Skip to content

Commit c8cf394

Browse files
roczeiyaooqinn
roczei
authored and
yaooqinn
committed
[SPARK-45590][BUILD] Upgrade okio to 1.17.6 from 1.15.0
### What changes were proposed in this pull request? This PR aims to upgrade `okio` from 1.15.0 to 1.17.6. ### Why are the changes needed? Okio 1.15.0 is vulnerable due to CVE-2023-3635, details: https://nvd.nist.gov/vuln/detail/CVE-2023-3635 Previous attempts to fix this security issue: Update okio to version 1.17.6 #5587: fabric8io/kubernetes-client#5587 Followup to Update okio to version 1.17.6 #5935: fabric8io/kubernetes-client#5935 Unfortunately it is still using 1.15.0: https://github.com/apache/spark/blob/v4.0.0-preview1/dev/deps/spark-deps-hadoop-3-hive-2.3#L227 https://github.com/apache/spark/blob/v3.5.2/dev/deps/spark-deps-hadoop-3-hive-2.3#L210 ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? Pass the CIs. ### Was this patch authored or co-authored using generative AI tooling? No. Closes #47758 from roczei/SPARK-45590. Authored-by: Gabor Roczei <roczei@cloudera.com> Signed-off-by: Kent Yao <yao@apache.org>
1 parent d8bb37e commit c8cf394

File tree

2 files changed

+7
-1
lines changed

2 files changed

+7
-1
lines changed

dev/deps/spark-deps-hadoop-3-hive-2.3

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -224,7 +224,7 @@ netty-transport-native-unix-common/4.1.110.Final//netty-transport-native-unix-co
224224
netty-transport/4.1.110.Final//netty-transport-4.1.110.Final.jar
225225
objenesis/3.3//objenesis-3.3.jar
226226
okhttp/3.12.12//okhttp-3.12.12.jar
227-
okio/1.15.0//okio-1.15.0.jar
227+
okio/1.17.6//okio-1.17.6.jar
228228
opencsv/2.3//opencsv-2.3.jar
229229
opentracing-api/0.33.0//opentracing-api-0.33.0.jar
230230
opentracing-noop/0.33.0//opentracing-noop-0.33.0.jar

pom.xml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -231,6 +231,7 @@
231231
<!-- org.fusesource.leveldbjni will be used except on arm64 platform. -->
232232
<leveldbjni.group>org.fusesource.leveldbjni</leveldbjni.group>
233233
<kubernetes-client.version>6.13.2</kubernetes-client.version>
234+
<okio.version>1.17.6</okio.version>
234235

235236
<test.java.home>${java.home}</test.java.home>
236237

@@ -2872,6 +2873,11 @@
28722873
<artifactId>javax.servlet-api</artifactId>
28732874
<version>${javaxservlet.version}</version>
28742875
</dependency>
2876+
<dependency>
2877+
<groupId>com.squareup.okio</groupId>
2878+
<artifactId>okio</artifactId>
2879+
<version>${okio.version}</version>
2880+
</dependency>
28752881
</dependencies>
28762882
</dependencyManagement>
28772883

0 commit comments

Comments
 (0)