From: liamfallon <liam.fallon@ericsson.com>
Date: Tue, 19 Jun 2018 03:06:27 +0000 (+0800)
Subject: Fix security vul'y in Curator Locking Plugin
X-Git-Tag: 2.0.0~118^2
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=54e09f566758b0176df3553cdec8a5e8f67efb0c;p=policy%2Fapex-pdp.git

Fix security vul'y in Curator Locking Plugin

Increment the version of the Curator dependencies.
Upgrade the version of Zookeeper used by Curator tot he latest version.
Remove ancient log4j dependency from Zookeeper.

Issue-ID: POLICY-905
Change-Id: I103bd36404d3dc9c33bdd59585f67ba0fde349be
Signed-off-by: liamfallon <liam.fallon@ericsson.com>
---

diff --git a/plugins/plugins-context/context-locking/context-locking-curator/pom.xml b/plugins/plugins-context/context-locking/context-locking-curator/pom.xml
index d5d50e1a1..1094ced4e 100644
--- a/plugins/plugins-context/context-locking/context-locking-curator/pom.xml
+++ b/plugins/plugins-context/context-locking/context-locking-curator/pom.xml
@@ -34,12 +34,37 @@
         <dependency>
             <groupId>org.apache.curator</groupId>
             <artifactId>curator-framework</artifactId>
-            <version>4.0.0</version>
+            <version>4.0.1</version>
+            <exclusions>
+                <!-- The default Zookeeper version in Curator has vulnerabilities -->
+                <exclusion>
+                    <groupId>org.apache.zookeeper</groupId>
+                    <artifactId>zookeeper</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.apache.curator</groupId>
             <artifactId>curator-recipes</artifactId>
-            <version>4.0.0</version>
+            <version>4.0.1</version>
+        </dependency>
+        <!-- The latest Zookeeper version fixes the vulnerabilities -->
+        <dependency>
+            <groupId>org.apache.zookeeper</groupId>
+            <artifactId>zookeeper</artifactId>
+            <version>3.5.4-beta</version>
+             <exclusions>
+            <!-- Zookeeper uses an ancient version of log4j -->
+                <exclusion>
+                    <groupId>log4j</groupId>
+                    <artifactId>log4j</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.curator</groupId>
+            <artifactId>curator-recipes</artifactId>
+            <version>4.0.1</version>
         </dependency>
     </dependencies>
-</project>
\ No newline at end of file
+</project>