
HADOOP-18496. Upgrade okhttp3 and dependencies due to kotlin CVEs (#5035)

Updates okhttp3 and okio so their transitive dependency on Kotlin
stdlib is free from recent CVEs.

okhttp3:okhttp => 4.10.0
okio:okio => 3.2.0
kotlin stdlib => 1.6.20

kotlin CVEs fixed:
 CVE-2022-24329
 CVE-2020-29582
 
Contributed by PJ Fanning.
PJ Fanning 2 years ago
parent
commit
d340c4a7a1

+ 2 - 2
LICENSE-binary

@@ -241,8 +241,8 @@ com.google.guava:guava:27.0-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.microsoft.azure:azure-storage:7.0.0
 com.nimbusds:nimbus-jose-jwt:9.8.1
-com.squareup.okhttp3:okhttp:4.9.3
-com.squareup.okio:okio:1.6.0
+com.squareup.okhttp3:okhttp:4.10.0
+com.squareup.okio:okio:3.2.0
 com.zaxxer:HikariCP:4.0.3
 commons-beanutils:commons-beanutils:1.9.3
 commons-cli:commons-cli:1.2

+ 2 - 0
hadoop-client-modules/hadoop-client-runtime/pom.xml

@@ -157,6 +157,8 @@
                       <exclude>org.bouncycastle:*</exclude>
                       <!-- Leave snappy that includes native methods which cannot be relocated. -->
                       <exclude>org.xerial.snappy:*</exclude>
+                      <!-- leave out kotlin classes -->
+                      <exclude>org.jetbrains.kotlin:*</exclude>
                     </excludes>
                   </artifactSet>
                   <filters>
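Review bot: The new `<exclude>org.jetbrains.kotlin:*</exclude>` carries only `leave out kotlin classes` as its comment, whereas the snappy exclude directly above it records the reason it cannot be relocated; the reason for keeping the Kotlin stdlib out of the shaded runtime is not stated anywhere in the hunk. Because this is an `artifactSet` exclude, the Kotlin jars are not bundled into hadoop-client-runtime at all, so consumers of the shaded client presumably get kotlin-stdlib (and hence the 1.6.20 level this commit is about) from their own classpath rather than from this artifact — worth confirming and writing down. Suggested replacement comment: `<!-- Leave out the Kotlin stdlib: it is not bundled or relocated in this jar, so the consumer's classpath supplies it (TODO: record why it is not shaded) -->`.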

+ 5 - 0
hadoop-common-project/hadoop-common/pom.xml

@@ -383,6 +383,11 @@
       <artifactId>mockwebserver</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>com.squareup.okio</groupId>
+      <artifactId>okio-jvm</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>dnsjava</groupId>
       <artifactId>dnsjava</artifactId>
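Review bot: The added test-scoped `okio-jvm` dependency has no comment saying why a direct declaration is needed next to `mockwebserver`, and the reason is only visible in another file of this commit: hadoop-project's dependencyManagement now excludes `okio-jvm` from `mockwebserver` and manages it at `${okio.version}`. A one-line comment would keep a future reader from treating this as an unused dependency and dropping it. Suggested comment above the new `<dependency>`: `<!-- okio-jvm is excluded from mockwebserver in hadoop-project; declare it directly so the managed okio.version is used -->`.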

+ 10 - 0
hadoop-hdfs-project/hadoop-hdfs-client/pom.xml

@@ -37,6 +37,16 @@ https://maven.apache.org/xsd/maven-4.0.0.xsd">
     <dependency>
       <groupId>com.squareup.okhttp3</groupId>
       <artifactId>okhttp</artifactId>
+      <exclusions>
+        <exclusion>
+          <groupId>com.squareup.okio</groupId>
+          <artifactId>okio-jvm</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>com.squareup.okio</groupId>
+      <artifactId>okio-jvm</artifactId>
     </dependency>
     <dependency>
       <groupId>org.jetbrains.kotlin</groupId>
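Review bot: The `<exclusions>` block added to the `okhttp` dependency duplicates the exclusion that hadoop-project's dependencyManagement adds for the same artifact in this commit, and, as far as I recall Maven's management injection, a dependency that declares its own `<exclusions>` receives none of the managed ones — so the managed `kotlin-stdlib` / `kotlin-stdlib-common` exclusions on `okhttp` would no longer apply in this module. The practical effect is probably masked by the direct `org.jetbrains.kotlin` dependency declared just below (nearest wins), but it is worth confirming with `mvn dependency:tree` on hadoop-hdfs-client. Either drop the local `<exclusions>` block and rely on the managed one, or mirror the full managed list here; a short comment such as `<!-- exclusions match hadoop-project dependencyManagement; keep in sync -->` would document whichever is chosen. The `org.jetbrains.kotlin` `<dependency>` that starts at the end of the hunk continues outside it.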

+ 24 - 4
hadoop-project/pom.xml

@@ -132,9 +132,10 @@
     <hikari.version>4.0.3</hikari.version>
     <mssql.version>6.2.1.jre7</mssql.version>
     <okhttp.version>2.7.5</okhttp.version>
-    <okhttp3.version>4.9.3</okhttp3.version>
-    <kotlin-stdlib.verion>1.4.10</kotlin-stdlib.verion>
-    <kotlin-stdlib-common.version>1.4.10</kotlin-stdlib-common.version>
+    <okhttp3.version>4.10.0</okhttp3.version>
+    <okio.version>3.2.0</okio.version>
+    <kotlin-stdlib.verion>1.6.20</kotlin-stdlib.verion>
+    <kotlin-stdlib-common.version>1.6.20</kotlin-stdlib-common.version>
     <jdom2.version>2.0.6.1</jdom2.version>
     <jna.version>5.2.0</jna.version>
     <grizzly.version>2.2.21</grizzly.version>
@@ -234,8 +235,17 @@
             <groupId>org.jetbrains.kotlin</groupId>
             <artifactId>kotlin-stdlib-common</artifactId>
           </exclusion>
+          <exclusion>
+            <groupId>com.squareup.okio</groupId>
+            <artifactId>okio-jvm</artifactId>
+          </exclusion>
         </exclusions>
       </dependency>
+      <dependency>
+        <groupId>com.squareup.okio</groupId>
+        <artifactId>okio-jvm</artifactId>
+        <version>${okio.version}</version>
+      </dependency>
       <dependency>
         <groupId>org.jetbrains.kotlin</groupId>
         <artifactId>kotlin-stdlib</artifactId>
@@ -255,8 +265,18 @@
       <dependency>
         <groupId>com.squareup.okhttp3</groupId>
         <artifactId>mockwebserver</artifactId>
-        <version>4.9.3</version>
+        <version>${okhttp3.version}</version>
         <scope>test</scope>
+        <exclusions>
+          <exclusion>
+            <groupId>com.squareup.okio</groupId>
+            <artifactId>okio-jvm</artifactId>
+          </exclusion>
+          <exclusion>
+            <groupId>org.jetbrains.kotlin</groupId>
+            <artifactId>kotlin-stdlib-jdk8</artifactId>
+          </exclusion>
+        </exclusions>
       </dependency>
       <dependency>
         <groupId>jdiff</groupId>
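Review bot: The property renamed on the new line `<kotlin-stdlib.verion>1.6.20</kotlin-stdlib.verion>` (first hunk) keeps the misspelling `verion` next to the correctly spelled `kotlin-stdlib-common.version` and the new `okio.version`; since the line is being rewritten anyway, this is the moment to correct it to `<kotlin-stdlib.version>1.6.20</kotlin-stdlib.version>`, renaming every `${kotlin-stdlib.verion}` reference elsewhere in the poms in the same change. Separately, in the third hunk the `mockwebserver` exclusions list `okio-jvm` and `kotlin-stdlib-jdk8` while the managed `okhttp` entry excludes `kotlin-stdlib` and `kotlin-stdlib-common` (second hunk's context); if the intent is to route every Kotlin artifact through the managed `kotlin-stdlib.verion` level, the two lists presumably should match, so a `dependency:tree` check that no second Kotlin version reaches the test classpath is advisable. A comment on the mockwebserver exclusions, e.g. `<!-- exclude bundled okio/kotlin so the managed versions apply -->`, would state the purpose.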