[ https://issues.apache.org/jira/browse/HADOOP-19915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Steve Loughran reassigned HADOOP-19915:
---------------------------------------
Assignee: Shahnoor Alam
> Update libthrift & jetty dependencies for CVEs
> ----------------------------------------------
>
> Key: HADOOP-19915
> URL: https://issues.apache.org/jira/browse/HADOOP-19915
> Project: Hadoop Common
> Issue Type: Improvement
> Components: build, security
> Affects Versions: 3.5.1
> Reporter: Shahnoor Alam
> Assignee: Shahnoor Alam
> Priority: Major
>
> Hello Hadoop Community,
> We are actively adopting the new Hadoop 3.5.0 release line for our client
> runtimes. However, our enterprise security scanners are surfacing several
> flags regarding older third-party versions shaded within
> {{hadoop-client-runtime-3.5.0.jar}}.
> For completeness and to help track these against any upcoming JIRAs, here is
> the full list of specific vulnerabilities being flagged:
> * *Jetty 9.4.58.v20250814* (Addressed upstream in Jetty 9.4.61+)
> ** CVE-2026-5795
> ** CVE-2026-2332
> * *Libthrift 0.22.0* (Addressed upstream in Libthrift 0.23.0)
> ** CVE-2025-48431
> ** CVE-2026-41602
> ** CVE-2026-41603
> ** CVE-2026-41604
> ** CVE-2026-41605
> ** CVE-2026-41606
> ** CVE-2026-41607
> ** CVE-2026-43869
> ** CVE-2026-43870
> Since the upstream fixes for these CVEs were released shortly after Hadoop
> 3.5.0 was finalized, we understand why they missed the cycle. We wanted to
> share this comprehensive list of IDs to ensure they are fully captured for
> the planning of the next maintenance release.
> Could you please share if there is an active JIRA tracking these dependency
> bumps, or an estimated timeline/target date for the Hadoop 3.5.1 maintenance
> release?
> Thank you again for your hard work on the 3.5.0 release, and we appreciate
> your time and assistance!
--
This message was sent by Atlassian Jira (v8.20.10#820010)