[ https://issues.apache.org/jira/browse/HADOOP-18333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17568044#comment-17568044 ]

Steve Loughran commented on HADOOP-18333:
-----------------------------------------

I really want to get the RC0 ASAP and don't want to get trapped into eternal
jar updates, which is where we are right now.

I want to get a low-risk jar out to fix our own issues, and the more changes we
get in transitively, the more likely things will break and adoption will stall.

Risk is low and apparently proxy-related:
https://nvd.nist.gov/vuln/detail/CVE-2022-2047

My view for all last-minute jar changes should be "let's target the full
branch-3.3 release".

> hadoop-client-runtime impact by CVE-2022-2047 due to shaded jetty
> -----------------------------------------------------------------
>
>                 Key: HADOOP-18333
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18333
>             Project: Hadoop Common
>          Issue Type: Improvement
>    Affects Versions: 3.3.3
>            Reporter: phoebe chen
>            Assignee: Ashutosh Gupta
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> CVE-2022-2047 was recently found for Eclipse Jetty and impacts 9.4.0 through
> 9.4.46.
> The latest 3.3.3 of hadoop-client-runtime shades Jetty version 9.4.43.v20210629,
> which is impacted.
> In trunk, Jetty is at version 9.4.44.v20210927, which is still impacted.
> Need to upgrade the Jetty version.
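The description above gives the affected range (Jetty 9.4.0 through 9.4.46) and the versions shaded into hadoop-client-runtime. The following is an added example, not Hadoop's or Jetty's own code, of how a consumer can audit a shaded jar for an in-range Jetty without unpacking it by hand. It assumes the shade plugin left the `META-INF/maven/org.eclipse.jetty/<artifactId>/pom.properties` entries of the shaded dependencies inside the jar (the maven-shade-plugin default); if a build strips those, the check reports nothing and a class-path inspection is needed instead. The sample jar is constructed inline so the script runs offline.

```python
"""Audit a shaded jar (e.g. hadoop-client-runtime) for a Jetty version inside
the CVE-2022-2047 affected range, 9.4.0 through 9.4.46 inclusive.

Added example; assumes shaded jars keep org.eclipse.jetty pom.properties entries.
"""
import io
import re
import zipfile

# Affected range as stated in the issue description (inclusive on both ends).
AFFECTED_LOW = (9, 4, 0)
AFFECTED_HIGH = (9, 4, 46)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
_POM_PATH_RE = re.compile(
    r"^META-INF/maven/org\.eclipse\.jetty/([^/]+)/pom\.properties$")


def parse_jetty_version(version):
    """Return (major, minor, patch) for a Jetty version string such as
    '9.4.43.v20210629'; the '.vYYYYMMDD' date qualifier is ignored."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version falls inside the CVE-2022-2047 range."""
    return AFFECTED_LOW <= parse_jetty_version(version) <= AFFECTED_HIGH


def shaded_jetty_versions(jar_bytes):
    """Map jetty artifactId -> version for every org.eclipse.jetty
    pom.properties found inside the jar (assumed present after shading)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = _POM_PATH_RE.match(name)
            if not m:
                continue
            props = zf.read(name).decode("utf-8", errors="replace")
            for line in props.splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    found[m.group(1)] = value.strip()
    return found


def audit_jar(jar_bytes):
    """Sorted list of (artifactId, version) for shaded Jetty artifacts
    whose version is in the affected range; empty list means clean."""
    return sorted((a, v) for a, v in shaded_jetty_versions(jar_bytes).items()
                  if is_affected(v))


def build_sample_jar(jetty_version):
    """Constructed sample jar: a minimal zip carrying one Jetty pom.properties
    entry, standing in for a real hadoop-client-runtime jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(
            "META-INF/maven/org.eclipse.jetty/jetty-server/pom.properties",
            "#Generated by Maven\n"
            f"version={jetty_version}\n"
            "groupId=org.eclipse.jetty\n"
            "artifactId=jetty-server\n")
    return buf.getvalue()


if __name__ == "__main__":
    # 9.4.43 and 9.4.44 are the versions named in the issue; 9.4.47 is a
    # constructed just-above-range value used only to show a clean result.
    for ver in ("9.4.43.v20210629", "9.4.44.v20210927", "9.4.47"):
        print(ver, "->", audit_jar(build_sample_jar(ver)) or "clean")
```

Against a real jar, replace `build_sample_jar(...)` with the bytes of the file; any non-empty result from `audit_jar` means the runtime still carries an in-range Jetty and should be treated as affected regardless of which Jetty features the application uses.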



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org