[jira] [Work logged] (HADOOP-18069) CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/HADOOP-18069?focusedWorklogId=761475&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-761475
 ]

ASF GitHub Bot logged work on HADOOP-18069:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 24/Apr/22 17:03
            Start Date: 24/Apr/22 17:03
    Worklog Time Spent: 10m 
      Work Description: steveloughran commented on PR #4229:
URL: https://github.com/apache/hadoop/pull/4229#issuecomment-1107879441

   the spotbugs failures are probably less a regression the lib as improved 
nullable declarations in the API letting spotbugs know the code is bad. that 
bit of okta api use needs to handle null responses better. probably it should 
check the return type is text/json, as some oauth endpoints (hello microsoft 
live) will return 200 and human-friendly html on auth problems. 




Issue Time Tracking
-------------------

    Worklog Id:     (was: 761475)
    Time Spent: 0.5h  (was: 20m)

> CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client  
> -------------------------------------------------------
>
>                 Key: HADOOP-18069
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18069
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: hdfs-client
>    Affects Versions: 3.3.1
>            Reporter: Eugene Shinn (Truveta)
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Our static vulnerability scanner (Fortify On Demand) detected [NVD - 
> CVE-2021-0341 
> (nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2021-0341#VulnChangeHistorySection]
>  in our application. We traced the vulnerability to a transitive dependency 
> coming from hadoop-hdfs-client, which depends on okhttp@2.7.5 
> ([hadoop/pom.xml at trunk · apache/hadoop 
> (github.com)|https://github.com/apache/hadoop/blob/trunk/hadoop-project/pom.xml#L137]).
>  To resolve this issue, okhttp should be upgraded to 4.9.2+ (ref: 
> [CVE-2021-0341 · Issue #6724 · square/okhttp 
> (github.com)|https://github.com/square/okhttp/issues/6724]).



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org