https://square.github.io/okhttp/changelog/
The latest stable release is 4.9.1, which was published on 2021.1.30.

https://github.com/square/okhttp/commits/master
And there are still lots of commits recently.

I'm not saying we should not remove it in hadoop, just want to point out that it is still under development and maintenance...

Thanks.

Steve Loughran <ste...@cloudera.com.invalid> wrote on Fri, Jan 7, 2022 at 22:40:

> okhttp was last updated in 2017
>
> why use this over httpclient? it's only used in a couple of places and
> removing it entirely would make this problem go away forever
>
> ---------- Forwarded message ---------
> From: Eugene Shinn (Truveta) (Jira) <j...@apache.org>
> Date: Wed, 5 Jan 2022 at 19:48
> Subject: [jira] [Created] (HADOOP-18069) CVE-2021-0341 in okhttp@2.7.5
> detected in hdfs-client
> To: <common-...@hadoop.apache.org>
>
> Eugene Shinn (Truveta) created HADOOP-18069:
> -----------------------------------------------
>
> Summary: CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client
> Key: HADOOP-18069
> URL: https://issues.apache.org/jira/browse/HADOOP-18069
> Project: Hadoop Common
> Issue Type: Bug
> Components: hdfs-client
> Affects Versions: 3.3.1
> Reporter: Eugene Shinn (Truveta)
>
> Our static vulnerability scanner (Fortify On Demand) detected [NVD -
> CVE-2021-0341 (nist.gov)|
> https://nvd.nist.gov/vuln/detail/CVE-2021-0341#VulnChangeHistorySection] in
> our application. We traced the vulnerability to a transitive dependency
> coming from hadoop-hdfs-client, which depends on okhttp@2.7.5
> ([hadoop/pom.xml at trunk · apache/hadoop (github.com)|
> https://github.com/apache/hadoop/blob/trunk/hadoop-project/pom.xml#L137]).
> To resolve this issue, okhttp should be upgraded to 4.9.2+ (ref:
> [CVE-2021-0341 · Issue #6724 · square/okhttp (github.com)|
> https://github.com/square/okhttp/issues/6724]).