[ https://issues.apache.org/jira/browse/HADOOP-18069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17526304#comment-17526304 ]
Steve Loughran commented on HADOOP-18069: ----------------------------------------- not seen any response; i do see there was an earlier report HDFS-16453 i'm closing this as a duplicate. can you submit a pr against hadoop trunk upgrading the jar and we will see what happens...if yetus is happy i can merge, including into the 3.3.3 release we are about to do. thanks > CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client > ------------------------------------------------------- > > Key: HADOOP-18069 > URL: https://issues.apache.org/jira/browse/HADOOP-18069 > Project: Hadoop Common > Issue Type: Bug > Components: hdfs-client > Affects Versions: 3.3.1 > Reporter: Eugene Shinn (Truveta) > Priority: Major > > Our static vulnerability scanner (Fortify On Demand) detected [NVD - > CVE-2021-0341 > (nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2021-0341#VulnChangeHistorySection] > in our application. We traced the vulnerability to a transitive dependency > coming from hadoop-hdfs-client, which depends on okhttp@2.7.5 > ([hadoop/pom.xml at trunk · apache/hadoop > (github.com)|https://github.com/apache/hadoop/blob/trunk/hadoop-project/pom.xml#L137]). > To resolve this issue, okhttp should be upgraded to 4.9.2+ (ref: > [CVE-2021-0341 · Issue #6724 · square/okhttp > (github.com)|https://github.com/square/okhttp/issues/6724]). -- This message was sent by Atlassian Jira (v8.20.7#820007) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org