[ https://issues.apache.org/jira/browse/HADOOP-19764?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18048732#comment-18048732 ]

ASF GitHub Bot commented on HADOOP-19764:
-----------------------------------------

steveloughran commented on PR #8158:
URL: https://github.com/apache/hadoop/pull/8158#issuecomment-3705304469

   This updates the aws sdk. Is that needed? If so, -1 to the patch as is.

   Upgrading an aws sdk is a nightmare which usually takes 4+ weeks: automated and manual regression testing with multiple s3 endpoints (s3, s3 express, third party) and as many options in the test matrix as possible (vpce, fips, encryption), then deciding how to react to the regressions which surface. Which do surface, almost always. SDK upgrades cost me about 8 weeks last year. No rush to repeat.

   https://github.com/steveloughran/engineering-proposals/blob/trunk/qualifying-an-SDK-upgrade.md




> upgrade amazon-s3-encryption-client-java to 4.0.0+ due to Invisible Salamanders (CVE-2025-14763)
> ------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-19764
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19764
>             Project: Hadoop Common
>          Issue Type: Task
>            Reporter: PJ Fanning
>            Priority: Major
>              Labels: pull-request-available
>
> https://github.com/apache/hadoop/blob/trunk/hadoop-project/pom.xml#L214
> https://github.com/advisories/GHSA-x44p-gvrj-pj2r
> Note: this CVE only becomes possible when the encrypted data key (EDK) is stored in an "Instruction File" instead of S3's metadata record *and* the attacker has write access to the bucket.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)