This is an automated email from the ASF dual-hosted git repository. stevel pushed a commit to branch branch-3.4 in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/branch-3.4 by this push: new 935bc184fa21 HADOOP-19114. Upgrade to commons-compress 1.26.1 due to CVEs. (#6636) 935bc184fa21 is described below commit 935bc184fa21af3d3fde27b07ebac5a031725fc9 Author: PJ Fanning <pjfann...@users.noreply.github.com> AuthorDate: Fri Jun 7 14:15:22 2024 +0100 HADOOP-19114. Upgrade to commons-compress 1.26.1 due to CVEs. (#6636) This addresses two CVEs triggered by malformed archives Important: Denial of Service CVE-2024-25710 Moderate: Denial of Service CVE-2024-26308 Contributed by PJ Fanning
---
 LICENSE-binary | 2 +-
 .../java/org/apache/hadoop/mapred/uploader/FrameworkUploader.java | 4 ++--
 hadoop-project/pom.xml | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/LICENSE-binary b/LICENSE-binary
index 8f73a5def8d9..92d20725b813 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -298,7 +298,7 @@ net.java.dev.jna:jna:5.2.0
 net.minidev:accessors-smart:1.2
 org.apache.avro:avro:1.9.2
 org.apache.commons:commons-collections4:4.2
-org.apache.commons:commons-compress:1.24.0
+org.apache.commons:commons-compress:1.26.1
 org.apache.commons:commons-configuration2:2.10.1
 org.apache.commons:commons-csv:1.9.0
 org.apache.commons:commons-digester:1.8.1
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-uploader/src/main/java/org/apache/hadoop/mapred/uploader/FrameworkUploader.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-uploader/src/main/java/org/apache/hadoop/mapred/uploader/FrameworkUploader.java
index 452078ff8ec0..0408b6c1eacd 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-uploader/src/main/java/org/apache/hadoop/mapred/uploader/FrameworkUploader.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-uploader/src/main/java/org/apache/hadoop/mapred/uploader/FrameworkUploader.java
@@ -22,7 +22,7 @@ import org.apache.hadoop.classification.VisibleForTesting;
 import org.apache.commons.cli.HelpFormatter;
 import org.apache.commons.cli.Option;
 import org.apache.commons.cli.Options;
-import org.apache.commons.compress.archivers.ArchiveEntry;
+import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
 import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.BlockLocation;
@@ -337,7 +337,7 @@ public class FrameworkUploader implements Runnable {
 LOG.info("Adding " + fullPath);
 File file = new File(fullPath);
 try (FileInputStream inputStream = new FileInputStream(file)) {
- ArchiveEntry entry = out.createArchiveEntry(file, file.getName());
+ TarArchiveEntry entry = out.createArchiveEntry(file, file.getName());
 out.putArchiveEntry(entry);
 IOUtils.copyBytes(inputStream, out, 1024 * 1024);
 out.closeArchiveEntry();
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index 889f8c94b47c..f7b13344ea6c 100644
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
@@ -122,7 +122,7 @@
 <commons-cli.version>1.5.0</commons-cli.version>
 <commons-codec.version>1.15</commons-codec.version>
 <commons-collections.version>3.2.2</commons-collections.version>
- <commons-compress.version>1.24.0</commons-compress.version>
+ <commons-compress.version>1.26.1</commons-compress.version>
 <commons-csv.version>1.9.0</commons-csv.version>
 <commons-io.version>2.14.0</commons-io.version>
 <commons-lang3.version>3.12.0</commons-lang3.version>
--------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org
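Review bot: The narrowing of `entry` from `ArchiveEntry` to `TarArchiveEntry` in the second FrameworkUploader.java hunk is not explained in the code, so it reads as part of the CVE remediation when it appears to be only a source-compatibility adaptation to the 1.26.x API (presumably `putArchiveEntry` now expects the stream's own entry type; the declaration of `out` is outside the hunk). The visible lines only write a tar entry and parse no archive input, so the protection against malformed archives rests on the `commons-compress.version` property in hadoop-project/pom.xml rather than on this line. I would add a one-line comment above the declaration, e.g. `// commons-compress 1.26+: entry type must match the tar output stream's entry type`. The enclosing method starts and ends outside the hunk.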