[ https://issues.apache.org/jira/browse/HDFS-16860?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Steve Loughran updated HDFS-16860:
----------------------------------
Description:
Upgrade moment.min.js to 2.29.4 to resolve
https://nvd.nist.gov/vuln/detail/CVE-2022-31129
"Users may notice a noticeable slowdown is observed with inputs above 10k
characters. Users who pass user-provided strings without sanity length checks
to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched
in 2.29.4"
This only appears to affect the UI, not the yarn services, so it is a self-harm
DoS rather than anything important. "if you pass in big strings the ui slows
down"
was: Upgrade moment.min.js to 2.29.4 to resolve
https://nvd.nist.gov/vuln/detail/CVE-2022-31129
> Upgrade moment.min.js to 2.29.4
> -------------------------------
>
> Key: HDFS-16860
> URL: https://issues.apache.org/jira/browse/HDFS-16860
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: build, ui
> Affects Versions: 3.4.0
> Reporter: D M Murali Krishna Reddy
> Assignee: D M Murali Krishna Reddy
> Priority: Major
> Labels: transitive-cve
--
This message was sent by Atlassian Jira
(v8.20.10#820010)