From 54e09f566758b0176df3553cdec8a5e8f67efb0c Mon Sep 17 00:00:00 2001
From: liamfallon <liam.fallon@ericsson.com>
Date: Tue, 19 Jun 2018 11:06:27 +0800
Subject: Fix security vul'y in Curator Locking Plugin

Increment the version of the Curator dependencies.
Upgrade the version of Zookeeper used by Curator tot he latest version.
Remove ancient log4j dependency from Zookeeper.

Issue-ID: POLICY-905
Change-Id: I103bd36404d3dc9c33bdd59585f67ba0fde349be
Signed-off-by: liamfallon <liam.fallon@ericsson.com>
---
 .../context-locking-curator/pom.xml                | 31 +++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/plugins/plugins-context/context-locking/context-locking-curator/pom.xml b/plugins/plugins-context/context-locking/context-locking-curator/pom.xml
index d5d50e1a1..1094ced4e 100644
--- a/plugins/plugins-context/context-locking/context-locking-curator/pom.xml
+++ b/plugins/plugins-context/context-locking/context-locking-curator/pom.xml
@@ -34,12 +34,37 @@
         <dependency>
             <groupId>org.apache.curator</groupId>
             <artifactId>curator-framework</artifactId>
-            <version>4.0.0</version>
+            <version>4.0.1</version>
+            <exclusions>
+                <!-- The default Zookeeper version in Curator has vulnerabilities -->
+                <exclusion>
+                    <groupId>org.apache.zookeeper</groupId>
+                    <artifactId>zookeeper</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.apache.curator</groupId>
             <artifactId>curator-recipes</artifactId>
-            <version>4.0.0</version>
+            <version>4.0.1</version>
+        </dependency>
+        <!-- The latest Zookeeper version fixes the vulnerabilities -->
+        <dependency>
+            <groupId>org.apache.zookeeper</groupId>
+            <artifactId>zookeeper</artifactId>
+            <version>3.5.4-beta</version>
+             <exclusions>
+            <!-- Zookeeper uses an ancient version of log4j -->
+                <exclusion>
+                    <groupId>log4j</groupId>
+                    <artifactId>log4j</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.curator</groupId>
+            <artifactId>curator-recipes</artifactId>
+            <version>4.0.1</version>
         </dependency>
     </dependencies>
-</project>
\ No newline at end of file
+</project>
-- 
cgit 1.2.3-korg