Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Followup to Update okio to version 1.17.6 #5935

Merged
merged 1 commit into from
Apr 23, 2024

Conversation

bjornjorgensen
Copy link
Contributor

@bjornjorgensen bjornjorgensen commented Apr 22, 2024

Description

Follow up to Update okio to version 1.17.6 #5587

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • Feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change
  • Chore (non-breaking change which doesn't affect codebase;
    test, version modification, documentation, etc.)

Checklist

  • Code contributed by me aligns with current project license: Apache 2.0
  • I Added CHANGELOG entry regarding this change
  • I have implemented unit tests to cover my changes
  • I have added/updated the javadocs and other documentation accordingly
  • No new bugs, code smells, etc. in SonarCloud report
  • I tested my code in Kubernetes
  • I tested my code in OpenShift

@bjornjorgensen
Copy link
Contributor Author

This seams to be a proper fix

----------------------< io.fabric8:mockwebserver >----------------------
[INFO] Building Fabric8 :: Mock Web Server 6.13-SNAPSHOT [43/151]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:3.6.1:list (default-cli) @ mockwebserver ---
[INFO]
[INFO] The following files have been resolved:
[INFO] com.squareup.okhttp3:mockwebserver:jar:3.12.12:compile -- module okhttp3.mockwebserver [auto]
[INFO] com.squareup.okhttp3:okhttp:jar:3.12.12:compile -- module okhttp3 [auto]
[INFO] com.squareup.okio:okio:jar:1.17.6:compile -- module okio [auto]

com.squareup.okio:okio:jar:1.17.6:test -- module okio [auto]

[INFO] com.squareup.okio:okio:jar:1.17.6:compile -- module okio [auto]

[INFO] com.squareup.okio:okio:jar:1.17.6:runtime -- module okio [auto]

image

Copy link

sonarcloud bot commented Apr 22, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@bjornjorgensen
Copy link
Contributor Author

mvn dependency:tree -Dincludes=com.squareup.okio > dependency-tree.txt
dependency-tree.txt
Now it only show com.squareup.okio:okio:jar:1.17.6

Manjaro
java -version
openjdk version "21.0.2" 2024-01-16
OpenJDK Runtime Environment (build 21.0.2+13)
OpenJDK 64-Bit Server VM (build 21.0.2+13, mixed mode, sharing)

@bjornjorgensen bjornjorgensen changed the title Follup to Update okio to version 1.17.6 Follup to Update okio to version 1.17.6 Apr 22, 2024
@manusa manusa changed the title Follup to Update okio to version 1.17.6 Followup to Update okio to version 1.17.6 Apr 23, 2024
@manusa manusa added this to the 6.13.0 milestone Apr 23, 2024 — with automated-tasks
Copy link
Member

@manusa manusa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thx!

@manusa manusa merged commit eaf7cff into fabric8io:main Apr 23, 2024
20 checks passed
@bjornjorgensen bjornjorgensen deleted the okio_proper branch April 23, 2024 08:07
roczei added a commit to roczei/spark that referenced this pull request Aug 14, 2024
What changes were proposed in this pull request?
This PR aims to upgrade okio from 1.15.0 to 1.17.6.

Why are the changes needed?
Okio 1.15.0 is vulnerable due to CVE-2023-3635, details: https://nvd.nist.gov/vuln/detail/CVE-2023-3635

Previous attempts to fix this security issue:

Update okio to version 1.17.6 apache#5587: fabric8io/kubernetes-client#5587
Followup to Update okio to version 1.17.6 apache#5935: fabric8io/kubernetes-client#5935

Unfortunately it is still using 1.15.0:

https://github.com/apache/spark/blob/v4.0.0-preview1/dev/deps/spark-deps-hadoop-3-hive-2.3#L227
https://github.com/apache/spark/blob/v3.5.2/dev/deps/spark-deps-hadoop-3-hive-2.3#L210

Does this PR introduce any user-facing change?
No.

How was this patch tested?
Pass the CIs.

Was this patch authored or co-authored using generative AI tooling?
No.
roczei added a commit to roczei/spark that referenced this pull request Aug 14, 2024
What changes were proposed in this pull request?

This PR aims to upgrade okio from 1.15.0 to 1.17.6.

Why are the changes needed?

Okio 1.15.0 is vulnerable due to CVE-2023-3635, details: https://nvd.nist.gov/vuln/detail/CVE-2023-3635

Previous attempts to fix this security issue:

Update okio to version 1.17.6 apache#5587: fabric8io/kubernetes-client#5587
Followup to Update okio to version 1.17.6 apache#5935: fabric8io/kubernetes-client#5935

Unfortunately it is still using 1.15.0:

https://github.com/apache/spark/blob/v4.0.0-preview1/dev/deps/spark-deps-hadoop-3-hive-2.3#L227
https://github.com/apache/spark/blob/v3.5.2/dev/deps/spark-deps-hadoop-3-hive-2.3#L210

Does this PR introduce any user-facing change?

