
Update okio to version 1.17.6 #5587

Merged (2 commits, Dec 12, 2023)

Conversation

bjornjorgensen (Contributor) commented Nov 14, 2023

Description

This is a PR to fix CVE-2023-3635.
The patch has been backported to branch 1.x through square/okio#1334.

fix #5485

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • Feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Chore (non-breaking change which doesn't affect codebase; test, version modification, documentation, etc.)

Checklist

  • Code contributed by me aligns with current project license: Apache 2.0
  • I added CHANGELOG entry regarding this change
  • I have implemented unit tests to cover my changes
  • I have added/updated the javadocs and other documentation accordingly
  • No new bugs, code smells, etc. in SonarCloud report
  • I tested my code in Kubernetes
  • I tested my code in OpenShift

sunix (Collaborator) commented Nov 24, 2023

@bjornjorgensen I have rebased your branch, let me know if it's an issue

sonarcloud bot commented Nov 24, 2023

Kudos, SonarCloud Quality Gate passed!

  • Bugs: A (0 Bugs)
  • Vulnerabilities: A (0 Vulnerabilities)
  • Security Hotspots: A (0 Security Hotspots)
  • Code Smells: A (0 Code Smells)
  • Coverage: no coverage information
  • Duplication: 0.0%

warning: The version of Java (11.0.21) you have used to run this analysis is deprecated and we will stop accepting it soon. Please update to at least Java 17.

bjornjorgensen (Contributor, Author) commented

@manusa is this PR ok?

oscerd (Member) commented Dec 12, 2023

LGTM @manusa

manusa (Member) commented Dec 12, 2023

The PR is OK, we can merge it for now.

However, the overall idea is to get rid of the dependency: #5632

@manusa manusa added this to the 6.10.0 milestone Dec 12, 2023
@manusa manusa merged commit 9aacb48 into fabric8io:main Dec 12, 2023
19 of 20 checks passed
@bjornjorgensen bjornjorgensen deleted the oki-1.17.6 branch December 12, 2023 11:07
dongjoon-hyun pushed a commit to apache/spark that referenced this pull request Jan 11, 2024
### What changes were proposed in this pull request?
Upgrade `kubernetes-client` from 6.9.1 to 6.10.0
[Release notes 6.10.0](https://github.com/fabric8io/kubernetes-client/releases/tag/v6.10.0)
[Release notes 6.9.2](https://github.com/fabric8io/kubernetes-client/releases/tag/v6.9.2)

### Why are the changes needed?

[Updated okio to version 1.17.6 to avoid CVE-2023-3635](fabric8io/kubernetes-client#5587)
[Upgrade Kubernetes Model to Kubernetes v1.29.0](fabric8io/kubernetes-client#5686)

### Does this PR introduce _any_ user-facing change?
No.

### How was this patch tested?
Pass GA

### Was this patch authored or co-authored using generative AI tooling?
No.

Closes #44672 from bjornjorgensen/kubclient6.10.

Authored-by: Bjørn Jørgensen <bjornjorgensen@gmail.com>
Signed-off-by: Dongjoon Hyun <dhyun@apple.com>
bjornjorgensen (Contributor, Author) commented

Hi, we are checking Apache Spark now hoping to have a new version 4.0.
According to SNYK, this PR didn't help that much.

okhttp-3.12.12 does load okio 1.15.0: https://github.com/square/okhttp/blob/05e4ceef3f2aa117b42fa2db3fc79d58c53b7704/pom.xml#L59

Even okhttp 3.14.9 (https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp/3.14.9) has this CVE.

@swankjesse any plans to update okhttp version 3.12.X?

@dongjoon-hyun FYI

rohanKanojia (Member) commented Apr 22, 2024

@bjornjorgensen: KubernetesClient offers alternatives for switching the underlying HTTP client. You can exclude the io.fabric8:kubernetes-httpclient-okhttp dependency and use io.fabric8:kubernetes-httpclient-jdk, io.fabric8:kubernetes-httpclient-vertx or io.fabric8:kubernetes-httpclient-jetty.

For more information, please see https://github.com/fabric8io/kubernetes-client/blob/main/doc/MIGRATION-v6.md#apiimpl-split
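As an added example (not part of this thread and not a file from the fabric8 project), here is a Maven `pom.xml` fragment that applies the suggestion above: it excludes the OkHttp-backed HTTP client from `kubernetes-client`, which also drops the transitive `okhttp`/`okio` artifacts the SNYK finding points at, and adds the JDK-backed client in its place. The version `6.10.0` is taken from the milestone mentioned in this thread; the property name and the surrounding project coordinates are assumptions.

```xml
<project>
  <properties>
    <!-- assumed: 6.10.0 is the milestone this PR was merged into -->
    <kubernetes-client.version>6.10.0</kubernetes-client.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>io.fabric8</groupId>
      <artifactId>kubernetes-client</artifactId>
      <version>${kubernetes-client.version}</version>
      <exclusions>
        <!-- remove the OkHttp-backed client; okhttp and okio leave with it -->
        <exclusion>
          <groupId>io.fabric8</groupId>
          <artifactId>kubernetes-httpclient-okhttp</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- exactly one replacement implementation must be on the classpath;
         the JDK-backed one adds no further third-party HTTP stack -->
    <dependency>
      <groupId>io.fabric8</groupId>
      <artifactId>kubernetes-httpclient-jdk</artifactId>
      <version>${kubernetes-client.version}</version>
    </dependency>
  </dependencies>
</project>
```

After changing the pom, `mvn dependency:tree -Dincludes=com.squareup.okio,com.squareup.okhttp3` should list no okio or okhttp artifacts under `kubernetes-client`. If other dependencies in the build still pull in an old okio, the scanner finding persists regardless of the version this PR pinned, so the tree output is the check worth keeping in CI.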

Development

Successfully merging this pull request may close these issues: Upgrade okio-jvm dependency