available at https://github.com/eclipse/jetty.project/tree/jetty-9.4.33.v20201020
+[22] Source available at https://github.com/eclipse/jetty.project/tree/jetty-9.4.43.v20210629
 [23] Source available at https://github.com/facebook/rocksdb/tree/v6.16.4
 [24] Source available at https://github.com/cbeust/jcommander/tree/1.78
 [25] Source available at https://github.com/DataSketches/sketches-core/tree/sketches-0.8.3
@@ -626,12 +627,12 @@ Bundled as lib/javax.servlet-javax.servlet-api-4.0.0.jar
 Source available at https://github.com/javaee/servlet-spec/tree/4.0.0
 ------------------------------------------------------------------------------------
 This product bundles Simple Logging Facade for Java, which is available under a
-MIT license. For details, see deps/slf4j-1.7.25/LICENSE.txt.
+MIT license. For details, see deps/slf4j-1.7.32/LICENSE.txt.
 
 Bundled as
-  - lib/org.slf4j-slf4j-api-1.7.25.jar
-  - lib/org.slf4j-slf4j-log4j12-1.7.25.jar
-Source available at https://github.com/qos-ch/slf4j/tree/v_1.7.25
+  - lib/org.slf4j-slf4j-api-1.7.32.jar
+  - lib/org.slf4j-slf4j-log4j12-1.7.32.jar
+Source available at https://github.com/qos-ch/slf4j/tree/v_1.7.32
 ------------------------------------------------------------------------------------
 This product bundles the Google Auth Library, which is available under a "3-clause BSD"
 license. For details, see deps/google-auth-library-credentials-0.20.0/LICENSE

bookkeeper-dist/src/main/resources/NOTICE-all.bin.txt

@@ -78,12 +78,13 @@ SoundCloud Ltd. (http://soundcloud.com/).
 This product includes software developed as part of the
 Ocelli project by Netflix Inc. (https://github.com/Netflix/ocelli/).
 ------------------------------------------------------------------------------------
-- lib/org.eclipse.jetty-jetty-http-9.4.33.v20201020.jar
-- lib/org.eclipse.jetty-jetty-io-9.4.33.v20201020.jar
-- lib/org.eclipse.jetty-jetty-security-9.4.33.v20201020.jar
-- lib/org.eclipse.jetty-jetty-server-9.4.33.v20201020.jar
-- lib/org.eclipse.jetty-jetty-servlet-9.4.33.v20201020.jar
-- lib/org.eclipse.jetty-jetty-util-9.4.33.v20201020.jar
+- lib/org.eclipse.jetty-jetty-http-9.4.43.v20210629.jar
+- lib/org.eclipse.jetty-jetty-io-9.4.43.v20210629.jar
+- lib/org.eclipse.jetty-jetty-security-9.4.43.v20210629jar
+- lib/org.eclipse.jetty-jetty-server-9.4.43.v20210629.jar
+- lib/org.eclipse.jetty-jetty-servlet-9.4.43.v20210629.jar
+- lib/org.eclipse.jetty-jetty-util-9.4.43.v20210629.jar
+- lib/org.eclipse.jetty-jetty-util-ajax-9.4.43.v20210629.jar
 
 ==============================================================
  Jetty Web Container
@@ -105,7 +106,7 @@ Jetty is dual licensed under both
 
 Jetty may be distributed under either license.
 
-lib/org.eclipse.jetty-jetty-util-9.4.33.v20201020.jar bundles UnixCrypt
+lib/org.eclipse.jetty-jetty-util-9.4.43.v20210629.jar bundles UnixCrypt
 
 The UnixCrypt.java code implements the one way cryptography used by
 Unix systems for simple password protection.  Copyright 1996 Aki Yoshida,

