[
https://issues.apache.org/jira/browse/HDFS-17610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17883198#comment-17883198
]
PJ Fanning commented on HDFS-17610:
-----------------------------------
Apache Hadoop is a volunteer project. [~palsai] would you have time to upgrade
this yourself and submit a PR on GitHub?
> Upgrade Bootstrap version used in HDFS UI to fix CVE
> ----------------------------------------------------
>
> Key: HDFS-17610
> URL: https://issues.apache.org/jira/browse/HDFS-17610
> Project: Hadoop HDFS
> Issue Type: Improvement
> Reporter: Palakur Eshwitha Sai
> Priority: Major
>
> The current versions of bootstrap has multiple medium severity CVEs reported
> till date and needs to be updated to the latest versions with no reported
> CVEs.
> [CVE-2024-6484|https://nvd.nist.gov/vuln/detail/CVE-2024-6484]
> [CVE-2024-6531|https://nvd.nist.gov/vuln/detail/CVE-2024-6531]
> [CVE-2024-6485|https://nvd.nist.gov/vuln/detail/CVE-2024-6485]
> For [CVE-2024-6484|https://nvd.nist.gov/vuln/detail/CVE-2024-6484], our tool
> states that:
> This vulnerability affects all 4.x and 5.x versions and not only those
> leading up to and including {{{}3.4.1{}}}.
> For [CVE-2024-6531|https://nvd.nist.gov/vuln/detail/CVE-2024-6531], our tool
> states that:
> This vulnerability was introduced in version {{{}2.0.0{}}}, not {{4.0.0}} as
> the advisory states. Additionally, this vulnerability affects all 5.x
> versions and not only the versions leading up to and including {{{}4.6.2{}}}.
> Therefore, alternative upgrade path needs to be found for the same as there
> is no non-vulnerable upgrade version for this component/package at the moment.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
