[
https://issues.apache.org/jira/browse/TEZ-4353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17446369#comment-17446369
]
László Bodor edited comment on TEZ-4353 at 11/19/21, 8:54 AM:
--------------------------------------------------------------
thanks for the patch [~dmmkr]!
There is a hadoop 3.3.1 upgrade in progress (TEZ-4311), after which we're
trying to stay synchronized with Hadoop's dependencies. As far as I can see,
there is commons-io 2.8.0 there on hadoop/branch-3.3.1, maybe we can jump to
that version now if it doesn't cause any issues at the moment, could you please
check?
was (Author: abstractdog):
thanks for the patch [~dmmkr]!
There is a hadoop 3.3.1 upgrade in progress (TEZ-4311), after which we're
trying to stay synchronized with Hadoop's dependencies. As far as I can see,
there is commons-io 2.8.0 there on branch-3.3.1, maybe we can jump to that
version now if it doesn't cause any issues at the moment, could you please
check?
> Update commons-io to 2.7
> ------------------------
>
> Key: TEZ-4353
> URL: https://issues.apache.org/jira/browse/TEZ-4353
> Project: Apache Tez
> Issue Type: Improvement
> Affects Versions: 0.10.0
> Reporter: D M Murali Krishna Reddy
> Assignee: D M Murali Krishna Reddy
> Priority: Major
> Attachments: TEZ-4353.001.patch
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> [https://nvd.nist.gov/vuln/detail/CVE-2021-29425]
> In Apache Commons IO before 2.7, When invoking the method
> FileNameUtils.normalize with an improper input string, like "//../foo", or
> "\\..\foo", the result would be the same value, thus possibly providing
> access to files in the parent directory, but not further above (thus
> "limited" path traversal), if the calling code would use the result to
> construct a path value.
> It is better to upgrade from 2.4 to 2.7 to fix the vulnerability.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
