[
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17617623#comment-17617623
]
PJ Fanning commented on HADOOP-18496:
-------------------------------------
[[email protected]] looks like the kotlin dependencies were brought in because
of okhttp3.
Hadoop trunk uses okhttp3 4.9.3 and the kotlin version used in Hadoop matches
what okhttp3 4.9.3 needs.
If we were to upgrade kotlin due to the CVEs, we would probably need to upgrade
to okhttp3 4.10.0 which relies on kotlin-stdlib 1.6.20.
> upgrade kotlin-stdlib due to CVEs
> ---------------------------------
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
> Issue Type: Improvement
> Reporter: PJ Fanning
> Priority: Major
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version
> of kotlin-stdlib used in Hadoop.
> * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
> * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar
> altogether (currently 1.7.20).
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
