[ https://issues.apache.org/jira/browse/HADOOP-19915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18090713#comment-18090713 ]

Steve Loughran commented on HADOOP-19915:
-----------------------------------------

[~shahnoor] I'd recommend you do a local release build and look at the SBOM 
generated to see what you will get; this is very much community work.

As for release timelines, get on the developer channel and start discussing 
what is needed to get it out the door with all the updates in. As well as the 
update PRs, we need as much pre-release testing as we can get, especially in 
different environments. This is where your help is invaluable.

Simply listing CVEs found by your scanner isn't going to work, as it is pushing 
the homework of identifying which transient dependency has the CVE onto other 
people. Sorry.
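The "homework" described above, as an added example that is not part of this thread or of Hadoop's own tooling: read a CycloneDX-style SBOM (such as a local release build would emit) and map each scanner CVE to the shaded component that carries it, using the package/fixed-version pairs stated in the issue. The SBOM excerpt and the `affected_components` helper are constructed for illustration; the Maven group ids for Jetty and Thrift are assumed.

```python
"""Map scanner CVEs back to the shaded dependency that carries them.
Added example: the SBOM below is constructed, not a real Hadoop SBOM."""
import json
import re

# Constructed CycloneDX-style SBOM excerpt (components as name/version/purl).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "jetty-server", "version": "9.4.58.v20250814",
         "purl": "pkg:maven/org.eclipse.jetty/jetty-server@9.4.58.v20250814"},
        {"name": "libthrift", "version": "0.22.0",
         "purl": "pkg:maven/org.apache.thrift/libthrift@0.22.0"},
        {"name": "guava", "version": "33.4.0-jre",
         "purl": "pkg:maven/com.google.guava/guava@33.4.0-jre"},
    ],
})

# CVE -> (Maven group id, first fixed version), taken from the issue text.
# Group ids are assumed; only a subset of the listed CVEs is shown.
ADVISORIES = {
    "CVE-2026-5795": ("org.eclipse.jetty", "9.4.61"),
    "CVE-2026-2332": ("org.eclipse.jetty", "9.4.61"),
    "CVE-2025-48431": ("org.apache.thrift", "0.23.0"),
    "CVE-2026-41602": ("org.apache.thrift", "0.23.0"),
}


def version_key(version):
    """Numeric prefix of a version string: '9.4.58.v20250814' -> (9, 4, 58).
    Ignores Jetty's .vDATE suffix and classifiers such as '-jre'."""
    match = re.match(r"[\d.]+", version)
    if not match:
        return ()
    return tuple(int(n) for n in match.group(0).strip(".").split(".") if n)


def affected_components(sbom_json, advisories):
    """Return {cve: [(purl, shipped_version, fixed_version)]} for every
    SBOM component whose group matches an advisory and sits below the fix."""
    components = json.loads(sbom_json)["components"]
    hits = {}
    for cve, (group, fixed) in advisories.items():
        for comp in components:
            if f"pkg:maven/{group}/" not in comp["purl"]:
                continue
            if version_key(comp["version"]) < version_key(fixed):
                hits.setdefault(cve, []).append(
                    (comp["purl"], comp["version"], fixed))
    return hits


if __name__ == "__main__":
    for cve, comps in affected_components(SBOM_JSON, ADVISORIES).items():
        for purl, shipped, fixed in comps:
            print(f"{cve}: {purl} ships {shipped}, fixed in {fixed}")
```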

> Update libthrift & jetty dependencies for CVEs
> ----------------------------------------------
>
>                 Key: HADOOP-19915
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19915
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Shahnoor Alam
>            Priority: Blocker
>
> Hello Hadoop Community,
> We are actively adopting the new Hadoop 3.5.0 release line for our client 
> runtimes. However, our enterprise security scanners are surfacing several 
> flags regarding older third-party versions shaded within 
> hadoop-client-runtime-3.5.0.jar.
> For completeness and to help track these against any upcoming JIRAs, here is 
> the full list of specific vulnerabilities being flagged:
>  * *Jetty 9.4.58.v20250814* (Addressed upstream in Jetty 9.4.61+)
>  ** CVE-2026-5795
>  ** CVE-2026-2332
>  * *Libthrift 0.22.0* (Addressed upstream in Libthrift 0.23.0)
>  ** CVE-2025-48431
>  ** CVE-2026-41602
>  ** CVE-2026-41603
>  ** CVE-2026-41604
>  ** CVE-2026-41605
>  ** CVE-2026-41606
>  ** CVE-2026-41607
>  ** CVE-2026-43869
>  ** CVE-2026-43870
> Since the upstream fixes for these CVEs were released shortly after Hadoop 
> 3.5.0 was finalized, we understand why they missed the cycle. We wanted to 
> share this comprehensive list of IDs to ensure they are fully captured for 
> the planning of the next maintenance release.
> Could you please share if there is an active JIRA tracking these dependency 
> bumps, or an estimated timeline/target date for the Hadoop 3.5.1 maintenance 
> release?
> Thank you again for your hard work on the 3.5.0 release, and we appreciate 
> your time and assistance!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
