Skip to content

Commit

Permalink
[SPARK-45590][BUILD] Upgrade okio to 1.17.6 from 1.15.0
Browse files Browse the repository at this point in the history 
What changes were proposed in this pull request?

This PR aims to upgrade okio from 1.15.0 to 1.17.6.

Why are the changes needed?

Okio 1.15.0 is vulnerable due to CVE-2023-3635, details: https://nvd.nist.gov/vuln/detail/CVE-2023-3635

Previous attempts to fix this security issue:

Update okio to version 1.17.6 apache#5587: fabric8io/kubernetes-client#5587
Followup to Update okio to version 1.17.6 apache#5935: fabric8io/kubernetes-client#5935

Unfortunately it is still using 1.15.0:

https://github.com/apache/spark/blob/v4.0.0-preview1/dev/deps/spark-deps-hadoop-3-hive-2.3#L227
https://github.com/apache/spark/blob/v3.5.2/dev/deps/spark-deps-hadoop-3-hive-2.3#L210

Does this PR introduce any user-facing change?

No.

How was this patch tested?

Pass the CIs.

Was this patch authored or co-authored using generative AI tooling?

No.
  • Loading branch information
@roczei
roczei committed Aug 14, 2024
1 parent 02795a3 commit f27336f
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 1 deletion.
2 changes: 1 addition & 1 deletion dev/deps/spark-deps-hadoop-3-hive-2.3
View file
Original file line number Diff line number Diff line change
Expand Up @@ -224,7 +224,7 @@ netty-transport-native-unix-common/4.1.110.Final//netty-transport-native-unix-co
netty-transport/4.1.110.Final//netty-transport-4.1.110.Final.jar
objenesis/3.3//objenesis-3.3.jar
okhttp/3.12.12//okhttp-3.12.12.jar
okio/1.15.0//okio-1.15.0.jar
okio/1.17.6//okio-1.17.6.jar
opencsv/2.3//opencsv-2.3.jar
opentracing-api/0.33.0//opentracing-api-0.33.0.jar
opentracing-noop/0.33.0//opentracing-noop-0.33.0.jar
Expand Down
6 changes: 6 additions & 0 deletions pom.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -231,6 +231,7 @@
<!-- org.fusesource.leveldbjni will be used except on arm64 platform. -->
<leveldbjni.group>org.fusesource.leveldbjni</leveldbjni.group>
<kubernetes-client.version>6.13.2</kubernetes-client.version>
<okio.version>1.17.6</okio.version>

<test.java.home>${java.home}</test.java.home>

Expand Down Expand Up @@ -2872,6 +2873,11 @@
<artifactId>javax.servlet-api</artifactId>
<version>${javaxservlet.version}</version>
</dependency>
<dependency>
<groupId>com.squareup.okio</groupId>
<artifactId>okio</artifactId>
<version>${okio.version}</version>
</dependency>
</dependencies>
</dependencyManagement>

Expand Down

0 comments on commit f27336f

Please sign in to comment.