Skip to content

Commit f27336f

Browse files
roczeiroczei
committed
[SPARK-45590][BUILD] Upgrade okio to 1.17.6 from 1.15.0
What changes were proposed in this pull request? This PR aims to upgrade okio from 1.15.0 to 1.17.6. Why are the changes needed? Okio 1.15.0 is vulnerable due to CVE-2023-3635, details: https://nvd.nist.gov/vuln/detail/CVE-2023-3635 Previous attempts to fix this security issue: Update okio to version 1.17.6 apache#5587: fabric8io/kubernetes-client#5587 Followup to Update okio to version 1.17.6 apache#5935: fabric8io/kubernetes-client#5935 Unfortunately it is still using 1.15.0: https://github.com/apache/spark/blob/v4.0.0-preview1/dev/deps/spark-deps-hadoop-3-hive-2.3#L227 https://github.com/apache/spark/blob/v3.5.2/dev/deps/spark-deps-hadoop-3-hive-2.3#L210 Does this PR introduce any user-facing change? No. How was this patch tested? Pass the CIs. Was this patch authored or co-authored using generative AI tooling? No.
1 parent 02795a3 commit f27336f

File tree

2 files changed

+7
-1
lines changed

2 files changed

+7
-1
lines changed

dev/deps/spark-deps-hadoop-3-hive-2.3

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -224,7 +224,7 @@ netty-transport-native-unix-common/4.1.110.Final//netty-transport-native-unix-co
224224
netty-transport/4.1.110.Final//netty-transport-4.1.110.Final.jar
225225
objenesis/3.3//objenesis-3.3.jar
226226
okhttp/3.12.12//okhttp-3.12.12.jar
227-
okio/1.15.0//okio-1.15.0.jar
227+
okio/1.17.6//okio-1.17.6.jar
228228
opencsv/2.3//opencsv-2.3.jar
229229
opentracing-api/0.33.0//opentracing-api-0.33.0.jar
230230
opentracing-noop/0.33.0//opentracing-noop-0.33.0.jar

pom.xml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -231,6 +231,7 @@
231231
<!-- org.fusesource.leveldbjni will be used except on arm64 platform. -->
232232
<leveldbjni.group>org.fusesource.leveldbjni</leveldbjni.group>
233233
<kubernetes-client.version>6.13.2</kubernetes-client.version>
234+
<okio.version>1.17.6</okio.version>
234235

235236
<test.java.home>${java.home}</test.java.home>
236237

@@ -2872,6 +2873,11 @@
28722873
<artifactId>javax.servlet-api</artifactId>
28732874
<version>${javaxservlet.version}</version>
28742875
</dependency>
2876+
<dependency>
2877+
<groupId>com.squareup.okio</groupId>
2878+
<artifactId>okio</artifactId>
2879+
<version>${okio.version}</version>
2880+
</dependency>
28752881
</dependencies>
28762882
</dependencyManagement>
28772883

0 commit comments

Comments
 (0)