[
https://issues.apache.org/jira/browse/HADOOP-19578?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18009320#comment-18009320
]
ASF GitHub Bot commented on HADOOP-19578:
-----------------------------------------
steveloughran commented on PR #7707:
URL: https://github.com/apache/hadoop/pull/7707#issuecomment-3109355354
well, we don't distribute it, but unless anybody is set up to test it, we
have to choose between "used to work but has cve" and "more secure but may not
work"
> Upgrade com.huaweicloud:esdk-obs-java for CVE-2023-3635
> -------------------------------------------------------
>
> Key: HADOOP-19578
> URL: https://issues.apache.org/jira/browse/HADOOP-19578
> Project: Hadoop Common
> Issue Type: Improvement
> Components: cloud-storage, huaweicloud
> Affects Versions: 3.3.6, 3.4.1
> Reporter: Yaniv Kunda
> Priority: Major
> Labels: pull-request-available
>
> The {{com.huaweicloud:esdk-obs-java}} dependency , used exclusively by the
> {{hadoop-huaweicloud}} uses {{com.squareup.okio:okio:1.17.2}} which has
> [CVE-2023-3635|https://nvd.nist.gov/vuln/detail/cve-2023-3635].
> Upgrading it will use a newer fixed version of {{okio}}, which will mitigate
> the vulnerability.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
