[ https://issues.apache.org/jira/browse/HADOOP-18069?focusedWorklogId=762481&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-762481 ]
ASF GitHub Bot logged work on HADOOP-18069:
-------------------------------------------

Author: ASF GitHub Bot
Created on: 26/Apr/22 18:50
Start Date: 26/Apr/22 18:50
Worklog Time Spent: 10m
Work Description:
steveloughran commented on PR #4229:
URL: https://github.com/apache/hadoop/pull/4229#issuecomment-1110137354

commented.

* checkstyle needs to be happy, along with javac.
* spotbugs still thinks there is a problem. what is it that it is warning about?

I'm worried about adding kotlin everywhere. looking at the mvnrepo declarations it is (a) not optional and (b) about 1.5MB including transitive dependencies. so nothing much. my main concern is what pain does it cause downstream. we've had to tag this as an incompatible change just to add in the release notes about where it is used/needed.

Issue Time Tracking
-------------------
Worklog Id: (was: 762481)
Time Spent: 2h 10m (was: 2h)

> CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client
> -------------------------------------------------------
>
> Key: HADOOP-18069
> URL: https://issues.apache.org/jira/browse/HADOOP-18069
> Project: Hadoop Common
> Issue Type: Bug
> Components: hdfs-client
> Affects Versions: 3.3.1
> Reporter: Eugene Shinn (Truveta)
> Priority: Major
> Labels: pull-request-available
> Time Spent: 2h 10m
> Remaining Estimate: 0h
>
> Our static vulnerability scanner (Fortify On Demand) detected [NVD - CVE-2021-0341 (nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2021-0341#VulnChangeHistorySection] in our application. We traced the vulnerability to a transitive dependency coming from hadoop-hdfs-client, which depends on okhttp@2.7.5 ([hadoop/pom.xml at trunk · apache/hadoop (github.com)|https://github.com/apache/hadoop/blob/trunk/hadoop-project/pom.xml#L137]).
>
> To resolve this issue, okhttp should be upgraded to 4.9.2+ (ref: [CVE-2021-0341 · Issue #6724 · square/okhttp (github.com)|https://github.com/square/okhttp/issues/6724]).
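As an added example (not from the issue, PR #4229, or the Hadoop project), the script below does the tracing step the reporter describes: it parses `mvn dependency:tree` output and reports each flagged artifact together with the chain of parents that pulls it in, so a downstream consumer can see that okhttp 2.7.5 arrives via hadoop-hdfs-client rather than from their own pom. The sample tree, its artifact set and its version numbers are constructed assumptions, not a real build log. The flag table also encodes the caveat behind the kotlin discussion above: okhttp 2.x is published under the group com.squareup.okhttp, while 3.x and later ship as com.squareup.okhttp3:okhttp with the okhttp3 Java package (okhttp 4 being Kotlin-based and pulling in kotlin-stdlib), so a consumer cannot reach 4.9.2 with a dependencyManagement version override of the old coordinate; the artifact coordinate itself has to change, which is why the fix lands in the upstream pom.

```python
"""Trace flagged transitive dependencies in `mvn dependency:tree` output.

Added illustration for HADOOP-18069; not code from the issue or the Hadoop
project. SAMPLE_TREE is constructed to resemble the hdfs-client case.
"""
import re
from typing import Dict, List

# Constructed sample of `mvn dependency:tree` output (assumed artifacts and
# versions, modelled on the issue text; not copied from a real build).
SAMPLE_TREE = """\
[INFO] com.example:my-app:jar:1.0
[INFO] +- org.apache.hadoop:hadoop-hdfs-client:jar:3.3.1:compile
[INFO] |  +- com.squareup.okhttp:okhttp:jar:2.7.5:compile
[INFO] |  |  \\- com.squareup.okio:okio:jar:1.6.0:compile
[INFO] |  \\- org.apache.hadoop:hadoop-common:jar:3.3.1:compile
[INFO] \\- com.squareup.okhttp3:okhttp:jar:4.9.3:compile
[INFO]    \\- org.jetbrains.kotlin:kotlin-stdlib:jar:1.4.10:compile
"""

# okhttp 2.x lives under the com.squareup.okhttp group; every 3.x/4.x release
# is published as com.squareup.okhttp3:okhttp (Java package okhttp3). No
# version under the old group is fixed, so the whole coordinate is flagged
# and the remediation is a coordinate change, not a <version> override.
FLAGGED_COORDINATES = {
    ("com.squareup.okhttp", "okhttp"): "replace with com.squareup.okhttp3:okhttp 4.9.2 or later",
}

# Tree prefix is made of 3-character chunks: "+- ", "|  ", "\- ", "   ".
_LINE = re.compile(r"^\[INFO\] ((?:\+- |\|  |\\- |   )*)(\S+)$")


def parse_tree(text: str) -> List[Dict[str, object]]:
    """Return one record per node: depth, group, artifact, version, path."""
    nodes: List[Dict[str, object]] = []
    stack: List[str] = []  # group:artifact of each ancestor, indexed by depth
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue  # plugin banners, BUILD SUCCESS and similar chatter
        parts = m.group(2).split(":")
        if len(parts) < 4:
            continue  # separator lines such as "[INFO] ------"
        depth = len(m.group(1)) // 3
        group, artifact = parts[0], parts[1]
        # Root is group:artifact:type:version; children also carry a scope,
        # and an optional classifier sits before the version.
        version = parts[3] if len(parts) == 4 else parts[-2]
        del stack[depth:]
        stack.append(f"{group}:{artifact}")
        nodes.append({"depth": depth, "group": group, "artifact": artifact,
                      "version": version, "path": list(stack)})
    return nodes


def trace_flagged(text: str) -> List[Dict[str, object]]:
    """Report every flagged artifact with the dependency chain introducing it."""
    findings = []
    for node in parse_tree(text):
        key = (node["group"], node["artifact"])
        if key in FLAGGED_COORDINATES:
            path = node["path"]
            findings.append({
                "coordinate": f"{node['group']}:{node['artifact']}:{node['version']}",
                "version": node["version"],
                "introduced_by": path[-2] if len(path) > 1 else None,
                "path": path,
                "remediation": FLAGGED_COORDINATES[key],
            })
    return findings


if __name__ == "__main__":
    for f in trace_flagged(SAMPLE_TREE):
        print(f"{f['coordinate']} via {' -> '.join(f['path'])}; fix: {f['remediation']}")
```

On a real project, feed the script `mvn dependency:tree` output saved to a file; the `-Dincludes=com.squareup.okhttp` filter of the maven-dependency-plugin narrows the tree to that group when the full output is too noisy. The record's `introduced_by` field names the direct dependency a consumer would have to exclude or wait on an upstream fix for, which is the position the reporter was in with hadoop-hdfs-client.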
--
This message was sent by Atlassian Jira
(v8.20.7#820007)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org