I'm having a problem using hadoop-client version 3.2.1 in my dependency tree. It has a vulnerable jar: org.apache.hadoop : hadoop-mapreduce-client-core : 3.2.1 The code for the vulnerability is: CVE-2017-3166, basically *if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file* The problem is that: if I'm updating for the 3.3.0 hadoop-client version the vulnerability remains and I wouldn't make a downgrade for the version 2.8.1 which is the next non-vulnerable version. Do you have any roadmap or any plan for this?
Thanks! Kind regards, Laszlo
