authorPamela Dragosh <pdragosh@research.att.com>2018-06-19 15:11:08 +0000
committerGerrit Code Review <gerrit@onap.org>2018-06-19 15:11:08 +0000
commit04c9f0fe95c3f750a2bd2b7142f8eebf5ee39381 (patch)
tree4b2f67ccd9ca8dc0da10a75898353bc4e52ab312 /plugins
parent28a639db40aaa98bcfdaf6c690780b727524b2b4 (diff)
parent54e09f566758b0176df3553cdec8a5e8f67efb0c (diff)
Merge "Fix security vul'y in Curator Locking Plugin"
Diffstat (limited to 'plugins')
-rw-r--r--plugins/plugins-context/context-locking/context-locking-curator/pom.xml31
1 files changed, 28 insertions, 3 deletions
diff --git a/plugins/plugins-context/context-locking/context-locking-curator/pom.xml b/plugins/plugins-context/context-locking/context-locking-curator/pom.xml
index d5d50e1a1..1094ced4e 100644
--- a/plugins/plugins-context/context-locking/context-locking-curator/pom.xml
+++ b/plugins/plugins-context/context-locking/context-locking-curator/pom.xml
@@ -34,12 +34,37 @@
<dependency>
<groupId>org.apache.curator</groupId>
<artifactId>curator-framework</artifactId>
- <version>4.0.0</version>
+ <version>4.0.1</version>
+ <exclusions>
+ <!-- The default Zookeeper version in Curator has vulnerabilities -->
+ <exclusion>
+ <groupId>org.apache.zookeeper</groupId>
+ <artifactId>zookeeper</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
<groupId>org.apache.curator</groupId>
<artifactId>curator-recipes</artifactId>
- <version>4.0.0</version>
+ <version>4.0.1</version>
+ </dependency>
+ <!-- The latest Zookeeper version fixes the vulnerabilities -->
+ <dependency>
+ <groupId>org.apache.zookeeper</groupId>
+ <artifactId>zookeeper</artifactId>
+ <version>3.5.4-beta</version>
+ <exclusions>
+ <!-- Zookeeper uses an ancient version of log4j -->
+ <exclusion>
+ <groupId>log4j</groupId>
+ <artifactId>log4j</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.curator</groupId>
+ <artifactId>curator-recipes</artifactId>
+ <version>4.0.1</version>
</dependency>
</dependencies>
-</project> \ No newline at end of file
+</project>
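Review bot: `curator-recipes` 4.0.1 is declared twice on the new side, once directly after `curator-framework` and again after the added `zookeeper` entry. Maven warns on duplicate declarations, and two copies invite version drift at the next bump, so the second `<dependency>` should be dropped. The two vulnerability comments name no advisory, so a later reader cannot tell when the 3.5.4-beta pin or the exclusion can be revisited; something like `<!-- Overrides Curator's transitive ZooKeeper; fixes ADVISORY-ID (placeholder) -->` would record that. The `log4j` exclusion is worth checking against the resolved tree with `mvn dependency:tree`: if ZooKeeper still brings in an SLF4J binding that targets log4j, that binding would presumably be left without its backend at runtime. The `<dependencies>` block opens outside this hunk, so other entries that pull in ZooKeeper or log4j transitively are not visible here.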