[Security] Upgrade OkHttp3 to address CVE-2021-0341 #13065
Conversation
* Upgrade OkHttp3 from 3.14.9 to 4.9.3
* Upgrade Okio to the same version of OkHttp3 4.9.3
* Override Okio transitive dependency - Kotlin stdlib - to 1.4.32 in order to address CVE-2020-29582
```xml
<!-- keep using okhttp3 3.x for Presto -->
<okhttp3.version>3.14.9</okhttp3.version>
<!-- use okio version that matches the okhttp3 version -->
<okio.version>1.17.2</okio.version>
```
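Review bot: the comment `<!-- keep using okhttp3 3.x for Presto -->` pins presto-sql to 3.14.9, the very version the PR description says carries CVE-2021-0341, without saying why this module is exempt; record the reason given in the thread (this pom moves to the presto repository under PIP-62) in the comment itself, so the exception is traceable and gets revisited when the module moves.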
Why is a different version of okio used in this pom from the main pom?
This is the pom of presto-sql, which is going to be moved to the presto repository (see PIP-62).
I don't want to introduce potential problems here, so I left the current version for okhttp3 and okio (for okio: I forced the same one used by okhttp3).
* Upgrade OkHttp3 from 3.14.9 to 4.9.3
* Upgrade Okio to the same version of OkHttp3 4.9.3
* Override Okio transitive dependency - Kotlin stdlib - to 1.4.32 in order to address CVE-2020-29582

(cherry picked from commit d24faac)
Motivation
Current OkHttp3 version - 3.14.9 - has an open CVE (https://nvd.nist.gov/vuln/detail/CVE-2021-0341) with a score of 7.5.
OkHttp3 is used by the Java Kubernetes Client (currently only used by the Pulsar Function Worker in "kubernetes" mode).
I upgraded to the latest stable release (4.9.3), where a fix for the CVE has been committed. The OkHttp3 team claims that 3.x and 4.x are fully compatible (at least the Java library).
Upgrading OkHttp3 and Okio brings in a new transitive dependency - the Kotlin Standard Lib (licensed under Apache 2.0).
Unfortunately, the `kotlin-stdlib` version used by Okio and OkHttp3 has, in turn, an open CVE (https://nvd.nist.gov/vuln/detail/CVE-2020-29582); in order not to introduce another vulnerability, I've overridden the version with the latest stable one (1.4.32).

Modifications
Verifying this change

The change must be verified by deploying and testing a Pulsar Function with `runtime` set to `kubernetes`. (I already performed this kind of test.)

Does this pull request potentially affect one of the following parts:

If `yes` was chosen, please highlight the changes

Documentation

no-need-doc
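As an added example (not Pulsar's code) that ties the description's two pins together: a small audit over a pom's `<properties>` and `<dependencyManagement>` that flags an `okhttp3.version` still below 4.9.3 and, once on the 4.x line, checks that the transitive `kotlin-stdlib` it pulls in is pinned to at least 1.4.32. The sample poms are constructed for the example and the property name `kotlin.version` is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not Pulsar's code. The fixed versions are the ones the PR names;
# the property name "kotlin.version" is an assumption.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}
OKHTTP_FIXED = "4.9.3"   # CVE-2021-0341 fixed here, per the PR
KOTLIN_FIXED = "1.4.32"  # CVE-2020-29582 in kotlin-stdlib fixed here, per the PR

# Constructed sample poms: one pinned the way the PR does it, one still on 3.x.
UPGRADED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><okhttp3.version>4.9.3</okhttp3.version><kotlin.version>1.4.32</kotlin.version></properties>
  <dependencyManagement><dependencies><dependency>
    <groupId>org.jetbrains.kotlin</groupId><artifactId>kotlin-stdlib</artifactId>
    <version>${kotlin.version}</version>
  </dependency></dependencies></dependencyManagement>
</project>"""
OLD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><okhttp3.version>3.14.9</okhttp3.version></properties></project>"""

def parse_version(text):
    """'3.14.9' -> (3, 14, 9); a suffix such as -SNAPSHOT is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def read_pom(pom_xml):
    """Return (properties, managed): managed maps artifactId to its version with ${prop} expanded."""
    root = ET.fromstring(pom_xml)
    props = {el.tag.split("}")[1]: (el.text or "").strip()
             for el in root.findall("m:properties/*", NS)}
    def expand(s):
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), s)
    managed = {dep.findtext("m:artifactId", "", NS): expand(dep.findtext("m:version", "", NS))
               for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS)}
    return props, managed

def audit(pom_xml):
    """Return a list of findings; an empty list means the pom passes both checks."""
    props, managed = read_pom(pom_xml)
    okhttp = props.get("okhttp3.version")
    if okhttp is None:
        return []
    if parse_version(okhttp) < parse_version(OKHTTP_FIXED):
        return [f"okhttp3.version {okhttp} is below {OKHTTP_FIXED} (CVE-2021-0341)"]
    # OkHttp 4.x pulls in kotlin-stdlib transitively, so the pom must pin it explicitly.
    kotlin = managed.get("kotlin-stdlib")
    if kotlin is None:
        return ["okhttp3 4.x present but kotlin-stdlib is not in dependencyManagement"]
    if parse_version(kotlin) < parse_version(KOTLIN_FIXED):
        return [f"kotlin-stdlib {kotlin} is below {KOTLIN_FIXED} (CVE-2020-29582)"]
    return []
```

Run `audit()` over both the root pom and the presto-sql pom; the latter is expected to report the 3.14.9 finding as long as its exception stands.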