[jira] [Commented] (HADOOP-19578) Upgrade com.huaweicloud:esdk-obs-java for CVE-2023-3635

Sun, 25 May 2025 22:42:18 -0700 


    [ 
https://issues.apache.org/jira/browse/HADOOP-19578?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17953989#comment-17953989
 ] 

ASF GitHub Bot commented on HADOOP-19578:
-----------------------------------------

slfan1989 commented on code in PR #7707:
URL: https://github.com/apache/hadoop/pull/7707#discussion_r2106551943


##########
hadoop-cloud-storage-project/hadoop-huaweicloud/pom.xml:
##########
@@ -29,7 +29,7 @@
   <properties>
     <file.encoding>UTF-8</file.encoding>
     <downloadSources>true</downloadSources>
-    <esdk.version>3.20.4.2</esdk.version>
+    <esdk.version>3.25.4</esdk.version>

Review Comment:
   
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7707/1/artifact/out/patch-mvninstall-hadoop-cloud-storage-project_hadoop-huaweicloud.txt
   
   [ERROR] Dependency convergence error for com.squareup.okio:okio:jar:3.6.0 
paths to dependency are:
   [ERROR] +-org.apache.hadoop:hadoop-huaweicloud:jar:3.5.0-SNAPSHOT
   [ERROR]   +-com.huaweicloud:esdk-obs-java:jar:3.25.4:compile
   [ERROR]     +-com.squareup.okhttp3:okhttp:jar:4.12.0:compile
   [ERROR]       +-com.squareup.okio:okio:jar:3.6.0:compile
   [ERROR] and
   [ERROR] +-org.apache.hadoop:hadoop-huaweicloud:jar:3.5.0-SNAPSHOT
   [ERROR]   +-com.huaweicloud:esdk-obs-java:jar:3.25.4:compile
   [ERROR]     +-com.squareup.okio:okio:jar:3.8.0:compile
   
   We need to resolve this compilation error.
   





> Upgrade com.huaweicloud:esdk-obs-java for CVE-2023-3635
> -------------------------------------------------------
>
>                 Key: HADOOP-19578
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19578
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: cloud-storage, huaweicloud
>    Affects Versions: 3.3.6, 3.4.1
>            Reporter: Yaniv Kunda
>            Priority: Major
>              Labels: pull-request-available
>
> The {{com.huaweicloud:esdk-obs-java}} dependency , used exclusively by the 
> {{hadoop-huaweicloud}} uses {{com.squareup.okio:okio:1.17.2}} which has 
> [CVE-2023-3635|https://nvd.nist.gov/vuln/detail/cve-2023-3635].
> Upgrading it will use a newer fixed version of {{okio}}, which will mitigate 
> the vulnerability.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to