From 287a19b8fb919fbdee61e5fe76284c637cda0c35 Mon Sep 17 00:00:00 2001 From: Gabor Roczei Date: Thu, 15 Aug 2024 13:28:18 +0800 Subject: [PATCH] [SPARK-45590][BUILD][3.4] Upgrade okio to 1.17.6 from 1.15.0 Backport #47758 to 3.4 This PR aims to upgrade `okio` from 1.15.0 to 1.17.6. Okio 1.15.0 is vulnerable due to CVE-2023-3635, details: https://nvd.nist.gov/vuln/detail/CVE-2023-3635 Previous attempts to fix this security issue: Update okio to version 1.17.6 #5587: https://github.com/fabric8io/kubernetes-client/pull/5587 Followup to Update okio to version 1.17.6 #5935: https://github.com/fabric8io/kubernetes-client/pull/5935 Unfortunately it is still using 1.15.0: https://github.com/apache/spark/blob/v4.0.0-preview1/dev/deps/spark-deps-hadoop-3-hive-2.3#L227 https://github.com/apache/spark/blob/v3.5.2/dev/deps/spark-deps-hadoop-3-hive-2.3#L210 No. Pass the CIs. No. Closes #47758 from roczei/SPARK-45590. Authored-by: Gabor Roczei Signed-off-by: Kent Yao (cherry picked from commit c8cf3947a09fb47608a34a9c1f8c2802e6c15499) --- dev/deps/spark-deps-hadoop-2-hive-2.3 | 2 +- dev/deps/spark-deps-hadoop-3-hive-2.3 | 2 +- pom.xml | 6 ++++++ 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/dev/deps/spark-deps-hadoop-2-hive-2.3 b/dev/deps/spark-deps-hadoop-2-hive-2.3 index 2875ee9d1191..1df44c045336 100644 --- a/dev/deps/spark-deps-hadoop-2-hive-2.3 +++ b/dev/deps/spark-deps-hadoop-2-hive-2.3 @@ -220,7 +220,7 @@ netty-transport-native-unix-common/4.1.87.Final//netty-transport-native-unix-com netty-transport/4.1.87.Final//netty-transport-4.1.87.Final.jar objenesis/3.2//objenesis-3.2.jar okhttp/3.12.12//okhttp-3.12.12.jar -okio/1.15.0//okio-1.15.0.jar +okio/1.17.6//okio-1.17.6.jar opencsv/2.3//opencsv-2.3.jar orc-core/1.8.7/shaded-protobuf/orc-core-1.8.7-shaded-protobuf.jar orc-mapreduce/1.8.7/shaded-protobuf/orc-mapreduce-1.8.7-shaded-protobuf.jar 
diff --git a/dev/deps/spark-deps-hadoop-3-hive-2.3 b/dev/deps/spark-deps-hadoop-3-hive-2.3 index ddabb0720c37..f0785806d564 100644 --- a/dev/deps/spark-deps-hadoop-3-hive-2.3 +++ b/dev/deps/spark-deps-hadoop-3-hive-2.3 @@ -204,7 +204,7 @@ netty-transport-native-unix-common/4.1.87.Final//netty-transport-native-unix-com netty-transport/4.1.87.Final//netty-transport-4.1.87.Final.jar objenesis/3.2//objenesis-3.2.jar okhttp/3.12.12//okhttp-3.12.12.jar -okio/1.15.0//okio-1.15.0.jar +okio/1.17.6//okio-1.17.6.jar opencsv/2.3//opencsv-2.3.jar opentracing-api/0.33.0//opentracing-api-0.33.0.jar opentracing-noop/0.33.0//opentracing-noop-0.33.0.jar diff --git a/pom.xml b/pom.xml index 9c70f29162e8..c552ca54e18e 100644 --- a/pom.xml +++ b/pom.xml @@ -227,6 +227,7 @@ org.fusesource.leveldbjni 6.4.1 + 1.17.6 ${java.home} @@ -2790,6 +2791,11 @@ arpack ${netlib.ludovic.dev.version} + + com.squareup.okio + okio + ${okio.version} +
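Review bot: In the spark-deps-hadoop-2-hive-2.3 hunk the okio line moves to 1.17.6 while the adjacent `okhttp/3.12.12//okhttp-3.12.12.jar` line is unchanged, so this manifest is now the only visible evidence that the transitive okio pulled in by okhttp 3.12.12 has actually been overridden rather than a second copy being added; the PR description should state that the manifest was regenerated (not hand-edited) so the dependency check that compares it against the build stays meaningful, and that okhttp 3.12.12 was exercised against okio 1.17.6 rather than the 1.15.0 it declares itself.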
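Review bot: The spark-deps-hadoop-3-hive-2.3 hunk is the same one-line bump as the hadoop-2 manifest, which is what we want, but it is also the profile the description links to as still shipping 1.15.0 (`spark-deps-hadoop-3-hive-2.3#L210`); since the two manifests are maintained independently, a follow-up that only touches one of them would reintroduce the CVE-2023-3635 version on the other profile, so it is worth noting in the PR that both manifests must be kept in lockstep with the `okio.version` property.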
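Review bot: In the pom.xml hunk the version is pinned only through dependencyManagement (`com.squareup.okio` / `okio` / `${okio.version}`), not as a direct dependency, so the override applies solely where okio arrives transitively and will silently stop applying if a later okhttp or kubernetes-client bump starts pulling okio under a different groupId or artifactId; the properties-block line appears here only as `+ 1.17.6`, so please confirm the element is literally named `okio.version` to match the `${okio.version}` reference, and add an XML comment beside it citing SPARK-45590 / CVE-2023-3635 so the next person to touch the okhttp version does not drop the pin as an unexplained leftover.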