bookkeeper-dist/src/main/resources/NOTICE-server.bin.txt

@@ -61,12 +61,13 @@ SoundCloud Ltd. (http://soundcloud.com/).
 This product includes software developed as part of the
 Ocelli project by Netflix Inc. (https://github.com/Netflix/ocelli/).
 ------------------------------------------------------------------------------------
-- lib/org.eclipse.jetty-jetty-http-9.4.33.v20201020.jar
-- lib/org.eclipse.jetty-jetty-io-9.4.33.v20201020.jar
-- lib/org.eclipse.jetty-jetty-security-9.4.33.v20201020.jar
-- lib/org.eclipse.jetty-jetty-server-9.4.33.v20201020.jar
-- lib/org.eclipse.jetty-jetty-servlet-9.4.33.v20201020.jar
-- lib/org.eclipse.jetty-jetty-util-9.4.33.v20201020.jar
+- lib/org.eclipse.jetty-jetty-http-9.4.43.v20210629.jar
+- lib/org.eclipse.jetty-jetty-io-9.4.43.v20210629.jar
+- lib/org.eclipse.jetty-jetty-security-9.4.43.v20210629.jar
+- lib/org.eclipse.jetty-jetty-server-9.4.43.v20210629.jar
+- lib/org.eclipse.jetty-jetty-servlet-9.4.43.v20210629.jar
+- lib/org.eclipse.jetty-jetty-util-9.4.43.v20210629.jar
+- lib/org.eclipse.jetty-jetty-util-ajax-9.4.43.v20210629.jar
 
 ==============================================================
  Jetty Web Container
@@ -88,7 +89,7 @@ Jetty is dual licensed under both
 
 Jetty may be distributed under either license.
 
-lib/org.eclipse.jetty-jetty-util-9.4.33.v20201020.jar bundles UnixCrypt
+lib/org.eclipse.jetty-jetty-util-9.4.43.v20210629.jar bundles UnixCrypt
 
 The UnixCrypt.java code implements the one way cryptography used by
 Unix systems for simple password protection.  Copyright 1996 Aki Yoshida,

dependencies.gradle

@@ -25,13 +25,13 @@ depVersions = [
     arquillianCubeDocker: "1.18.2",
     arquillianJunit: "1.6.0.Final",
     bcFips: "1.0.2",
-    bouncycastle: "1.56",
+    bouncycastle: "1.69",
     commonsCli: "1.4",
     commonsCodec: "1.14",
     commonsCollections4: "4.1",
     commonsCompress: "1.19",
     commonsConfiguration: "1.10",
-    commonsIO: "2.4",
+    commonsIO: "2.7",
     commonsLang2: "2.6",
     commonsLang3: "3.6",
     commonsBeanutils: "1.9.3",
@@ -50,15 +50,15 @@ depVersions = [
     jackson: "2.11.1",
     jcommander: "1.78",
     jctools: "2.1.2",
-    jetty: "9.4.31.v20200723",
+    jetty: "9.4.43.v20210629",
     jmh: "1.19",
     jmock: "2.8.2",
     jna: "3.2.7",
     jsr305: "3.0.2",
     junit: "4.12",
     junitFoundation: "11.0.0",
     kerby: "1.1.1",
-    log4j: "1.2.17",
+    log4j: "1.2.27",
     lombok: "1.18.20",
     lz4: "1.3.0",
     mockito: "3.0.0",

pom.xml

@@ -122,7 +122,7 @@
     <commons-compress.version>1.19</commons-compress.version>
     <commons-lang.version>2.6</commons-lang.version>
     <commons-lang3.version>3.6</commons-lang3.version>
-    <commons-io.version>2.4</commons-io.version>
+    <commons-io.version>2.7</commons-io.version>
     <bouncycastle.version>1.0.2</bouncycastle.version>
     <curator.version>5.1.0</curator.version>
     <dropwizard.version>3.2.5</dropwizard.version>
@@ -138,7 +138,7 @@
     <hdrhistogram.version>2.1.10</hdrhistogram.version>
     <jackson.version>2.11.0</jackson.version>
     <jcommander.version>1.78</jcommander.version>
-    <jetty.version>9.4.33.v20201020</jetty.version>
+    <jetty.version>9.4.43.v20210629</jetty.version>
     <jmh.version>1.19</jmh.version>
     <jmock.version>2.8.2</jmock.version>
     <jna.version>3.2.7</jna.version>
@@ -160,7 +160,7 @@
     <reflections.version>0.9.11</reflections.version>
     <rocksdb.version>6.16.4</rocksdb.version>
     <shrinkwrap.version>3.0.1</shrinkwrap.version>
-    <slf4j.version>1.7.25</slf4j.version>
+    <slf4j.version>1.7.32</slf4j.version>
     <snakeyaml.version>1.19</snakeyaml.version>
     <spotbugs-annotations.version>3.1.8</spotbugs-annotations.version>
     <javax-annotations-api.version>1.3.2</javax-annotations-api.version>