Vyacheslav Tutrinov created HDDS-10600:
------------------------------------------
Summary: Bump nimbus-jose-jwt version
Key: HDDS-10600
URL: https://issues.apache.org/jira/browse/HDDS-10600
Project: Apache Ozone
Issue Type: Task
Affects Versions: 1.5.0
Reporter: Vyacheslav Tutrinov
Assignee: Vyacheslav Tutrinov
This is a continuation of the investigation made in HDDS-10589.
The hdds-hadoop-dependency-(client|server) modules depend on hadoop-common, which
in turn depends on com.nimbusds:nimbus-jose-jwt:9.8.1 (through
org.apache.hadoop:hadoop-auth).
Version 9.8.1 of the com.nimbusds:nimbus-jose-jwt library contains a shaded copy
of net.minidev:json-smart:1.3.2
(https://bitbucket.org/connect2id/nimbus-jose-jwt/src/815b98228df7be7b918ae368ea003a034768f769/pom.xml#lines-59)
that is affected by a CVE - https://nvd.nist.gov/vuln/detail/CVE-2021-31684.
The nearest nimbus-jose-jwt version that does not carry the CVE is 9.24; there the
json-smart library was replaced with com.google.code.gson:gson.
Hence, we need to exclude the nimbus-jose-jwt dependency from the transitive
dependencies of hadoop-common in the hdds-hadoop-dependency-(client|server) modules
and declare it directly with a pinned version (9.24).
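As an added illustration (not part of the ticket or of the Ozone pom.xml files), the dependency block that the description calls for, written as plain Maven XML. The `${hadoop.version}` property and the surrounding module layout are assumptions; the coordinates and the 9.24 version come from the ticket.

```xml
<!-- Added example, not the project's actual pom.xml.
     Assumes a hadoop.version property is defined in the parent POM. -->
<dependencies>
  <!-- hadoop-common brings in nimbus-jose-jwt 9.8.1 via hadoop-auth.
       Maven exclusions apply to the whole subtree under this edge, so
       excluding it here removes the vulnerable transitive version. -->
  <dependency>
    <groupId>org.apache.hadoop</groupId>
    <artifactId>hadoop-common</artifactId>
    <version>${hadoop.version}</version>
    <exclusions>
      <exclusion>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Declare nimbus-jose-jwt directly at 9.24, the nearest version in
       which the shaded json-smart 1.3.2 (CVE-2021-31684) was replaced by gson. -->
  <dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
    <version>9.24</version>
  </dependency>
</dependencies>
```

To check the result, run `mvn dependency:tree -Dincludes=com.nimbusds:nimbus-jose-jwt` in the module directory; only the 9.24 entry should remain. If any other direct dependency of the module also pulls in hadoop-auth, it needs the same exclusion (or the version has to be pinned in `dependencyManagement`), otherwise 9.8.1 can reappear through that second path.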
--
This message was sent by Atlassian Jira
(v8.20.10#820010)