I've approved your new user account Shahnoor. Please file a jira, e.g.
"Update libthrift dependencies for CVEs". Thank you. -Aaron

On Mon, Jun 8, 2026 at 4:15 AM Alam, Shahnoor via security <
[email protected]> wrote:

> Hi Team,
>
> Could you please assist us with this?
>
> Regards,
> Shahnoor
>
> *From: *Fatima Ansari, Nuzhat <[email protected]>
> *Date: *Monday, 1 June 2026 at 3:33 PM
> *To: *[email protected] <[email protected]>
> *Cc: *Misra Parashar, Jyoti <[email protected]>; Shukla,
> Vidur <[email protected]>; George, Rejish <
> [email protected]>; Dussa, Hanisha <[email protected]>;
> Singh, Manoj <[email protected]>; Kumar Sharma, Rohit B. <
> [email protected]>; Alam, Shahnoor <
> [email protected]>
> *Subject: *RE: Inquiry regarding Jetty and Thrift dependency bumps in the
> Hadoop 3.5.x line
>
> Hello Hadoop Community,
>
>
>
> Following up on my previous message regarding the libthrift and jetty
> dependency updates for the Hadoop 3.5.x line, I provide the full list of
> specific CVE IDs being flagged against *libthrift 0.22.0* inside the
> hadoop-client-runtime-3.5.0.jar.
>
> For completeness and tracking against any upcoming JIRAs, the scanner is
> surfacing the following vulnerabilities for the bundled Thrift version:
>
>    - *CVE-2025-48431*
>    - *CVE-2026-41602*
>    - *CVE-2026-41603*
>    - *CVE-2026-41604*
>    - *CVE-2026-41605*
>    - *CVE-2026-41606*
>    - *CVE-2026-41607*
>    - *CVE-2026-43869*
>    - *CVE-2026-43870*
>
>
>
> As mentioned, we understand these were collectively addressed in the
> upstream * libthrift 0.23.0* release. We wanted to share the full list of
> IDs to ensure they are fully captured for the planning of the next
> maintenance release (Hadoop 3.5.1).
> Could you please share if there is an estimated timeline or target date
> for when the community is planning the *Hadoop 3.5.1* release?
>
>
>
> Thank you again for your assistance and time!
>
>
>
>
>
> Best regards,
> Nuzhat Ansari
>
>
>
>
>
> *From:* Fatima Ansari, Nuzhat
> *Sent:* Monday, June 1, 2026 1:15 PM
> *To:* [email protected]
> *Cc:* Misra Parashar, Jyoti <[email protected]>; Shukla,
> Vidur <[email protected]>; George, Rejish <
> [email protected]>; Dussa, Hanisha <[email protected]>;
> Singh, Manoj <[email protected]>; Kumar Sharma, Rohit B. <
> [email protected]>; Alam, Shahnoor <
> [email protected]>
> *Subject:* Inquiry regarding Jetty and Thrift dependency bumps in the
> Hadoop 3.5.x line
>
>
>
> Hello Hadoop Community,
>
>
>
> We are actively adopting the new *Hadoop 3.5.0* release line for our
> client runtimes. However, our enterprise security scanners are surfacing
> flags regarding older third-party versions shaded within the
> hadoop-client-runtime-3.5.0.jar:
>
>    - *Jetty 9.4.58.v20250814* is flagging *CVE-2026-5795* and
>    *CVE-2026-2332*.
>    - *Libthrift 0.22.0* is flagging *CVE-2026-43870*.
>
>
>
> Since the fixes for these CVEs (Jetty 9.4.61+ and Thrift 0.23.0) were
> released shortly after Hadoop 3.5.0 was finalized, we understand why they
> missed the cycle.
>
> Is there an active JIRA or an estimated timeline for a *Hadoop 3.5.1* 
> maintenance
> release that will bump these dependencies to clear these scanner flags?
>
> Thank you for your hard work on the 3.5.0 release!
>
>
>
>
>
> Best regards,
>
> Nuzhat Ansari
>
>
>
> ------------------------------
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If you have
> received it in error, please notify the sender immediately and delete the
> original. Any other use of the e-mail by you is prohibited. Where allowed
> by local law, electronic communications with Accenture and its affiliates,
> including e-mail and instant messaging (including content), may be scanned
> by our systems for the purposes of information security, AI-powered support
> capabilities, and assessment of internal compliance with Accenture policy.
> Your privacy is important to us. Accenture uses your personal data only in
> compliance with data protection laws. For further information on how
> Accenture processes your personal data, please see our privacy statement at
> https://www.accenture.com/us-en/privacy-policy.
>
> ______________________________________________________________________________________
>
> www.accenture.com
>

Reply via email to