[ https://issues.apache.org/jira/browse/HADOOP-18350?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17571994#comment-17571994 ]
Steve Loughran edited comment on HADOOP-18350 at 7/27/22 3:19 PM:
------------------------------------------------------------------
> There are CVEs on io.netty dependencies which is again comes through
> aws-java-sdk-bundle.
> So will that be taken care of?
Whatever is in the release is fixed. As these are in shaded jars, the only use
made of these repackaged dependencies is that AWS SDK, which, if you only use
the s3a client, doesn't use jackson databind *or* netty.
was (Author: [email protected]):
> There are CVEs on io.netty dependencies which is again comes through
> aws-java-sdk-bundle.
> So will that be taken care of?
1. We are an open source project who depend on the effort of the community. If
you want things on a timescale which meets your need, it becomes your homework.
2. You can just use the unshaded AWS SDK components if you get your classpath
right, so consider doing that in your deployments.
> Support for hadoop-aws with aws-java-sdk-bundle with version greater than
> 1.12.220
> ----------------------------------------------------------------------------------
>
> Key: HADOOP-18350
> URL: https://issues.apache.org/jira/browse/HADOOP-18350
> Project: Hadoop Common
> Issue Type: Wish
> Components: fs/s3
> Reporter: Bilna
> Priority: Major
>
> There are CVEs like CVE-2021-37137 and many, listed from
> aws-java-sdk-bundle with version 1.11.375 and the fix is available in
> versions higher than 1.12.220. It will be great if we have a hadoop-aws with
> aws-java-sdk-bundle.jar with latest version. Will you be able to provide the
> same? If so may I know approximately when can I expect it?