No.

How was this patch tested?

Pass the CIs.

Was this patch authored or co-authored using generative AI tooling?

No.
yaooqinn pushed a commit to apache/spark that referenced this pull request Aug 15, 2024
### What changes were proposed in this pull request?

This PR aims to upgrade `okio` from 1.15.0 to 1.17.6.

### Why are the changes needed?

Okio 1.15.0 is vulnerable due to CVE-2023-3635,  details: https://nvd.nist.gov/vuln/detail/CVE-2023-3635

Previous attempts to fix this security issue:

Update okio to version 1.17.6 #5587: fabric8io/kubernetes-client#5587
Followup to Update okio to version 1.17.6 #5935: fabric8io/kubernetes-client#5935

Unfortunately it is still using 1.15.0:

https://github.com/apache/spark/blob/v4.0.0-preview1/dev/deps/spark-deps-hadoop-3-hive-2.3#L227
https://github.com/apache/spark/blob/v3.5.2/dev/deps/spark-deps-hadoop-3-hive-2.3#L210

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Pass the CIs.

### Was this patch authored or co-authored using generative AI tooling?

No.

Closes #47758 from roczei/SPARK-45590.

Authored-by: Gabor Roczei <roczei@cloudera.com>
Signed-off-by: Kent Yao <yao@apache.org>
roczei added a commit to roczei/spark that referenced this pull request Aug 15, 2024
Backport apache#47758 to 3.5

This PR aims to upgrade `okio` from 1.15.0 to 1.17.6.

Okio 1.15.0 is vulnerable due to CVE-2023-3635,  details: https://nvd.nist.gov/vuln/detail/CVE-2023-3635

Previous attempts to fix this security issue:

Update okio to version 1.17.6 apache#5587: fabric8io/kubernetes-client#5587
Followup to Update okio to version 1.17.6 apache#5935: fabric8io/kubernetes-client#5935

Unfortunately it is still using 1.15.0:

https://github.com/apache/spark/blob/v4.0.0-preview1/dev/deps/spark-deps-hadoop-3-hive-2.3#L227
https://github.com/apache/spark/blob/v3.5.2/dev/deps/spark-deps-hadoop-3-hive-2.3#L210

No.

Pass the CIs.

No.

Closes apache#47758 from roczei/SPARK-45590.

Authored-by: Gabor Roczei <roczei@cloudera.com>
Signed-off-by: Kent Yao <yao@apache.org>
(cherry picked from commit c8cf394)
roczei added a commit to roczei/spark that referenced this pull request Aug 15, 2024
Backport apache#47758 to 3.4

This PR aims to upgrade `okio` from 1.15.0 to 1.17.6.

Okio 1.15.0 is vulnerable due to CVE-2023-3635,  details: https://nvd.nist.gov/vuln/detail/CVE-2023-3635

Previous attempts to fix this security issue:

Update okio to version 1.17.6 apache#5587: fabric8io/kubernetes-client#5587
Followup to Update okio to version 1.17.6 apache#5935: fabric8io/kubernetes-client#5935

Unfortunately it is still using 1.15.0:

https://github.com/apache/spark/blob/v4.0.0-preview1/dev/deps/spark-deps-hadoop-3-hive-2.3#L227
https://github.com/apache/spark/blob/v3.5.2/dev/deps/spark-deps-hadoop-3-hive-2.3#L210

No.

Pass the CIs.

No.

Closes apache#47758 from roczei/SPARK-45590.

Authored-by: Gabor Roczei <roczei@cloudera.com>
Signed-off-by: Kent Yao <yao@apache.org>
(cherry picked from commit c8cf394)
yaooqinn pushed a commit to apache/spark that referenced this pull request Aug 16, 2024
Backport #47758 to 3.5

### What changes were proposed in this pull request?

This PR aims to upgrade `okio` from 1.15.0 to 1.17.6.

### Why are the changes needed?

Okio 1.15.0 is vulnerable due to CVE-2023-3635,  details: https://nvd.nist.gov/vuln/detail/CVE-2023-3635

Previous attempts to fix this security issue:

Update okio to version 1.17.6 #5587: fabric8io/kubernetes-client#5587
Followup to Update okio to version 1.17.6 #5935: fabric8io/kubernetes-client#5935

Unfortunately it is still using 1.15.0:

https://github.com/apache/spark/blob/v4.0.0-preview1/dev/deps/spark-deps-hadoop-3-hive-2.3#L227 https://github.com/apache/spark/blob/v3.5.2/dev/deps/spark-deps-hadoop-3-hive-2.3#L210

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Pass the CIs.

### Was this patch authored or co-authored using generative AI tooling?

No.

Closes #47769 from roczei/roczei/SPARK-45590-branch-3.5.

