[ 
https://issues.apache.org/jira/browse/HADOOP-18069?focusedWorklogId=762481&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-762481
 ]

ASF GitHub Bot logged work on HADOOP-18069:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 26/Apr/22 18:50
            Start Date: 26/Apr/22 18:50
    Worklog Time Spent: 10m 
      Work Description: steveloughran commented on PR #4229:
URL: https://github.com/apache/hadoop/pull/4229#issuecomment-1110137354

   commented.
   * checkstyle needs to be happy, along with javac.
   * spotbugs still thinks there is a problem. what is it that it is warning about?

   I'm worried about adding kotlin everywhere. looking at the mvnrepo declarations it is (a) not optional and (b) about 1.5MB including transitive dependencies. so nothing much. my main concern is what pain does it cause downstream. we've had to tag this as an incompatible change just to add in the release notes about where it is used/needed
Issue Time Tracking
-------------------

    Worklog Id:     (was: 762481)
    Time Spent: 2h 10m  (was: 2h)

> CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client  
> -------------------------------------------------------
>
>                 Key: HADOOP-18069
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18069
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: hdfs-client
>    Affects Versions: 3.3.1
>            Reporter: Eugene Shinn (Truveta)
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 2h 10m
>  Remaining Estimate: 0h
>
> Our static vulnerability scanner (Fortify On Demand) detected
> [NVD - CVE-2021-0341 (nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2021-0341#VulnChangeHistorySection]
> in our application. We traced the vulnerability to a transitive dependency
> coming from hadoop-hdfs-client, which depends on okhttp@2.7.5
> ([hadoop/pom.xml at trunk · apache/hadoop (github.com)|https://github.com/apache/hadoop/blob/trunk/hadoop-project/pom.xml#L137]).
> To resolve this issue, okhttp should be upgraded to 4.9.2+ (ref:
> [CVE-2021-0341 · Issue #6724 · square/okhttp (github.com)|https://github.com/square/okhttp/issues/6724]).



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
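Added example, not code from the Hadoop project or from PR #4229: a scanner over the text that `mvn dependency:tree` prints, reporting every dependency path that ends in an okhttp artifact older than the 4.9.2 release the ticket names as fixed. This is how a consumer confirms a scanner finding like the one above, and which module drags the old version in. The sample tree is constructed; the hadoop-hdfs-client -> okhttp 2.7.5 -> okio chain follows the ticket, the other entries (including a second, newer okhttp that pulls in kotlin-stdlib, the transitive dependency the comment worries about) are filler. One caveat the scanner reflects: okhttp 2.x and 3.x/4.x are published under different Maven groupIds (`com.squareup.okhttp` vs `com.squareup.okhttp3`), so a `dependencyManagement` pin on the old coordinates cannot move a build to 4.9.2; both groupIds are matched here. The version ordering is an approximation of Maven's, not the real ComparableVersion.

```python
"""Report paths to a vulnerable okhttp in `mvn dependency:tree` output.

Added example, not Hadoop project code. Parses the text that
`mvn dependency:tree` prints and reports every dependency path that ends
in an okhttp artifact older than the release the ticket names as fixed.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Fixed release quoted in HADOOP-18069 for CVE-2021-0341.
FIXED_OKHTTP = "4.9.2"
# okhttp 2.x and 3.x/4.x use different groupIds, so both must be matched;
# a dependencyManagement pin on the old coordinates cannot reach 4.9.2.
OKHTTP_ARTIFACTS = ("com.squareup.okhttp:okhttp", "com.squareup.okhttp3:okhttp")

# Constructed sample of `mvn dependency:tree` output (not a real build log).
# The hadoop-hdfs-client -> okhttp 2.7.5 chain follows the ticket; the
# second okhttp (4.9.3, pulling in kotlin-stdlib) and the rest are filler.
SAMPLE_TREE = """\\
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ myapp ---
[INFO] com.example:myapp:jar:1.0.0
[INFO] +- org.apache.hadoop:hadoop-hdfs-client:jar:3.3.1:compile
[INFO] |  +- com.squareup.okhttp:okhttp:jar:2.7.5:compile
[INFO] |  |  \\- com.squareup.okio:okio:jar:1.6.0:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2:compile
[INFO] +- com.squareup.okhttp3:okhttp:jar:4.9.3:compile
[INFO] |  \\- org.jetbrains.kotlin:kotlin-stdlib:jar:1.4.10:compile
[INFO] \\- junit:junit:jar:4.13.2:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""

# Tree line: optional nesting prefix (3 chars per level), an optional
# "+- " / "\\- " branch glyph, then the coordinate with no spaces.
_TREE_LINE = re.compile(r"^((?:\|  |   )*)([+\\]- )?(\S+)$")


@dataclass(frozen=True)
class Artifact:
    group_artifact: str   # groupId:artifactId
    version: str
    scope: str            # empty for the root project


def parse_coordinate(coord: str) -> Artifact:
    """Split a Maven coordinate as printed by dependency:tree."""
    f = coord.split(":")
    ga = f"{f[0]}:{f[1]}"
    if len(f) == 4:                      # root: g:a:packaging:version
        return Artifact(ga, f[3], "")
    if len(f) == 5:                      # g:a:packaging:version:scope
        return Artifact(ga, f[3], f[4])
    if len(f) == 6:                      # g:a:packaging:classifier:version:scope
        return Artifact(ga, f[4], f[5])
    raise ValueError(f"unrecognised coordinate: {coord}")


def parse_tree(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (depth, coordinate) for each artifact line; depth 0 is the root."""
    for raw in text.splitlines():
        if not raw.startswith("[INFO] "):
            continue
        m = _TREE_LINE.match(raw[len("[INFO] "):])
        if not m or m.group(3).count(":") < 3:
            continue                     # banner, separator or status line
        prefix, glyph, coord = m.groups()
        yield len(prefix) // 3 + (1 if glyph else 0), coord


def version_key(version: str) -> Tuple:
    """Approximate Maven ordering: numeric segments compare as integers,
    4.9 == 4.9.0, and a qualifier (-rc1, -SNAPSHOT) sorts below the release."""
    parts = [(1, int(s), "") if s.isdigit() else (0, 0, s.lower())
             for s in re.split(r"[.-]", version) if s]
    return tuple(parts + [(1, 0, "")] * (8 - len(parts)))


def vulnerable_paths(tree_text: str, fixed: str = FIXED_OKHTTP) -> List[str]:
    """Return 'root -> ... -> okhttp:<version>' for every okhttp below `fixed`."""
    stack: List[str] = []
    hits: List[str] = []
    for depth, coord in parse_tree(tree_text):
        art = parse_coordinate(coord)
        del stack[depth:]                # pop back to this node's parent
        stack.append(f"{art.group_artifact}:{art.version}")
        if art.group_artifact in OKHTTP_ARTIFACTS and version_key(art.version) < version_key(fixed):
            hits.append(" -> ".join(stack))
    return hits


if __name__ == "__main__":
    # Real use: mvn dependency:tree > tree.txt ; python scan.py < tree.txt
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for path in vulnerable_paths(text):
        print("AFFECTED:", path)
```

Run against the sample it reports the single 2.7.5 occurrence under hadoop-hdfs-client and stays quiet about the 4.9.3 one. Because the path is reconstructed from the tree's indentation, the output tells you which direct dependency to exclude or upgrade rather than just that a bad version exists somewhere; remember that Maven's nearest-wins mediation means the version actually on the classpath is the one at the shallowest depth, so check the depth of any hit against other copies of the same artifact.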
