Posted to common-dev@hadoop.apache.org by "Eugene Shinn (Truveta) (Jira)" <ji...@apache.org> on 2022/01/05 19:48:00 UTC
[jira] [Created] (HADOOP-18069) CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client
Eugene Shinn (Truveta) created HADOOP-18069:
-----------------------------------------------
Summary: CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client
Key: HADOOP-18069
URL: https://issues.apache.org/jira/browse/HADOOP-18069
Project: Hadoop Common
Issue Type: Bug
Components: hdfs-client
Affects Versions: 3.3.1
Reporter: Eugene Shinn (Truveta)
Our static vulnerability scanner (Fortify On Demand) detected [NVD - CVE-2021-0341 (nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2021-0341#VulnChangeHistorySection] in our application. We traced the vulnerability to a transitive dependency coming from hadoop-hdfs-client, which depends on okhttp@2.7.5 ([hadoop/pom.xml at trunk · apache/hadoop (github.com)|https://github.com/apache/hadoop/blob/trunk/hadoop-project/pom.xml#L137]). To resolve this issue, okhttp should be upgraded to 4.9.2+ (ref: [CVE-2021-0341 · Issue #6724 · square/okhttp (github.com)|https://github.com/square/okhttp/issues/6724]).
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-dev-help@hadoop.apache.org
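A defender-side check for the dependency path the report describes, added here as an example that is not part of the thread or of Hadoop: it walks `mvn dependency:tree` output (a constructed sample) and lists every path ending in com.squareup.okhttp:okhttp below the 4.9.2 fix version. The groupId is matched exactly because okhttp 4.x ships under com.squareup.okhttp3, so a patched okhttp3 elsewhere on the classpath does not remediate the 2.7.5 artifact that hdfs-client links against.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not from the thread): an
# application that pulls in hadoop-hdfs-client 3.3.1, which in turn brings in
# com.squareup.okhttp:okhttp:2.7.5, the artifact named in the report.  Sibling
# versions are illustrative.  Note the two groupIds: okhttp 2.x lives under
# com.squareup.okhttp, the 4.x line (where the fix is) under com.squareup.okhttp3.
SAMPLE_TREE = """\
[INFO] com.example:myapp:jar:1.0.0
[INFO] +- org.apache.hadoop:hadoop-hdfs-client:jar:3.3.1:compile
[INFO] |  +- com.squareup.okhttp:okhttp:jar:2.7.5:compile
[INFO] |  |  \\- com.squareup.okio:okio:jar:1.6.0:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.3:compile
[INFO] \\- com.squareup.okhttp3:okhttp:jar:4.9.2:compile
"""


def version_key(version):
    """Numeric tuple for comparison; qualifiers such as '-RC1' are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_tree(text):
    """Yield (path, group, artifact, version) for every node in the tree.

    Each line is '[INFO] ' + a tree prefix made of 3-char units ('+- ', '\\- ',
    '|  ', '   ') + 'group:artifact:type[:classifier]:version[:scope]'.  The
    prefix length therefore gives the node depth, and a depth-indexed stack of
    coordinates gives the path from the project root down to the node.
    """
    stack = []
    for raw in text.splitlines():
        if not raw.startswith("[INFO] "):
            continue
        body = raw[len("[INFO] "):]
        coord = body.split()[-1]
        depth = (len(body) - len(coord)) // 3
        parts = coord.split(":")
        group, artifact = parts[0], parts[1]
        version = parts[3] if len(parts) <= 5 else parts[4]
        stack = stack[:depth] + [f"{group}:{artifact}:{version}"]
        yield list(stack), group, artifact, version


def find_vulnerable_paths(text, group, artifact, fixed_in):
    """Return every dependency path ending in group:artifact below fixed_in.

    The groupId is matched exactly: a patched com.squareup.okhttp3 artifact on
    the classpath does not mask com.squareup.okhttp:okhttp:2.7.5, because the
    fix requires swapping the artifact (and package), not pinning a version.
    """
    return [path for path, g, a, v in parse_tree(text)
            if g == group and a == artifact and version_key(v) < version_key(fixed_in)]
```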
Re: [jira] [Created] (HADOOP-18069) CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client
Posted by "张铎(Duo Zhang)" <pa...@gmail.com>.
https://square.github.io/okhttp/changelog/
The latest stable release is 4.9.1, which was published on 2021.1.30
https://github.com/square/okhttp/commits/master
And there are still lots of commits recently.
I'm not saying we should not remove it in hadoop, just want to point
out that it is still under development and maintenance...
Thanks.
On Fri, 7 Jan 2022 at 22:40, Steve Loughran <st...@cloudera.com.invalid> wrote:
>
> okhttp was last updated in 2017
>
> Why use this over httpclient? It's only used in a couple of places, and
> removing it entirely would make this problem go away forever.
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-help@hadoop.apache.org
Fwd: [jira] [Created] (HADOOP-18069) CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client
Posted by Steve Loughran <st...@cloudera.com.INVALID>.
okhttp was last updated in 2017
Why use this over httpclient? It's only used in a couple of places, and
removing it entirely would make this problem go away forever.