Ivan Viaznikov created HDFS-16453:
-------------------------------------

             Summary: okhttp vulnerable library update
                 Key: HDFS-16453
                 URL: https://issues.apache.org/jira/browse/HDFS-16453
             Project: Hadoop HDFS
          Issue Type: Wish
          Components: hdfs-client
    Affects Versions: 3.3.1
            Reporter: Ivan Viaznikov


{{org.apache.hadoop:hadoop-hdfs-client}} comes with 
{{com.squareup.okhttp:okhttp:2.7.5}} as a dependency, which is vulnerable to an 
information disclosure issue due to how the contents of sensitive headers, such 
as the {{Authorization}} header, can be logged when an 
{{IllegalArgumentException}} is thrown.

This issue could allow an attacker or malicious user who has access to the logs 
to obtain the sensitive contents of the affected headers which could facilitate 
further attacks.

Fixed in {{5.0.0-alpha3}} by 
[this|https://github.com/square/okhttp/commit/dcc6483b7dc6d9c0b8e03ff7c30c13f3c75264a5]
 commit. The fix was cherry-picked and backported into {{4.9.2}} with 
[this|https://github.com/square/okhttp/commit/1fd7c0afdc2cee9ba982b07d49662af7f60e1518]
 commit.

Requesting you to clarify whether this dependency will be updated to a fixed version 
in the following releases.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-h...@hadoop.apache.org
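The leak described in the report is a pattern, not a single line of code: header-value validation rejects an illegal character and echoes the entire value into the exception message, which then lands in a log. The following self-contained Java example is added here to illustrate that pattern beside a hardened form that omits the value for credential-bearing headers; it is not okhttp's or Hadoop's code, and the class name, the `SENSITIVE` set, and the sample token are illustrative assumptions. One practical caveat for anyone planning the upgrade: okhttp 3.x and 4.x ship under the Maven coordinate `com.squareup.okhttp3:okhttp` and the package `okhttp3`, so moving from `com.squareup.okhttp:okhttp:2.7.5` to 4.9.2 is an API migration for the consuming code, not a version bump.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Illustrative HTTP header-value validation (added example, not okhttp code).
 * Both checks reject control characters and non-ASCII bytes; they differ only in
 * what the thrown IllegalArgumentException carries into the caller's logs.
 */
public final class HeaderValueCheck {

    // Assumed list of headers whose values must never reach an exception message.
    private static final Set<String> SENSITIVE = new HashSet<>(Arrays.asList(
            "authorization", "proxy-authorization", "cookie", "set-cookie"));

    private static boolean isIllegal(char c) {
        return (c <= '\u001f' && c != '\t') || c >= '\u007f';
    }

    /** Leaky pattern: the full header value is copied into the exception message. */
    static void checkValueLeaky(String name, String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (isIllegal(c)) {
                throw new IllegalArgumentException("Unexpected char 0x"
                        + Integer.toHexString(c) + " at " + i + " in " + name
                        + " value: " + value);
            }
        }
    }

    /** Hardened pattern: same check, but the value is redacted for sensitive headers. */
    static void checkValue(String name, String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (isIllegal(c)) {
                String detail = isSensitive(name) ? "" : ": " + value;
                throw new IllegalArgumentException("Unexpected char 0x"
                        + Integer.toHexString(c) + " at " + i + " in " + name
                        + " value" + detail);
            }
        }
    }

    static boolean isSensitive(String name) {
        return SENSITIVE.contains(name.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample: a bearer token with a trailing newline, the kind of
        // malformed value that trips the validator and triggers the exception path.
        String token = "Bearer example-token-value\n";

        try {
            checkValueLeaky("Authorization", token);
        } catch (IllegalArgumentException e) {
            // The message contains the whole token; a log line built from it leaks it.
            System.out.println("leaky  : " + e.getMessage().replace("\n", "\\n"));
        }

        try {
            checkValue("Authorization", token);
        } catch (IllegalArgumentException e) {
            // Same diagnostic position, no secret material.
            System.out.println("redacted: " + e.getMessage());
        }

        try {
            checkValue("X-Request-Id", "abc\u0000def");
        } catch (IllegalArgumentException e) {
            // Non-sensitive headers keep the value, which is what makes the message useful.
            System.out.println("plain   : " + e.getMessage().replace("\u0000", "\\0"));
        }
    }
}
```

Until the dependency is replaced, the practical check on a Hadoop deployment is at the logging layer rather than in okhttp: any `IllegalArgumentException` raised while building a request against the affected client should be logged by type and position only, and log-shipping rules should treat those messages as potentially containing `Authorization` material.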
