[
https://issues.apache.org/jira/browse/HADOOP-19813?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18058174#comment-18058174
]
Steve Loughran commented on HADOOP-19813:
-----------------------------------------
Netty. Oh dear.
It takes about a month to get an AWS SDK update in, due to the little detail
that, as the AWS SDK team don't test with third-party stores, we may well be the
first to point it at an external store.
There's a lot of manual work to qualify a release, even if it does work. When
you start having to debug the failures, triage them, turn off needless warnings
etc., I estimate 4 weeks for an upgrade:
https://github.com/steveloughran/engineering-proposals/blob/trunk/qualifying-an-SDK-upgrade.md
* the AWS bundle's Netty is only for the AWS client library
* this CVE is Netty server-side
I don't see any exposure at all, so not a reason to abort the ongoing
release(s).
As noted, it takes about a month. If you were to get involved in that process,
it could help others and bring forward the date...
> CVE-2025-67735 Bump AWS SDK bundle for netty CVE
> ------------------------------------------------
>
> Key: HADOOP-19813
> URL: https://issues.apache.org/jira/browse/HADOOP-19813
> Project: Hadoop Common
> Issue Type: Task
> Components: build, fs/s3, security
> Affects Versions: 3.5.0, 3.4.3
> Reporter: Isaac
> Priority: Minor
>
> Hi all,
> The AWS SDK being used has a netty version affected by CVE-2025-67735
> It should be updated to at least v2.40.11, which uses a fixed version of
> Netty.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
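The exposure question in this thread turns on what the shaded AWS SDK bundle jar actually carries: which Netty modules are relocated into it, and at what version. Below is an added example for checking that from the jar itself; it is not Hadoop or AWS SDK code. It assumes the bundle still contains the Maven metadata of its relocated dependencies under META-INF/maven/<groupId>/<artifactId>/pom.properties (a shaded jar built with that metadata stripped reports nothing and has to be audited another way), and the fixed Netty version is a parameter, since the thread names the SDK version (2.40.11) but not the Netty version it pulls in. The sample jar built by build_sample_bundle is constructed for illustration; its version numbers are not claims about any real release.

```python
"""Audit a shaded jar (e.g. the AWS SDK 'bundle' artifact) for the Netty modules
it relocates and whether each meets a minimum fixed version.

Added example for the HADOOP-19813 discussion, not project code. ASSUMPTION: the
jar retains META-INF/maven/<group>/<artifact>/pom.properties for its shaded
dependencies; without that metadata no modules are found.
"""
import io
import re
import sys
import zipfile

POM_PROPS = re.compile(
    r"^META-INF/maven/(?P<group>[^/]+)/(?P<artifact>[^/]+)/pom\.properties$"
)


def version_key(version: str) -> tuple:
    """Numeric key for versions like '4.1.118.Final' or '2.40.11'.
    Qualifiers such as 'Final' are ignored; missing components count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    return tuple((nums + [0, 0, 0, 0])[:4])


def is_at_least(version: str, minimum: str) -> bool:
    return version_key(version) >= version_key(minimum)


def parse_pom_properties(text: str) -> dict:
    """Minimal java.util.Properties parser: key=value lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def bundled_artifacts(jar_bytes: bytes) -> dict:
    """Map 'groupId:artifactId' -> version for every pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            match = POM_PROPS.match(name)
            if not match:
                continue
            props = parse_pom_properties(jar.read(name).decode("utf-8", "replace"))
            group = props.get("groupId", match["group"])
            artifact = props.get("artifactId", match["artifact"])
            found[f"{group}:{artifact}"] = props.get("version", "unknown")
    return found


def audit_netty(jar_bytes: bytes, fixed_version: str) -> dict:
    """Report the io.netty modules in the jar and those below fixed_version."""
    netty = {k: v for k, v in bundled_artifacts(jar_bytes).items()
             if k.startswith("io.netty:")}
    below = sorted(k for k, v in netty.items() if not is_at_least(v, fixed_version))
    return {"netty_modules": netty, "below_fix": below, "exposed": bool(below)}


def build_sample_bundle(artifacts: dict) -> bytes:
    """CONSTRUCTED stand-in for a bundle jar holding only Maven metadata entries.
    Versions passed in are illustrative, not real release data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for coord, version in artifacts.items():
            group, artifact = coord.split(":")
            jar.writestr(
                f"META-INF/maven/{group}/{artifact}/pom.properties",
                f"#generated\nversion={version}\ngroupId={group}\nartifactId={artifact}\n",
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python audit_bundle.py path/to/bundle.jar <minimum-netty-version>
    if len(sys.argv) != 3:
        sys.exit("usage: audit_bundle.py <bundle.jar> <min-netty-version>")
    with open(sys.argv[1], "rb") as fh:
        report = audit_netty(fh.read(), sys.argv[2])
    for coord, ver in sorted(report["netty_modules"].items()):
        flag = "BELOW FIX" if coord in report["below_fix"] else "ok"
        print(f"{coord} {ver} {flag}")
    sys.exit(1 if report["exposed"] else 0)
```

The version-only check answers "is the vulnerable code present?", which is the starting point of the comment's argument; it does not answer whether any of that code is reachable, and the comment's point is that the relocated Netty here serves only the client side. Both checks are needed before deciding that a bundled CVE is or is not a release blocker.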