[
https://issues.apache.org/jira/browse/HADOOP-18317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Olson resolved HADOOP-18317.
-----------------------------------
Assignee: Andrew Olson
Resolution: Done
> Clarify in which branch CVE-2022-26612 is fixed
> -----------------------------------------------
>
> Key: HADOOP-18317
> URL: https://issues.apache.org/jira/browse/HADOOP-18317
> Project: Hadoop Common
> Issue Type: Task
> Components: common
> Reporter: Alex Dettinger
> Assignee: Andrew Olson
> Priority: Major
>
> According to HADOOP-18198, CVE-2022-26612 has been fixed in version 3.3.3.
> The underlying ticket where the fix occured is HADOOP-18155. This ticket has
> fix version including 2.10.2.
> On top of that, it's clear to me that CVE-2022-26612 is fixed in
> hadoop-common:2.10.2.
> Howerver, it is still reported as an issue in different places:
> * [https://github.com/advisories/GHSA-gx2c-fvhc-ph4j]
> * [https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-common/2.10.2]
> It may just be a false positive in a CVE database, still I prefer to
> double-check with the hadoop community.
> So, could you please state here whether CVE-2022-26612 is really fixed in
> below version of hadoop-common ?
> * >= 2.10.2
> * >= 3.2.3
> * >= 3.3.3
> * >= 3.4.0
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-dev-h...@hadoop.apache.org
