Shahnoor Alam created HADOOP-19915:
--------------------------------------
Summary: Update libthrift & jetty dependencies for CVEs
Key: HADOOP-19915
URL: https://issues.apache.org/jira/browse/HADOOP-19915
Project: Hadoop Common
Issue Type: Bug
Reporter: Shahnoor Alam
Hello Hadoop Community,
We are actively adopting the new Hadoop 3.5.0 release line for our client
runtimes. However, our enterprise security scanners are surfacing several flags
regarding older third-party versions shaded within
{{hadoop-client-runtime-3.5.0.jar}}.
For completeness and to help track these against any upcoming JIRAs, here is
the full list of specific vulnerabilities being flagged:
* *Jetty 9.4.58.v20250814* (Addressed upstream in Jetty 9.4.61+)
** CVE-2026-5795
** CVE-2026-2332
* *Libthrift 0.22.0* (Addressed upstream in Libthrift 0.23.0)
** CVE-2025-48431
** CVE-2026-41602
** CVE-2026-41603
** CVE-2026-41604
** CVE-2026-41605
** CVE-2026-41606
** CVE-2026-41607
** CVE-2026-43869
** CVE-2026-43870
Since the upstream fixes for these CVEs were released shortly after Hadoop
3.5.0 was finalized, we understand why they missed the cycle. We wanted to
share this comprehensive list of IDs to ensure they are fully captured for the
planning of the next maintenance release.
Could you please share if there is an active JIRA tracking these dependency
bumps, or an estimated timeline/target date for the Hadoop 3.5.1 maintenance
release?
Thank you again for your hard work on the 3.5.0 release, and we appreciate your
time and assistance!
--
This message was sent by Atlassian Jira
(v8.20.10#820010)