Authored-by: Gabor Roczei <roczei@cloudera.com>
Signed-off-by: Kent Yao <yao@apache.org>
yaooqinn pushed a commit to apache/spark that referenced this pull request Aug 16, 2024
Backport #47758 to 3.4

### What changes were proposed in this pull request?

This PR aims to upgrade `okio` from 1.15.0 to 1.17.6.

### Why are the changes needed?

Okio 1.15.0 is vulnerable due to CVE-2023-3635,  details: https://nvd.nist.gov/vuln/detail/CVE-2023-3635

Previous attempts to fix this security issue:

Update okio to version 1.17.6 #5587: fabric8io/kubernetes-client#5587
Followup to Update okio to version 1.17.6 #5935: fabric8io/kubernetes-client#5935

Unfortunately it is still using 1.15.0:

https://github.com/apache/spark/blob/v4.0.0-preview1/dev/deps/spark-deps-hadoop-3-hive-2.3#L227 https://github.com/apache/spark/blob/v3.5.2/dev/deps/spark-deps-hadoop-3-hive-2.3#L210

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Pass the CIs.

### Was this patch authored or co-authored using generative AI tooling?

No.

Closes #47770 from roczei/SPARK-45590-branch-3.4.

Authored-by: Gabor Roczei <roczei@cloudera.com>
Signed-off-by: Kent Yao <yao@apache.org>
IvanK-db pushed a commit to IvanK-db/spark that referenced this pull request Sep 20, 2024
### What changes were proposed in this pull request?

This PR aims to upgrade `okio` from 1.15.0 to 1.17.6.

### Why are the changes needed?

Okio 1.15.0 is vulnerable due to CVE-2023-3635,  details: https://nvd.nist.gov/vuln/detail/CVE-2023-3635

Previous attempts to fix this security issue:

Update okio to version 1.17.6 apache#5587: fabric8io/kubernetes-client#5587
Followup to Update okio to version 1.17.6 apache#5935: fabric8io/kubernetes-client#5935

Unfortunately it is still using 1.15.0:

https://github.com/apache/spark/blob/v4.0.0-preview1/dev/deps/spark-deps-hadoop-3-hive-2.3#L227
https://github.com/apache/spark/blob/v3.5.2/dev/deps/spark-deps-hadoop-3-hive-2.3#L210

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Pass the CIs.

### Was this patch authored or co-authored using generative AI tooling?

No.

Closes apache#47758 from roczei/SPARK-45590.

Authored-by: Gabor Roczei <roczei@cloudera.com>
Signed-off-by: Kent Yao <yao@apache.org>
szehon-ho pushed a commit to szehon-ho/spark that referenced this pull request Sep 24, 2024
Backport apache#47758 to 3.4

This PR aims to upgrade `okio` from 1.15.0 to 1.17.6.

Okio 1.15.0 is vulnerable due to CVE-2023-3635,  details: https://nvd.nist.gov/vuln/detail/CVE-2023-3635

Previous attempts to fix this security issue:

Update okio to version 1.17.6 apache#5587: fabric8io/kubernetes-client#5587
Followup to Update okio to version 1.17.6 apache#5935: fabric8io/kubernetes-client#5935

Unfortunately it is still using 1.15.0:

https://github.com/apache/spark/blob/v4.0.0-preview1/dev/deps/spark-deps-hadoop-3-hive-2.3#L227 https://github.com/apache/spark/blob/v3.5.2/dev/deps/spark-deps-hadoop-3-hive-2.3#L210

No.

Pass the CIs.

No.

Closes apache#47770 from roczei/SPARK-45590-branch-3.4.

Authored-by: Gabor Roczei <roczei@cloudera.com>
Signed-off-by: Kent Yao <yao@apache.org>
attilapiros pushed a commit to attilapiros/spark that referenced this pull request Oct 4, 2024
### What changes were proposed in this pull request?

This PR aims to upgrade `okio` from 1.15.0 to 1.17.6.

### Why are the changes needed?

Okio 1.15.0 is vulnerable due to CVE-2023-3635,  details: https://nvd.nist.gov/vuln/detail/CVE-2023-3635

Previous attempts to fix this security issue:

Update okio to version 1.17.6 apache#5587: fabric8io/kubernetes-client#5587
Followup to Update okio to version 1.17.6 apache#5935: fabric8io/kubernetes-client#5935

Unfortunately it is still using 1.15.0:

https://github.com/apache/spark/blob/v4.0.0-preview1/dev/deps/spark-deps-hadoop-3-hive-2.3#L227
https://github.com/apache/spark/blob/v3.5.2/dev/deps/spark-deps-hadoop-3-hive-2.3#L210

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Pass the CIs.

### Was this patch authored or co-authored using generative AI tooling?

No.

Closes apache#47758 from roczei/SPARK-45590.

Authored-by: Gabor Roczei <roczei@cloudera.com>
Signed-off-by: Kent Yao <yao@apache.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants