This is an automated email from the ASF dual-hosted git repository.
stevel pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/trunk by this push:
new 896fc596980 HADOOP-19764. Upgrade amazon-s3-encryption-client-java to
4.0.0+ due to Invisible Salamanders (CVE-2025-14763) (#8158)
896fc596980 is described below
commit 896fc596980c8d3a7d7d841a92414fe08514444b
Author: PJ Fanning <[email protected]>
AuthorDate: Mon Jan 5 21:33:11 2026 +0100
HADOOP-19764. Upgrade amazon-s3-encryption-client-java to 4.0.0+ due to
Invisible Salamanders (CVE-2025-14763) (#8158)
This CVE is graded medium (5.3).
It is only an issue if client side S3 encryption (S3-CSE) is used.
Contributed by PJ Fanning.
---
hadoop-project/pom.xml | 2 +-
.../java/org/apache/hadoop/fs/s3a/impl/EncryptionS3ClientFactory.java | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index f43f3a42c14..40891e73cb7 100644
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
@@ -212,7 +212,7 @@
<surefire.fork.timeout>900</surefire.fork.timeout>
<aws-java-sdk.version>1.12.720</aws-java-sdk.version>
<aws-java-sdk-v2.version>2.35.4</aws-java-sdk-v2.version>
-
<amazon-s3-encryption-client-java.version>3.1.1</amazon-s3-encryption-client-java.version>
+
<amazon-s3-encryption-client-java.version>4.0.0</amazon-s3-encryption-client-java.version>
<amazon-s3-analyticsaccelerator-s3.version>1.3.1</amazon-s3-analyticsaccelerator-s3.version>
<aws.eventstream.version>1.0.1</aws.eventstream.version>
<hsqldb.version>2.7.1</hsqldb.version>
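Review bot: the property amazon-s3-encryption-client-java.version moves across a major version (3.1.1 to 4.0.0), yet the diffstat lists only pom.xml and EncryptionS3ClientFactory.java, so nothing in this commit documents the change for S3-CSE users. Suggest adding a note to the S3A encryption documentation or release notes saying that client-side encryption now uses the 4.x client and whether objects written with 3.1.1 remain readable. The subject line says "4.0.0+", so it is also worth stating in the JIRA that 4.0.0 is the minimum fixed version rather than only the version chosen here.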
diff --git
a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/impl/EncryptionS3ClientFactory.java
b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/impl/EncryptionS3ClientFactory.java
index 79c5b075663..3c2756dfb05 100644
---
a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/impl/EncryptionS3ClientFactory.java
+++
b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/impl/EncryptionS3ClientFactory.java
@@ -154,7 +154,7 @@ private S3Client
createS3EncryptionClient(S3ClientCreationParameters parameters)
"S3ClientCreationParameters is not initialized");
S3EncryptionClient.Builder s3EncryptionClientBuilder =
- S3EncryptionClient.builder()
+ S3EncryptionClient.builderV4()
.wrappedAsyncClient(s3AsyncClient)
.wrappedClient(s3Client)
// this is required for doing S3 ranged GET calls
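Review bot: the switch from S3EncryptionClient.builder() to S3EncryptionClient.builderV4() in createS3EncryptionClient carries no comment, so a later cleanup could revert it without knowing it is the CVE-2025-14763 change. Suggest a one-line comment above the call referencing HADOOP-19764, and a test that exercises this factory path, since the commit touches only the two files shown and adds no test.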
@@ -239,7 +239,7 @@ private S3AsyncClient
createS3AsyncEncryptionClient(S3ClientCreationParameters p
"S3ClientCreationParameters is not initialized");
S3AsyncEncryptionClient.Builder s3EncryptionAsyncClientBuilder =
- S3AsyncEncryptionClient.builder()
+ S3AsyncEncryptionClient.builderV4()
.wrappedClient(s3AsyncClient)
// this is required for doing S3 ranged GET calls
.enableLegacyUnauthenticatedModes(true)
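Review bot: in createS3AsyncEncryptionClient the builder still calls .enableLegacyUnauthenticatedModes(true) after the move to builderV4(), and the only justification is the comment "this is required for doing S3 ranged GET calls". For a commit whose purpose is a security upgrade, that comment should state what check the setting relaxes and confirm that the fix for CVE-2025-14763 still holds with it enabled; if ranged GETs no longer need it under 4.0.0, drop the call.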