[
https://issues.apache.org/jira/browse/HDDS-10600?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Attila Doroszlai resolved HDDS-10600.
-------------------------------------
Fix Version/s: 1.5.0
Resolution: Done
> Bump nimbus-jose-jwt version
> ----------------------------
>
> Key: HDDS-10600
> URL: https://issues.apache.org/jira/browse/HDDS-10600
> Project: Apache Ozone
> Issue Type: Task
> Affects Versions: 1.5.0
> Reporter: Vyacheslav Tutrinov
> Assignee: Vyacheslav Tutrinov
> Priority: Major
> Labels: pull-request-available
> Fix For: 1.5.0
>
>
> This is a continuation of the investigation made in HDDS-10589.
> The hdds-hadoop-dependency-(client|server) modules depend on hadoop-common,
> which in turn depends on com.nimbusds:nimbus-jose-jwt:9.8.1 (through
> org.apache.hadoop:hadoop-auth).
> Version 9.8.1 of the com.nimbusds:nimbus-jose-jwt library contains a
> shaded copy of net.minidev:json-smart:1.3.2
> (https://bitbucket.org/connect2id/nimbus-jose-jwt/src/815b98228df7be7b918ae368ea003a034768f769/pom.xml#lines-59),
> which has a CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-31684.
> The nearest version of nimbus-jose-jwt that doesn't have the CVE is 9.24,
> where the json-smart library was replaced with com.google.code.gson:gson.
> Hence, we need to exclude the nimbus-jose-jwt dependency from the
> hadoop-common transitive dependency list in the
> hdds-hadoop-dependency-(client|server) modules and include it directly at a
> specific version (9.24).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
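The exclude-and-redeclare change the issue describes, written out as an added Maven example; this fragment is not taken from the Ozone repository or from the pull request, and it assumes the hadoop-common version is managed in a parent pom (so no version is given on that dependency). The artifact coordinates and the 9.24 target come from the issue text. Because json-smart 1.3.2 is shaded inside the nimbus-jose-jwt jar rather than pulled in as a separate artifact, an exclusion on net.minidev:json-smart would change nothing; the whole nimbus-jose-jwt artifact has to be swapped for a release that no longer bundles it.

```xml
<!-- hdds-hadoop-dependency-client/pom.xml (apply the same change in the server module);
     added example, not the project's own pom -->
<dependencies>
  <dependency>
    <groupId>org.apache.hadoop</groupId>
    <artifactId>hadoop-common</artifactId>
    <!-- version assumed to be managed in the parent pom -->
    <exclusions>
      <!-- hadoop-common -> hadoop-auth -> nimbus-jose-jwt 9.8.1, which shades
           json-smart 1.3.2 (CVE-2021-31684); cut that path here -->
      <exclusion>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Redeclare the library directly at a release that replaced json-smart with gson,
       so hadoop-auth still finds its classes on the classpath at runtime -->
  <dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
    <version>9.24</version>
  </dependency>
</dependencies>
```

Two things worth checking after the change. First, an exclusion only cuts the one path it is declared on; if any other dependency of the module also drags in nimbus-jose-jwt, the older version can come back through that path, so `mvn dependency:tree -Dincludes=com.nimbusds:nimbus-jose-jwt` on the module should show exactly one resolved copy at 9.24. Pinning the version in the parent's `<dependencyManagement>` instead of (or in addition to) the exclusion covers every path at once. Second, since json-smart in 9.8.1 was shaded, the scanner that raised the finding was matching classes or package names inside the nimbus jar rather than a Maven artifact, so the confirmation is a rescan of the built jar, not only a clean dependency tree.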