[https://issues.apache.org/jira/browse/HADOOP-18393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17577381#comment-17577381]
Steve Loughran commented on HADOOP-18393:
-----------------------------------------
All the hadoop CVEs are fixed. Given that we do not announce CVEs until we
have issued an updated set of artefacts for all branches which are kept
up to date with security fixes, as far as we can manage (2.10.x, 3.2.x, 3.3.x),
you can assume that whenever you see a Hadoop CVE it means "you should upgrade to
the latest release on that branch, or, even better, to the latest branch we are
shipping."
As for the other issues, as all our updates are done in public, you can look
through the commit log and JIRA to see the status of those.
I am 100% confident there are other transient dependencies which have issues.
One fundamental problem here is that upgrading some libraries produces a
release which is incompatible at the binary level with many shipping
applications. As a result, they won't upgrade. Which would make it impossible
to get an upgrade fixing our own CVEs into those projects.
See https://steveloughran.blogspot.com/2022/08/transitive-issues.html for my
thoughts on this.
One dependency which is tractable but for which we need engineering support is
an upgrade of our shaded protobuf library,
https://issues.apache.org/jira/browse/HADOOP-18197
If someone can provide a fix for this which works by the end of the month then
we can get it into the next 3.3.5 release. Are you able and willing to
contribute this? Or at least get involved in testing?
Otherwise, we really need JavaScript experts to help us with keeping the YARN
UI up-to-date.
Either way, we and all other open source projects depend on the contributions
from the broader community, including people such as yourself. Anything you
can do here would be very welcome.
Closing as DUPLICATE.
> Hadoop 3.3.2 have CVE coming from dependencies
> ----------------------------------------------
>
> Key: HADOOP-18393
> URL: https://issues.apache.org/jira/browse/HADOOP-18393
> Project: Hadoop Common
> Issue Type: Improvement
> Components: build
> Affects Versions: 3.3.2
> Reporter: suman agrawal
> Priority: Major
>
> Hi Team,
>
> Hadoop version 3.3.1, which is compatible with our application, has
> vulnerabilities:
> Is there any plan to fix this?
> CVE-2021-37404 hadoop versions < 3.3.2 Apache Hadoop potential heap buffer
> overflow in libhdfs.
> CVE-2020-10650 jackson < 2.9.10.4
> CVE-2021-33036 hadoop < 3.3.2
> CVE-2022-31159 aws xfer manager download < 1.12.262
--
This message was sent by Atlassian Jira
(v8.20.10#820010)