[jira] [Work logged] (HADOOP-18069) CVE-2021-0341 in [email protected] detected in hdfs-client

Thu, 28 Apr 2022 08:17:13 -0700 


     [ 
https://issues.apache.org/jira/browse/HADOOP-18069?focusedWorklogId=763584&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-763584
 ]

ASF GitHub Bot logged work on HADOOP-18069:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 28/Apr/22 15:16
            Start Date: 28/Apr/22 15:16
    Worklog Time Spent: 10m 
      Work Description: aajisaka commented on code in PR #4229:
URL: https://github.com/apache/hadoop/pull/4229#discussion_r860506282


##########
LICENSE-binary:
##########
@@ -242,6 +242,7 @@ 
com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.microsoft.azure:azure-storage:7.0.0
 com.nimbusds:nimbus-jose-jwt:9.8.1
 com.squareup.okhttp:okhttp:2.7.5

Review Comment:
   Would you remove the line `com.squareup.okhttp:okhttp:2.7.5`?





Issue Time Tracking
-------------------

    Worklog Id:     (was: 763584)
    Time Spent: 3h 40m  (was: 3.5h)

> CVE-2021-0341 in [email protected] detected in hdfs-client  
> -------------------------------------------------------
>
>                 Key: HADOOP-18069
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18069
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: hdfs-client
>    Affects Versions: 3.3.1
>            Reporter: Eugene Shinn (Truveta)
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 3h 40m
>  Remaining Estimate: 0h
>
> Our static vulnerability scanner (Fortify On Demand) detected [NVD - 
> CVE-2021-0341 
> (nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2021-0341#VulnChangeHistorySection]
>  in our application. We traced the vulnerability to a transitive dependency 
> coming from hadoop-hdfs-client, which depends on [email protected] 
> ([hadoop/pom.xml at trunk · apache/hadoop 
> (github.com)|https://github.com/apache/hadoop/blob/trunk/hadoop-project/pom.xml#L137]).
>  To resolve this issue, okhttp should be upgraded to 4.9.2+ (ref: 
> [CVE-2021-0341 · Issue #6724 · square/okhttp 
> (github.com)|https://github.com/square/okhttp/issues/6724]).



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to