[
https://issues.apache.org/jira/browse/HADOOP-19761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18048297#comment-18048297
]
ASF GitHub Bot commented on HADOOP-19761:
-----------------------------------------
cnauroth opened a new pull request, #8150:
URL: https://github.com/apache/hadoop/pull/8150
### Description of PR
After submission of #8146, I started seeing builds fail with this
dependency convergence error:
```
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.5.0:enforce (depcheck) on project hadoop-yarn-applications-catalog-webapp:
[ERROR] Rule 0: org.apache.maven.enforcer.rules.dependency.DependencyConvergence failed with message:
[ERROR] Failed while enforcing releasability.
[ERROR]
[ERROR] Dependency convergence error for org.eclipse.jetty:jetty-alpn-java-client:jar:9.4.58.v20250814 paths to dependency are:
[ERROR]
[ERROR] +-org.apache.hadoop:hadoop-yarn-applications-catalog-webapp:war:3.5.0-SNAPSHOT
[ERROR]   +-org.eclipse.jetty.http2:http2-http-client-transport:jar:9.4.58.v20250814:compile
[ERROR]     +-org.eclipse.jetty:jetty-alpn-java-client:jar:9.4.58.v20250814:compile
[ERROR] and
[ERROR] +-org.apache.hadoop:hadoop-yarn-applications-catalog-webapp:war:3.5.0-SNAPSHOT
[ERROR]   +-org.apache.solr:solr-solrj:jar:8.11.2:compile
[ERROR]     +-org.eclipse.jetty:jetty-alpn-java-client:jar:9.4.44.v20210927:compile
[ERROR] -> [Help 1]
```
I think we additionally need to exclude the jetty-alpn-java-client
transitive dependency coming in through Solr.
### How was this patch tested?
```
mvn clean verify -DskipTests
```
Verified the build completed successfully with no dependency convergence
errors.
### For code changes:
- [X] Does the title of this PR start with the corresponding JIRA issue id
(e.g. 'HADOOP-17799. Your PR title ...')?
- [ ] Object storage: have the integration tests been executed and the
endpoint declared according to the connector-specific documentation?
- [ ] If adding new dependencies to the code, are these dependencies
licensed in a way that is compatible for inclusion under [ASF
2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the `LICENSE`, `LICENSE-binary`,
`NOTICE-binary` files?
> Upgrade jetty and http2-common to 9.4.58.v20250814 due to CVE-2025-5115
> -----------------------------------------------------------------------
>
> Key: HADOOP-19761
> URL: https://issues.apache.org/jira/browse/HADOOP-19761
> Project: Hadoop Common
> Issue Type: Improvement
> Components: build, yarn
> Affects Versions: 3.5.0
> Reporter: fuchaohong
> Assignee: fuchaohong
> Priority: Minor
> Labels: pull-request-available
> Fix For: 3.5.0
>
>
> Upgrade *http2-common* to version *9.4.58.v20250814* to address
> *CVE-2025-5115*, and upgrade *Jetty* to the same version simultaneously.
> CVE announcement: https://www.eclipse.org/lists/jetty-users/msg10928.html
> For people worrying about this PR: it affects HTTP/2 *only*.
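A Maven exclusion of the kind the PR description calls for, written here as an added example and not taken from the actual apache/hadoop#8150 diff: the solr-solrj dependency of the hadoop-yarn-applications-catalog-webapp module declares an `<exclusion>` for org.eclipse.jetty:jetty-alpn-java-client, so that the only copy left in the dependency graph is the 9.4.58.v20250814 one reached through http2-http-client-transport. The coordinates and versions come from the enforcer output quoted in the PR; whether the real pom already carries other exclusions on solr-solrj, or takes the Jetty version from a property in the parent pom, is not shown on this page and is assumed.

```xml
<!-- Added example, not the diff from apache/hadoop#8150. Fragment of the
     hadoop-yarn-applications-catalog-webapp pom.xml; coordinates are taken from
     the DependencyConvergence output. Other exclusions that the real solr-solrj
     dependency may already declare are not shown here (assumption). -->
<dependencies>
  <!-- The Jetty HTTP/2 client that the module uses directly. Versions are
       written literally here; a multi-module build would normally take them
       from a shared property in the parent pom. -->
  <dependency>
    <groupId>org.eclipse.jetty.http2</groupId>
    <artifactId>http2-http-client-transport</artifactId>
    <version>9.4.58.v20250814</version>
  </dependency>

  <dependency>
    <groupId>org.apache.solr</groupId>
    <artifactId>solr-solrj</artifactId>
    <version>8.11.2</version>
    <exclusions>
      <!-- solr-solrj 8.11.2 transitively brings jetty-alpn-java-client
           9.4.44.v20210927. Both paths reach that artifact at the same depth,
           so without the exclusion the copy Maven puts on the classpath
           depends on declaration order, and the DependencyConvergence rule
           reports two versions regardless of which one wins. -->
      <exclusion>
        <groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-alpn-java-client</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>
```

To confirm the exclusion took effect, run `mvn dependency:tree -Dincludes=org.eclipse.jetty:jetty-alpn-java-client` from the module directory; the tree should show exactly one node for that artifact, at 9.4.58.v20250814, and `mvn clean verify -DskipTests` should pass the enforcer's depcheck execution as the PR reports. Two caveats worth keeping in mind: the DependencyConvergence rule only checks that a single version is selected, not that the selected version is the patched one, so the security value here comes from the 9.4.58.v20250814 copy being the survivor; and excluding solrj's own ALPN client is safe only because it is replaced by another 9.4.x build of the same artifact that solrj's HTTP/2 code will load instead.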
--
This message was sent by Atlassian Jira
(v8.20.10#820010)