[
https://issues.apache.org/jira/browse/TEZ-4353?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
László Bodor updated TEZ-4353:
------------------------------
Fix Version/s: 0.10.2
> Update commons-io to 2.8.0
> --------------------------
>
> Key: TEZ-4353
> URL: https://issues.apache.org/jira/browse/TEZ-4353
> Project: Apache Tez
> Issue Type: Improvement
> Affects Versions: 0.10.0
> Reporter: D M Murali Krishna Reddy
> Assignee: D M Murali Krishna Reddy
> Priority: Major
> Fix For: 0.10.2
>
> Attachments: TEZ-4353.001.patch
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> [https://nvd.nist.gov/vuln/detail/CVE-2021-29425]
> In Apache Commons IO before 2.7, When invoking the method
> FileNameUtils.normalize with an improper input string, like "//../foo", or
> "\\..\foo", the result would be the same value, thus possibly providing
> access to files in the parent directory, but not further above (thus
> "limited" path traversal), if the calling code would use the result to
> construct a path value.
> It is better to upgrade from 2.4 to 2.7 to fix the vulnerability.
>
> As we are planning to be in sync with the hadoop dependencies version, it is
> better to upgrade to 2.8.0 as support to hadoop-3.3 is in progress(TEZ-4311)
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
