[HADOOP-18837] Upgrade Okio to 3.4.0 due to CVE-2023-3635 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.4.0
Fix Version/s: 3.4.0, 3.3.9
Component/s: common
Labels:
- pull-request-available

Target Version/s:

3.4.0
Hadoop Flags:

Reviewed

Description

Upgrade Okio to 3.4.0 due to CVE-2023-3635

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.

CVSSv3 Score:- 7.5(High)

https://nvd.nist.gov/vuln/detail/CVE-2023-3635

Attachments

Issue Links

depends upon

HADOOP-18496 upgrade kotlin-stdlib due to CVEs

Open

links to

GitHub Pull Request #5914

GitHub Pull Request #5961

Activity

People

Assignee:: Rohit Kumar

Reporter:: Rohit Kumar

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 02/Aug/23 11:57

Updated:: 27/Jan/24 08:16

Resolved:: 07/Aug/23 12:05