[ 
https://issues.apache.org/jira/browse/HADOOP-18832?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17751209#comment-17751209
 ] 

ASF GitHub Bot commented on HADOOP-18832:
-----------------------------------------

virajjasani commented on PR #5908:
URL: https://github.com/apache/hadoop/pull/5908#issuecomment-1666112780

   > [ ] run the CLI tests on a full build
   
   done
   
   > [ ] looked in all the logs of the test runs for new messages
   
   no surprises so far, scanned logs for many of the long running scale tests
   
   > [ ] reviewed the dependencies of the bundle to see if something else is now referenced which we need to exclude?
   
   this was pending until now, we are good w.r.t dependencies from the bundle, no need to exclude anything other than `io.netty:*` that is already done
   
   ```
   com.amazonaws:aws-java-sdk-bundle:jar:1.12.499
   \- com.amazonaws:aws-java-sdk:jar:1.12.499:compile
      +- com.amazonaws:aws-java-sdk-appfabric:jar:1.12.499:compile
      |  \- com.amazonaws:jmespath-java:jar:1.12.499:compile
      +- com.amazonaws:aws-java-sdk-verifiedpermissions:jar:1.12.499:compile
      +- com.amazonaws:aws-java-sdk-codegurusecurity:jar:1.12.499:compile
   ...
   ...
   ...
      +- com.amazonaws:aws-java-sdk-iotjobsdataplane:jar:1.12.499:compile
      +- com.amazonaws:aws-java-sdk-sagemakerruntime:jar:1.12.499:compile
      +- com.amazonaws:aws-java-sdk-kinesisvideo:jar:1.12.499:compile
      |  +- io.netty:netty-codec-http:jar:4.1.94.Final:compile
      |  |  +- io.netty:netty-common:jar:4.1.94.Final:compile
      |  |  +- io.netty:netty-buffer:jar:4.1.94.Final:compile
      |  |  +- io.netty:netty-transport:jar:4.1.94.Final:compile
      |  |  \- io.netty:netty-codec:jar:4.1.94.Final:compile
      |  \- io.netty:netty-handler:jar:4.1.94.Final:compile
      |     +- io.netty:netty-resolver:jar:4.1.94.Final:compile
      |     \- io.netty:netty-transport-native-unix-common:jar:4.1.94.Final:compile
      +- com.amazonaws:aws-java-sdk-appsync:jar:1.12.499:compile
      +- com.amazonaws:aws-java-sdk-guardduty:jar:1.12.499:compile
   ...
   ...
   ...
      +- com.amazonaws:aws-java-sdk-workdocs:jar:1.12.499:compile
      +- com.amazonaws:aws-java-sdk-core:jar:1.12.499:compile
      |  +- commons-logging:commons-logging:jar:1.1.3:compile
      |  +- commons-codec:commons-codec:jar:1.15:compile
      |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
      |  |  \- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
      |  +- software.amazon.ion:ion-java:jar:1.0.2:compile
      |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.7.1:compile
      |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.7:compile
      |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.12.7:compile
      |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.12.6:compile
      |  \- joda-time:joda-time:jar:2.8.1:compile
      +- com.amazonaws:aws-java-sdk-models:jar:1.12.499:compile
      \- com.amazonaws:aws-java-sdk-swf-libraries:jar:1.11.22:compile
   
   ```
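The review step above scans the bundle's dependency tree by eye for a netty version below the safe one. As an added example that is not part of the PR or the Hadoop code base, the script below automates that check: it parses `mvn dependency:tree` style output and flags any `io.netty` artifact older than the floor the issue names. The sample tree is constructed for this example; `org.example:legacy-lib` and the `4.1.77.Final` line are invented so the check has something to flag and do not appear in the real bundle.

```python
import re
from dataclasses import dataclass
from typing import List

# Minimum netty release the issue treats as safe for CVE-2023-34462.
SAFE_NETTY = "4.1.94.Final"

# Constructed sample in the shape of `mvn dependency:tree` output.
# `org.example:legacy-lib` and its netty 4.1.77.Final child are invented
# for illustration; they are not in the real aws-java-sdk-bundle tree.
SAMPLE_TREE = r"""
com.amazonaws:aws-java-sdk-bundle:jar:1.12.499
\- com.amazonaws:aws-java-sdk:jar:1.12.499:compile
   +- com.amazonaws:aws-java-sdk-kinesisvideo:jar:1.12.499:compile
   |  +- io.netty:netty-codec-http:jar:4.1.94.Final:compile
   |  \- io.netty:netty-handler:jar:4.1.94.Final:compile
   +- org.example:legacy-lib:jar:0.1.0:compile
   |  \- io.netty:netty-codec-http:jar:4.1.77.Final:compile
   \- com.amazonaws:aws-java-sdk-core:jar:1.12.499:compile
"""


@dataclass(frozen=True)
class Artifact:
    group: str
    artifact: str
    version: str
    scope: str


def _version_key(version: str) -> tuple:
    """Numeric components of a Maven version: '4.1.94.Final' -> (4, 1, 94)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_tree(text: str) -> List[Artifact]:
    """Parse dependency:tree text into Artifact records.

    Handles the three coordinate shapes Maven prints:
    root           group:artifact:type:version
    dependency     group:artifact:type:version:scope
    with classifier group:artifact:type:classifier:version:scope
    """
    found = []
    for raw in text.splitlines():
        # Strip the tree drawing prefix (+-, \-, |) and surrounding spaces.
        line = raw.strip().lstrip("+\\-| ").strip()
        if not line or ":" not in line:
            continue
        parts = line.split(":")
        if len(parts) == 4:
            group, artifact, version, scope = parts[0], parts[1], parts[3], "root"
        elif len(parts) == 5:
            group, artifact, version, scope = parts[0], parts[1], parts[3], parts[4]
        elif len(parts) == 6:
            group, artifact, version, scope = parts[0], parts[1], parts[4], parts[5]
        else:
            continue
        found.append(Artifact(group, artifact, version, scope))
    return found


def find_old_netty(text: str, minimum: str = SAFE_NETTY) -> List[Artifact]:
    """Return every io.netty artifact whose version is below `minimum`."""
    floor = _version_key(minimum)
    return [
        a for a in parse_tree(text)
        if a.group == "io.netty" and _version_key(a.version) < floor
    ]


if __name__ == "__main__":
    hits = find_old_netty(SAMPLE_TREE)
    if not hits:
        print("no netty artifact below", SAFE_NETTY)
    for a in hits:
        print(f"FLAG {a.group}:{a.artifact}:{a.version} ({a.scope}) < {SAFE_NETTY}")
```

Run it against the real output of `mvn dependency:tree` on hadoop-aws to get the same answer the manual scan gave. Note that a dependency tree only reflects declared coordinates; classes shaded into a bundle jar do not show up in it, so a shaded netty would need a separate check of the jar contents.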




> Upgrade aws-java-sdk to 1.12.499+
> ---------------------------------
>
>                 Key: HADOOP-18832
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18832
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>            Reporter: Viraj Jasani
>            Assignee: Viraj Jasani
>            Priority: Major
>              Labels: pull-request-available
>
> aws sdk versions < 1.12.499 use a vulnerable version of netty and hence 
> show up in security CVE scans (CVE-2023-34462). The safe version for netty 
> is 4.1.94.Final and this is used by aws-java-sdk:1.12.499+



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
