This is an automated email from the ASF dual-hosted git repository.

stevel pushed a commit to branch branch-3.3
in repository https://gitbox.apache.org/repos/asf/hadoop.git

commit 591a35cdf6a60de028e37ef25fa8fd3a63809556
Author: PJ Fanning <pjfann...@users.noreply.github.com>
AuthorDate: Sat Nov 12 15:14:19 2022 +0100

    HADOOP-18496. Upgrade okhttp3 and dependencies due to kotlin CVEs (#5035)
    
    Updates okhttp3 and okio so their transitive dependency on Kotlin
    stdlib is free from recent CVEs.
    
    okhttp3:okhttp => 4.10.0
    okio:okio => 3.2.0
    kotlin stdlib => 1.6.20
    
    kotlin CVEs fixed:
     CVE-2022-24329
     CVE-2020-29582
    
    Contributed by PJ Fanning.
---
 LICENSE-binary                                     |  4 ++--
 .../hadoop-client-runtime/pom.xml                  |  2 ++
 hadoop-common-project/hadoop-common/pom.xml        |  5 ++++
 hadoop-hdfs-project/hadoop-hdfs-client/pom.xml     | 10 ++++++++
 hadoop-project/pom.xml                             | 28 ++++++++++++++++++----
 5 files changed, 43 insertions(+), 6 deletions(-)

diff --git a/LICENSE-binary b/LICENSE-binary
index c9be229299f..9c0311fb48d 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -243,8 +243,8 @@ 
com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.j2objc:j2objc-annotations:1.3
 com.microsoft.azure:azure-storage:7.0.1
 com.nimbusds:nimbus-jose-jwt:9.8.1
-com.squareup.okhttp3:okhttp:4.9.3
-com.squareup.okio:okio:2.8.0
+com.squareup.okhttp3:okhttp:4.10.0
+com.squareup.okio:okio:3.2.0
 com.yammer.metrics:metrics-core:2.2.0
 com.zaxxer:HikariCP-java7:2.4.12
 commons-beanutils:commons-beanutils:1.9.4
diff --git a/hadoop-client-modules/hadoop-client-runtime/pom.xml 
b/hadoop-client-modules/hadoop-client-runtime/pom.xml
index 9bbf3276d72..95f498b05b5 100644
--- a/hadoop-client-modules/hadoop-client-runtime/pom.xml
+++ b/hadoop-client-modules/hadoop-client-runtime/pom.xml
@@ -163,6 +163,8 @@
                       <exclude>org.bouncycastle:*</exclude>
                       <!-- Leave snappy that includes native methods which 
cannot be relocated. -->
                       <exclude>org.xerial.snappy:*</exclude>
+                      <!-- leave out kotlin classes -->
+                      <exclude>org.jetbrains.kotlin:*</exclude>
                     </excludes>
                   </artifactSet>
                   <filters>
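Review bot: The new `<!-- leave out kotlin classes -->` comment at the top of the added lines says what is excluded but not why, whereas the neighbouring snappy exclude records its reason. If okhttp classes are still shaded into this artifact (not visible in the hunk), dropping `org.jetbrains.kotlin:*` means the Kotlin stdlib those classes need has to come from the consumer's classpath, and that expectation should be written down so a later maintainer does not "fix" the resulting NoClassDefFoundError by re-bundling an old stdlib. Something like `<!-- leave out kotlin classes: do not ship kotlin-stdlib in the shaded jar; a consumer that uses the shaded okhttp must supply its own (confirm this is the intent) -->`. The enclosing `<excludes>` list and the shade configuration start before the hunk.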
diff --git a/hadoop-common-project/hadoop-common/pom.xml 
b/hadoop-common-project/hadoop-common/pom.xml
index b1444cba2f2..54f56dae256 100644
--- a/hadoop-common-project/hadoop-common/pom.xml
+++ b/hadoop-common-project/hadoop-common/pom.xml
@@ -373,6 +373,11 @@
       <artifactId>mockwebserver</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>com.squareup.okio</groupId>
+      <artifactId>okio-jvm</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>dnsjava</groupId>
       <artifactId>dnsjava</artifactId>
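Review bot: The new test-scoped `okio-jvm` dependency at the added `<dependency>` block has no comment tying it to the reason it exists, which appears to be the `okio-jvm` exclusion placed on `mockwebserver` in hadoop-project's dependencyManagement elsewhere in this commit. Without that link the entry looks like an unused test dependency and is a candidate for removal in a future cleanup. A one-line comment above it would suffice: `<!-- okio-jvm is excluded from mockwebserver in hadoop-project; declare it here so tests resolve the managed okio version -->`. The version is intentionally inherited from hadoop-project, which is consistent with the sibling `mockwebserver` entry.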
diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/pom.xml 
b/hadoop-hdfs-project/hadoop-hdfs-client/pom.xml
index e45f1df0296..e2b1a212b63 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-client/pom.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs-client/pom.xml
@@ -37,6 +37,16 @@ https://maven.apache.org/xsd/maven-4.0.0.xsd";>
     <dependency>
       <groupId>com.squareup.okhttp3</groupId>
       <artifactId>okhttp</artifactId>
+      <exclusions>
+        <exclusion>
+          <groupId>com.squareup.okio</groupId>
+          <artifactId>okio-jvm</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>com.squareup.okio</groupId>
+      <artifactId>okio-jvm</artifactId>
     </dependency>
     <dependency>
       <groupId>org.jetbrains.kotlin</groupId>
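Review bot: The module-level `<exclusions>` added to the `okhttp` dependency duplicates the `okio-jvm` exclusion that this same commit adds to the managed `okhttp` entry in hadoop-project's dependencyManagement, so it looks redundant. Maven applies managed exclusions to a module dependency that declares none, so unless the module-level copy is there for a build that bypasses the parent's management, it can be dropped to keep the two declarations from drifting. If it is intentional, a comment such as `<!-- exclusion repeated here on purpose; see hadoop-project dependencyManagement -->` would stop the next reader from removing it. The `org.jetbrains.kotlin` dependency that begins at the last context line continues outside the hunk.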
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index fb28624e9d4..cf68d749119 100644
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
@@ -135,9 +135,10 @@
     <hikari.version>2.4.12</hikari.version>
     <derby.version>10.14.2.0</derby.version>
     <mssql.version>6.2.1.jre7</mssql.version>
-    <okhttp3.version>4.9.3</okhttp3.version>
-    <kotlin-stdlib.verion>1.4.10</kotlin-stdlib.verion>
-    <kotlin-stdlib-common.version>1.4.10</kotlin-stdlib-common.version>
+    <okhttp3.version>4.10.0</okhttp3.version>
+    <okio.version>3.2.0</okio.version>
+    <kotlin-stdlib.verion>1.6.20</kotlin-stdlib.verion>
+    <kotlin-stdlib-common.version>1.6.20</kotlin-stdlib-common.version>
     <jdom.version>1.1</jdom.version>
     <jna.version>5.2.0</jna.version>
     <gson.version>2.9.0</gson.version>
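Review bot: The re-declared property `<kotlin-stdlib.verion>1.6.20</kotlin-stdlib.verion>` carries forward the misspelling `verion` from the removed line, while the sibling `kotlin-stdlib-common.version` is spelled correctly. Because the property is presumably referenced as `${kotlin-stdlib.verion}` elsewhere in this pom, renaming it is a separate change rather than something to fold into a CVE bump, but it is worth a follow-up so the two Kotlin properties are named consistently.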
@@ -234,8 +235,17 @@
             <groupId>org.jetbrains.kotlin</groupId>
             <artifactId>kotlin-stdlib-common</artifactId>
           </exclusion>
+          <exclusion>
+            <groupId>com.squareup.okio</groupId>
+            <artifactId>okio-jvm</artifactId>
+          </exclusion>
         </exclusions>
       </dependency>
+      <dependency>
+        <groupId>com.squareup.okio</groupId>
+        <artifactId>okio-jvm</artifactId>
+        <version>${okio.version}</version>
+      </dependency>
       <dependency>
         <groupId>org.jetbrains.kotlin</groupId>
         <artifactId>kotlin-stdlib</artifactId>
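Review bot: The new managed `okio-jvm` dependency (`<version>${okio.version}</version>`) is added without any `<exclusions>`, while the managed `okhttp` entry just above it excludes `kotlin-stdlib-common` (context line) and now `okio-jvm`. okio-jvm has its own transitive Kotlin dependencies, so any Kotlin artifact it pulls in that is not itself managed to 1.6.20 in this pom would still arrive at the version okio chose, which undercuts the commit's purpose. Either mirror the okhttp exclusions on the okio-jvm entry or confirm with `mvn dependency:tree` that every `org.jetbrains.kotlin` artifact in the resolved tree is 1.6.20, and record the outcome in a comment on the entry. The kotlin-stdlib managed dependency at the end of the hunk continues outside it.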
@@ -255,8 +265,18 @@
       <dependency>
         <groupId>com.squareup.okhttp3</groupId>
         <artifactId>mockwebserver</artifactId>
-        <version>4.9.3</version>
+        <version>${okhttp3.version}</version>
         <scope>test</scope>
+        <exclusions>
+          <exclusion>
+            <groupId>com.squareup.okio</groupId>
+            <artifactId>okio-jvm</artifactId>
+          </exclusion>
+          <exclusion>
+            <groupId>org.jetbrains.kotlin</groupId>
+            <artifactId>kotlin-stdlib-jdk8</artifactId>
+          </exclusion>
+        </exclusions>
       </dependency>
       <dependency>
         <groupId>jdiff</groupId>
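Review bot: The `mockwebserver` exclusion of `kotlin-stdlib-jdk8` has no managed replacement visible in this commit, unlike `okio-jvm`, which hadoop-common re-adds as a test dependency. If mockwebserver 4.10.0 actually uses the jdk8 extension classes at test runtime, tests will fail to load them rather than at build time, so the exclusion should come with a comment stating where the jdk8 stdlib is expected to come from, e.g. `<!-- kotlin-stdlib-jdk8 excluded: supplied via the managed kotlin-stdlib at ${kotlin-stdlib.verion} (verify with dependency:tree) -->`. Switching the hard-coded `4.9.3` to `${okhttp3.version}` is a good consistency fix.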

