[ 
https://issues.apache.org/jira/browse/HADOOP-19915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Steve Loughran updated HADOOP-19915:
------------------------------------
    Priority: Major  (was: Blocker)

> Update libthrift & jetty dependencies for CVEs
> ----------------------------------------------
>
>                 Key: HADOOP-19915
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19915
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Shahnoor Alam
>            Priority: Major
>
> Hello Hadoop Community,
> We are actively adopting the new Hadoop 3.5.0 release line for our client 
> runtimes. However, our enterprise security scanners are surfacing several 
> flags regarding older third-party versions shaded within 
> hadoop-client-runtime-3.5.0.jar.
> For completeness and to help track these against any upcoming JIRAs, here is 
> the full list of specific vulnerabilities being flagged:
>  * *Jetty 9.4.58.v20250814* (Addressed upstream in Jetty 9.4.61+)
>  ** CVE-2026-5795
>  ** CVE-2026-2332
>  * *Libthrift 0.22.0* (Addressed upstream in Libthrift 0.23.0)
>  ** CVE-2025-48431
>  ** CVE-2026-41602
>  ** CVE-2026-41603
>  ** CVE-2026-41604
>  ** CVE-2026-41605
>  ** CVE-2026-41606
>  ** CVE-2026-41607
>  ** CVE-2026-43869
>  ** CVE-2026-43870
> Since the upstream fixes for these CVEs were released shortly after Hadoop 
> 3.5.0 was finalized, we understand why they missed the cycle. We wanted to 
> share this comprehensive list of IDs to ensure they are fully captured for 
> the planning of the next maintenance release.
> Could you please share if there is an active JIRA tracking these dependency 
> bumps, or an estimated timeline/target date for the Hadoop 3.5.1 maintenance 
> release?
> Thank you again for your hard work on the 3.5.0 release, and we appreciate 
> your time and assistance!
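One way to reproduce what the reporter's scanners are flagging, as an added example that is not part of the original report or of the Hadoop project: read the Maven coordinates that maven-shade-plugin leaves behind in a shaded jar and compare them against the minimum fixed versions named above (Jetty 9.4.61, libthrift 0.23.0). It assumes the jar still carries `META-INF/maven/<groupId>/<artifactId>/pom.properties` entries for the relocated artifacts (the shade plugin keeps them unless it is configured to filter `META-INF/maven`); if a build strips them, the check returns nothing and you must fall back to class-file inspection. The sample jar is constructed inside the block, and the `com.example` artifact and the relocated class path in it are made up for illustration.

```python
"""Flag shaded third-party artifacts in a jar that sit below a fixed version.

Added example, not Hadoop project code. It reads the pom.properties files that
maven-shade-plugin leaves under META-INF/maven/ (an assumption: a build that
filters META-INF/maven yields no coordinates at all).
"""
import io
import re
import sys
import zipfile

# (groupId, artifactId or None for any artifact in the group, minimum fixed version).
# Thresholds are the ones the report above names as carrying the upstream fixes.
MIN_FIXED = [
    ("org.eclipse.jetty", None, "9.4.61"),
    ("org.apache.thrift", "libthrift", "0.23.0"),
]

POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def version_key(version):
    """Leading numeric components of a version; stops at the first qualifier,
    so '9.4.58.v20250814' -> (9, 4, 58) and '0.22.0' -> (0, 22, 0)."""
    parts = []
    for tok in re.split(r"[.\-_]", version):
        if tok.isdigit():
            parts.append(int(tok))
        else:
            break  # e.g. 'v20250814', 'jre', 'SNAPSHOT'
    return tuple(parts)


def version_lt(a, b):
    """True if a < b after zero-padding, so '9.4' equals '9.4.0'. An empty or
    unparsable version compares as (0,...), i.e. is conservatively flagged."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    return ka + (0,) * (n - len(ka)) < kb + (0,) * (n - len(kb))


def shaded_coordinates(jar_bytes):
    """Return [(groupId, artifactId, version)] for every pom.properties in the jar."""
    coords = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
            # Fall back to the directory names if the file omits a key.
            coords.append((props.get("groupId", m.group(1)),
                           props.get("artifactId", m.group(2)),
                           props.get("version", "")))
    return coords


def flag_outdated(coords, rules=MIN_FIXED):
    """Return [(groupId, artifactId, found_version, min_fixed)] for each hit."""
    findings = []
    for group, artifact, version in coords:
        for rule_group, rule_artifact, min_version in rules:
            if group != rule_group:
                continue
            if rule_artifact is not None and artifact != rule_artifact:
                continue
            if version_lt(version, min_version):
                findings.append((group, artifact, version, min_version))
    return findings


def build_sample_jar():
    """Constructed stand-in for a shaded client jar (not the real Hadoop artifact):
    two Jetty modules, libthrift and an unrelated library, plus one relocated class."""
    entries = {
        "META-INF/maven/org.eclipse.jetty/jetty-server/pom.properties":
            "#Generated by Maven\nversion=9.4.58.v20250814\n"
            "groupId=org.eclipse.jetty\nartifactId=jetty-server\n",
        "META-INF/maven/org.eclipse.jetty/jetty-util/pom.properties":
            "version=9.4.58.v20250814\ngroupId=org.eclipse.jetty\nartifactId=jetty-util\n",
        "META-INF/maven/org.apache.thrift/libthrift/pom.properties":
            "version=0.22.0\ngroupId=org.apache.thrift\nartifactId=libthrift\n",
        "META-INF/maven/com.example/example-lib/pom.properties":
            "version=1.0.0\ngroupId=com.example\nartifactId=example-lib\n",
        # Hypothetical relocated class path; irrelevant to the check, shown for realism.
        "org/apache/hadoop/shaded/org/eclipse/jetty/server/Server.class": b"",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, body in entries.items():
            jar.writestr(name, body)
    return buf.getvalue()


def scan_jar_file(path):
    with open(path, "rb") as fh:
        return flag_outdated(shaded_coordinates(fh.read()))


if __name__ == "__main__":
    # Usage: python check_shaded.py hadoop-client-runtime-3.5.0.jar
    # With no argument the constructed sample jar is scanned instead.
    hits = scan_jar_file(sys.argv[1]) if len(sys.argv) > 1 else \
        flag_outdated(shaded_coordinates(build_sample_jar()))
    for group, artifact, found, minimum in hits:
        print(f"{group}:{artifact} {found} < fixed {minimum}")
```

The numeric-prefix comparison is deliberate: Jetty's `.vYYYYMMDD` suffix is a build timestamp, not a semantic component, so `9.4.61.v…` must not be flagged against a `9.4.61` threshold, while any `9.4.5x` is. Run the script against the real jar; an empty result on a jar that visibly bundles Jetty classes means the pom.properties were stripped, not that the jar is clean.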



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
