Posted to hdfs-dev@hadoop.apache.org by "Ivan Viaznikov (Jira)" <ji...@apache.org> on 2022/02/10 08:14:00 UTC
[jira] [Created] (HDFS-16453) okhttp vulnerable library update
Ivan Viaznikov created HDFS-16453:
-------------------------------------
Summary: okhttp vulnerable library update
Key: HDFS-16453
URL: https://issues.apache.org/jira/browse/HDFS-16453
Project: Hadoop HDFS
Issue Type: Wish
Components: hdfs-client
Affects Versions: 3.3.1
Reporter: Ivan Viaznikov
{{org.apache.hadoop:hadoop-hdfs-client}} comes with {{com.squareup.okhttp:okhttp:2.7.5}} as a dependency, which is vulnerable to an information disclosure issue due to how the contents of sensitive headers, such as the {{Authorization}} header, can be logged when an {{IllegalArgumentException}} is thrown.
This issue could allow an attacker or malicious user who has access to the logs to obtain the sensitive contents of the affected headers which could facilitate further attacks.
Fixed in {{5.0.0-alpha3}} by [this|https://github.com/square/okhttp/commit/dcc6483b7dc6d9c0b8e03ff7c30c13f3c75264a5] commit. The fix was cherry-picked and backported into {{4.9.2}} with [this|https://github.com/square/okhttp/commit/1fd7c0afdc2cee9ba982b07d49662af7f60e1518] commit.
Requesting you to clarify whether this dependency will be updated to a fixed version in the following releases.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
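The mechanism described in the ticket, as an added illustration that is not okhttp's or Hadoop's code: okhttp validates header values while building a request and, before the referenced fix, echoed the rejected value into the IllegalArgumentException message, so any handler that logs the exception writes the Authorization value to the log. The Python approximation below places that vulnerable check beside a hardened one that keeps the diagnostic (header name and offset) but drops the value for credential-bearing headers, and runs both through a constructed request whose bearer token picked up a trailing newline. The header names, the control-character rule and the logger wiring are assumptions of this example, not details taken from okhttp.

```python
"""Header-value validation that leaks credentials into logs, beside a redacting
version. Added example, not okhttp's or Hadoop's code; all names are assumed."""
import logging
import re

# Assumption: headers whose value must never appear in a diagnostic.
SENSITIVE_HEADERS = frozenset(
    n.lower() for n in ("Authorization", "Proxy-Authorization", "Cookie", "Set-Cookie")
)

# HTTP field values may not contain control characters other than HTAB
# (RFC 7230). A stray CR/LF is the usual reason a value gets rejected.
_ILLEGAL_VALUE_CHAR = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def check_value_vulnerable(name: str, value: str) -> None:
    """Vulnerable shape: the offending value is echoed into the exception text."""
    m = _ILLEGAL_VALUE_CHAR.search(value)
    if m:
        raise ValueError(
            f"Unexpected char {ord(m.group()):#x} at {m.start()} in {name} value: {value}"
        )


def check_value_hardened(name: str, value: str) -> None:
    """Hardened shape: same diagnostic, but the value is omitted for headers that
    carry credentials. Non-sensitive headers keep the full message."""
    m = _ILLEGAL_VALUE_CHAR.search(value)
    if m:
        shown = "" if name.lower() in SENSITIVE_HEADERS else f": {value}"
        raise ValueError(
            f"Unexpected char {ord(m.group()):#x} at {m.start()} in {name} value{shown}"
        )


def build_request_logged(checker, headers: dict, log: logging.Logger) -> bool:
    """Client stand-in: validates every header and logs a failure the way a
    generic exception handler would. Returns True if the request was rejected."""
    for name, value in headers.items():
        try:
            checker(name, value)
        except ValueError as exc:
            log.error("request rejected: %s", exc)  # the leak path
            return True
    return False


class _ListHandler(logging.Handler):
    """Captures log messages in memory so the example can inspect them."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(record.getMessage())


def leaked_secret(checker, secret: str = "Bearer eyJhbGciOi.constructed.token") -> bool:
    """Send one request with a malformed Authorization value through `checker`
    and report whether the secret ended up in the captured log output."""
    log = logging.getLogger(f"headercheck.{checker.__name__}")
    log.propagate = False
    log.setLevel(logging.ERROR)
    handler = _ListHandler()
    log.handlers = [handler]
    # Constructed request: token read from a credentials file without strip().
    headers = {"Host": "namenode.example:9871", "Authorization": secret + "\n"}
    rejected = build_request_logged(checker, headers, log)
    assert rejected, "the malformed header should have been rejected"
    return any(secret in line for line in handler.lines)


def message_for(checker, name: str, value: str) -> str:
    """Return the exception message `checker` raises for (name, value), or ''."""
    try:
        checker(name, value)
    except ValueError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    print("vulnerable check leaks token:", leaked_secret(check_value_vulnerable))
    print("hardened check leaks token:  ", leaked_secret(check_value_hardened))
```

The hardened variant still names the header and the offset of the bad character, which is what an operator needs to debug the request; only the value is withheld, and only for headers on the sensitive list. For consumers of hadoop-hdfs-client, one caveat applies to remediation: okhttp 2.x ships as com.squareup.okhttp:okhttp with the package com.squareup.okhttp, while the fixed 4.9.2 release ships as com.squareup.okhttp3:okhttp with the package okhttp3, so the fix cannot be applied by overriding the version in a consuming project's dependencyManagement; it requires the client code to be migrated to the newer artifact.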