[
https://issues.apache.org/jira/browse/HADOOP-19866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18074841#comment-18074841
]
ASF GitHub Bot commented on HADOOP-19866:
-----------------------------------------
steveloughran commented on PR #8443:
URL: https://github.com/apache/hadoop/pull/8443#issuecomment-4280902228
test failure is
[TestYarnNativeServices.testCreateServiceWithPlacementPolicy](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8443/1/testReport/org.apache.hadoop.yarn.service/TestYarnNativeServices/testCreateServiceWithPlacementPolicy/)
yarn service not listening. assuming a flaky test. if there was a major
incompatiblity from bouncycastle, it'd be more widespread.
> upgrade bouncycastle to 1.84 due to multiple CVEs
> -------------------------------------------------
>
> Key: HADOOP-19866
> URL: https://issues.apache.org/jira/browse/HADOOP-19866
> Project: Hadoop Common
> Issue Type: Task
> Reporter: PJ Fanning
> Priority: Major
> Labels: pull-request-available
>
> [https://www.bouncycastle.org/download/bouncy-castle-java/#release-notes]
> * CVE-2025-14813 - GOSTCTR implementation unable to process more than 255
> blocks correctly.
> * CVE-2026-0636 - LDAP Injection Vulnerability in LDAPStoreHelper.java.
> * CVE-2026-3505 - Unbounded PGP AEAD chunk size leads to pre-auth resource
> exhaustion.
> * CVE-2026-5588 - PKIX draft CompositeVerifier accepts empty signature
> sequence as valid.
> * CVE-2026-5598 - Non-constant time comparisons risk private key leakage in
> FrodoKEM.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
