This is an automated email from the ASF dual-hosted git repository. stevel pushed a commit to branch branch-3.3 in repository https://gitbox.apache.org/repos/asf/hadoop.git
commit 591a35cdf6a60de028e37ef25fa8fd3a63809556
Author: PJ Fanning <pjfann...@users.noreply.github.com>
AuthorDate: Sat Nov 12 15:14:19 2022 +0100

HADOOP-18496. Upgrade okhttp3 and dependencies due to kotlin CVEs (#5035)

Updates okhttp3 and okio so their transitive dependency on Kotlin stdlib is free from recent CVEs.

okhttp3:okhttp => 4.10.0
okio:okio => 3.2.0
kotlin stdlib => 1.6.20

kotlin CVEs fixed:
CVE-2022-24329
CVE-2020-29582

Contributed by PJ Fanning.
---
 LICENSE-binary | 4 ++--
 .../hadoop-client-runtime/pom.xml | 2 ++
 hadoop-common-project/hadoop-common/pom.xml | 5 ++++
 hadoop-hdfs-project/hadoop-hdfs-client/pom.xml | 10 ++++++++
 hadoop-project/pom.xml | 28 ++++++++++++++++++----
 5 files changed, 43 insertions(+), 6 deletions(-)

diff --git a/LICENSE-binary b/LICENSE-binary
index c9be229299f..9c0311fb48d 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -243,8 +243,8 @@ com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.j2objc:j2objc-annotations:1.3
 com.microsoft.azure:azure-storage:7.0.1
 com.nimbusds:nimbus-jose-jwt:9.8.1
-com.squareup.okhttp3:okhttp:4.9.3
-com.squareup.okio:okio:2.8.0
+com.squareup.okhttp3:okhttp:4.10.0
+com.squareup.okio:okio:3.2.0
 com.yammer.metrics:metrics-core:2.2.0
 com.zaxxer:HikariCP-java7:2.4.12
 commons-beanutils:commons-beanutils:1.9.4
diff --git a/hadoop-client-modules/hadoop-client-runtime/pom.xml b/hadoop-client-modules/hadoop-client-runtime/pom.xml
index 9bbf3276d72..95f498b05b5 100644
--- a/hadoop-client-modules/hadoop-client-runtime/pom.xml
+++ b/hadoop-client-modules/hadoop-client-runtime/pom.xml
@@ -163,6 +163,8 @@
 <exclude>org.bouncycastle:*</exclude>
 <!-- Leave snappy that includes native methods which cannot be relocated. -->
 <exclude>org.xerial.snappy:*</exclude>
+ <!-- leave out kotlin classes -->
+ <exclude>org.jetbrains.kotlin:*</exclude>
 </excludes>
 </artifactSet>
 <filters>
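Review bot: The new `<exclude>org.jetbrains.kotlin:*</exclude>` removes the Kotlin stdlib from the shaded hadoop-client-runtime jar, but the comment `leave out kotlin classes` records neither the reason nor the consequence: if okhttp3 (which per the commit message now depends on kotlin-stdlib 1.6.20) is still bundled by this artifactSet, applications that reach the okhttp-backed code paths through hadoop-client-runtime will presumably need to supply a compatible kotlin-stdlib themselves or fail at class-load time. Whether okhttp3 and okio are also excluded cannot be told from this hunk, since the artifactSet starts outside it. I would replace the comment with one that states the intent and the contract, e.g. `<!-- Kotlin stdlib is deliberately not bundled; consumers that use the okhttp3-based paths must provide org.jetbrains.kotlin:kotlin-stdlib at a version with the CVE-2020-29582 fix (>= 1.4.21) themselves -->`, and confirm the relocated jar still loads those paths with kotlin-stdlib on the classpath.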
diff --git a/hadoop-common-project/hadoop-common/pom.xml b/hadoop-common-project/hadoop-common/pom.xml
index b1444cba2f2..54f56dae256 100644
--- a/hadoop-common-project/hadoop-common/pom.xml
+++ b/hadoop-common-project/hadoop-common/pom.xml
@@ -373,6 +373,11 @@
 <artifactId>mockwebserver</artifactId>
 <scope>test</scope>
 </dependency>
+ <dependency>
+ <groupId>com.squareup.okio</groupId>
+ <artifactId>okio-jvm</artifactId>
+ <scope>test</scope>
+ </dependency>
 <dependency>
 <groupId>dnsjava</groupId>
 <artifactId>dnsjava</artifactId>
diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/pom.xml b/hadoop-hdfs-project/hadoop-hdfs-client/pom.xml
index e45f1df0296..e2b1a212b63 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-client/pom.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs-client/pom.xml
@@ -37,6 +37,16 @@ https://maven.apache.org/xsd/maven-4.0.0.xsd">
 <dependency>
 <groupId>com.squareup.okhttp3</groupId>
 <artifactId>okhttp</artifactId>
+ <exclusions>
+ <exclusion>
+ <groupId>com.squareup.okio</groupId>
+ <artifactId>okio-jvm</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>com.squareup.okio</groupId>
+ <artifactId>okio-jvm</artifactId>
 </dependency>
 <dependency>
 <groupId>org.jetbrains.kotlin</groupId>
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index fb28624e9d4..cf68d749119 100644
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
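Review bot: The new `okio-jvm` exclusion on okhttp immediately followed by a direct `okio-jvm` dependency carries no comment, and a later reader will read an exclude-then-redeclare of the same artifact as a mistake rather than as the intended way to make the version managed in hadoop-project win over the okio release okhttp 4.10.0 declares. I would add `<!-- okio-jvm is excluded from okhttp and declared directly so that the version managed in hadoop-project (okio.version) is the only okio on the classpath -->` above the `<exclusions>` element. Because this runs okhttp against an okio release other than the one it declares, it is worth confirming with `mvn dependency:tree -Dincludes=com.squareup.okio,org.jetbrains.kotlin` that exactly one okio-jvm and one kotlin-stdlib version remain for hdfs-client. The `org.jetbrains.kotlin` dependency that follows the hunk, and its version management, are outside this view.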
@@ -135,9 +135,10 @@
 <hikari.version>2.4.12</hikari.version>
 <derby.version>10.14.2.0</derby.version>
 <mssql.version>6.2.1.jre7</mssql.version>
- <okhttp3.version>4.9.3</okhttp3.version>
- <kotlin-stdlib.verion>1.4.10</kotlin-stdlib.verion>
- <kotlin-stdlib-common.version>1.4.10</kotlin-stdlib-common.version>
+ <okhttp3.version>4.10.0</okhttp3.version>
+ <okio.version>3.2.0</okio.version>
+ <kotlin-stdlib.verion>1.6.20</kotlin-stdlib.verion>
+ <kotlin-stdlib-common.version>1.6.20</kotlin-stdlib-common.version>
 <jdom.version>1.1</jdom.version>
 <jna.version>5.2.0</jna.version>
 <gson.version>2.9.0</gson.version>
@@ -234,8 +235,17 @@
 <groupId>org.jetbrains.kotlin</groupId>
 <artifactId>kotlin-stdlib-common</artifactId>
 </exclusion>
+ <exclusion>
+ <groupId>com.squareup.okio</groupId>
+ <artifactId>okio-jvm</artifactId>
+ </exclusion>
 </exclusions>
 </dependency>
+ <dependency>
+ <groupId>com.squareup.okio</groupId>
+ <artifactId>okio-jvm</artifactId>
+ <version>${okio.version}</version>
+ </dependency>
 <dependency>
 <groupId>org.jetbrains.kotlin</groupId>
 <artifactId>kotlin-stdlib</artifactId>
@@ -255,8 +265,18 @@
 <dependency>
 <groupId>com.squareup.okhttp3</groupId>
 <artifactId>mockwebserver</artifactId>
- <version>4.9.3</version>
+ <version>${okhttp3.version}</version>
 <scope>test</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>com.squareup.okio</groupId>
+ <artifactId>okio-jvm</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.jetbrains.kotlin</groupId>
+ <artifactId>kotlin-stdlib-jdk8</artifactId>
+ </exclusion>
+ </exclusions>
 </dependency>
 <dependency>
 <groupId>jdiff</groupId>
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-commits-h...@hadoop.apache.org
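Review bot: The rewritten property `<kotlin-stdlib.verion>1.6.20</kotlin-stdlib.verion>` keeps the pre-existing misspelling `verion` while `<kotlin-stdlib-common.version>` next to it is spelled correctly; since this commit already touches the line, it is the cheapest moment to rename it to `<kotlin-stdlib.version>1.6.20</kotlin-stdlib.version>` together with its `${kotlin-stdlib.verion}` usages, which are not visible in this hunk. If the name must stay for downstream poms that override it, a comment saying so, e.g. `<!-- name kept misspelled for compatibility with poms that override it -->`, would stop the next reader from "fixing" it.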
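Review bot: The `okio-jvm` exclusion added in the second hunk sits inside a `<dependency>` whose coordinates start outside the hunk (presumably the okhttp entry, given the sibling kotlin exclusions), and the separately managed `okio-jvm:${okio.version}` means okhttp 4.10.0 will run against an okio release it does not itself declare; nothing in the change records that this override is intentional or which okio version okhttp expects. I would add `<!-- okio is managed separately (okio.version) and excluded from okhttp so that a single, CVE-clean okio-jvm is shipped; re-check the pairing whenever okhttp3.version changes -->` above the new exclusion. Note also that LICENSE-binary (first hunk of this commit) records `com.squareup.okio:okio:3.2.0` whereas the artifact actually managed here is `okio-jvm`; the binary-license list should name the coordinate that ends up in the distribution so that SBOM and CVE matching stay accurate.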
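Review bot: Excluding `kotlin-stdlib-jdk8` from mockwebserver in the third hunk leaves no managed version for that artifact anywhere in this change (only kotlin-stdlib and kotlin-stdlib-common are managed in the first hunk), so its fate depends on whether some other dependency still pulls it in: if none does, mockwebserver-based tests may fail at class-load time, and if one does at an older version, the stdlib CVE fix this commit exists for is undone on the test classpath. I would add `<artifactId>kotlin-stdlib-jdk8</artifactId>` with `<version>${kotlin-stdlib.verion}</version>` to dependencyManagement alongside kotlin-stdlib, and a comment on the exclusion naming which dependency is expected to provide it. Running `mvn dependency:tree -Dincludes=org.jetbrains.kotlin` across the modules that use mockwebserver would confirm the outcome.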