[jira] [Commented] (HADOOP-18393) Hadoop 3.3.2 has CVEs coming from dependencies
[ https://issues.apache.org/jira/browse/HADOOP-18393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17826935#comment-17826935 ]

zhenye zhang commented on HADOOP-18393:
---------------------------------------

[~zhangxiping] I found the PR for Hadoop 3.3.X.
8ca57fc9f567b37d82d286feb77d35e670fc635e

> Hadoop 3.3.2 has CVEs coming from dependencies
> ----------------------------------------------
>
>                 Key: HADOOP-18393
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18393
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: build
>    Affects Versions: 3.3.2
>            Reporter: suman agrawal
>            Priority: Major
>
> Hi Team,
>
> Hadoop version 3.3.1 which is compatible for our application has
> vulnerabilities:
> Is there any plan to fix this?
> CVE-2021-37404 hadoop versions < 3.3.2 Apache Hadoop potential heap buffer
> overflow in libhdfs.
> CVE-2020-10650 jackson < 2.9.10.4
> CVE-2021-33036 hadoop < 3.3.2
> CVE-2022-31159 aws xfer manager download < 1.12.262

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18393) Hadoop 3.3.2 has CVEs coming from dependencies
[ https://issues.apache.org/jira/browse/HADOOP-18393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17826928#comment-17826928 ]

zhenye zhang commented on HADOOP-18393:
---------------------------------------

[~zhangxiping] Thanks for your reply. Got it.

[jira] [Commented] (HADOOP-18393) Hadoop 3.3.2 has CVEs coming from dependencies
[ https://issues.apache.org/jira/browse/HADOOP-18393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17826926#comment-17826926 ]

Xiping Zhang commented on HADOOP-18393:
---------------------------------------

[~tyoushinya] There is no direct patch for Hadoop 3.3.0; it needs to be adapted according to this:
CVE-2021-33036 9c7b8cf54ea88833d54fc71a9612c448dc0eb78d

[jira] [Commented] (HADOOP-18393) Hadoop 3.3.2 has CVEs coming from dependencies
[ https://issues.apache.org/jira/browse/HADOOP-18393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17826922#comment-17826922 ]

zhenye zhang commented on HADOOP-18393:
---------------------------------------

[~zhangxiping] Hi, have you resolved CVE-2021-33036 on your Hadoop version? I want to fix this vulnerability on Hadoop 3.3.0, but I cannot find any PR for this Hadoop version.

[jira] [Commented] (HADOOP-18393) Hadoop 3.3.2 has CVEs coming from dependencies
[ https://issues.apache.org/jira/browse/HADOOP-18393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17754045#comment-17754045 ]

Xiping Zhang commented on HADOOP-18393:
---------------------------------------

[~ste...@apache.org] That's okay. Thank you for your reply.

[jira] [Commented] (HADOOP-18393) Hadoop 3.3.2 has CVEs coming from dependencies
[ https://issues.apache.org/jira/browse/HADOOP-18393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17754036#comment-17754036 ]

Steve Loughran commented on HADOOP-18393:
-----------------------------------------

don't recall, sorry.

[jira] [Commented] (HADOOP-18393) Hadoop 3.3.2 has CVEs coming from dependencies
[ https://issues.apache.org/jira/browse/HADOOP-18393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17753965#comment-17753965 ]

Xiping Zhang commented on HADOOP-18393:
---------------------------------------

[~ste...@apache.org] Excuse me, for CVE-2021-33036, do you know which piece of code caused this vulnerability? I see more of this commit modification; the adaptation process needs to add additional code. I just want to fix very little logic to solve this vulnerability.

[jira] [Commented] (HADOOP-18393) Hadoop 3.3.2 has CVEs coming from dependencies
[ https://issues.apache.org/jira/browse/HADOOP-18393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17747729#comment-17747729 ]

Xiping Zhang commented on HADOOP-18393:
---------------------------------------

[~ste...@apache.org] Ok, thank you very much.

[jira] [Commented] (HADOOP-18393) Hadoop 3.3.2 has CVEs coming from dependencies
[ https://issues.apache.org/jira/browse/HADOOP-18393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17747519#comment-17747519 ]

Steve Loughran commented on HADOOP-18393:
-----------------------------------------

no jiras for those, they are in the category of "patches which went in without them".

here are the commits on trunk you need to pick up.

CVE-2021-37404 Apache Hadoop potential heap buffer overflow in libhdfs
commit # 4972e7a246f4aab665fd04ce72d1848bc5da9d4e

CVE-2021-33036 9c7b8cf54ea88833d54fc71a9612c448dc0eb78d yarn container executor only

CVE-2020-9492 81d8a887b04 webhdfs only

[jira] [Commented] (HADOOP-18393) Hadoop 3.3.2 has CVEs coming from dependencies
[ https://issues.apache.org/jira/browse/HADOOP-18393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17747348#comment-17747348 ]

Xiping Zhang commented on HADOOP-18393:
---------------------------------------

[~ste...@apache.org] [~ayushtkn] Hi, I want to fix CVE-2021-37404, CVE-2021-33036, CVE-2020-9492 based on the version 2.9.2 I am currently using. I didn't find the corresponding patch. How should I modify it?