Hello Team,

Requesting you to please reply to the query; we are stuck in our development because of this.

Regards
Sonal Sharma

From: Sonal Sharma A
Sent: Monday, July 1, 2024 5:49 PM
To: core-u...@hadoop.apache.org
Subject: RE: Queries wrt HDFS 3.4.0

Hello Team,

Please find the detailed query below:

We are planning to upgrade to HDFS 3.4.0 (client side), which fixes the majority of the CVEs listed by our scan reports. However, we have three CVEs on transitive 3PPs included in hadoop-common which are not fixed in HDFS v3.4.0. Our query is: if we update the individual transitive 3PPs to the versions in which the CVEs are fixed, is HDFS client 3.4.0 compatible with these versions? For example, is HDFS client 3.4.0 compatible with commons-compress-1.26.0 and apache-avro-1.11.3?

CVE Id          Current Version - HDFS 3.3.6  Updated version - HDFS 3.4.0  CVE Fixed in 3pp Version    Severity
CVE-2024-25710  commons-compress-1.21         commons-compress-1.24.0       commons-compress-1.26.0     High
CVE-2024-26308  commons-compress-1.21         commons-compress-1.24.0       commons-compress-1.26.0     High
CVE-2023-39410  avro:1.7.7                    avro:1.9.2                    apache-avro version 1.11.3  High

Regards
Sonal Sharma

From: Sonal Sharma A
Sent: Monday, July 1, 2024 5:48 PM
To: core-u...@hadoop.apache.org
Subject: Queries wrt HDFS 3.4.0

Hello Team,

We are using HDFS 3.3.6 and planning to upgrade to HDFS 3.4.0. We have 2 queries wrt this, please help here:

1. The commons-compress version coming with HDFS 3.4.0 is 1.24.0. Will HDFS support it if we upgrade the commons-compress version to 1.26.0?
2. Likewise, the apache-avro version coming with HDFS 3.4.0 is 1.9.2. Will HDFS support it if we upgrade the apache-avro version to 1.11.3?

Regards
Sonal Sharma