[ https://issues.apache.org/jira/browse/HADOOP-19866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18074845#comment-18074845 ]

ASF GitHub Bot commented on HADOOP-19866:
-----------------------------------------

steveloughran commented on PR #8443:
URL: https://github.com/apache/hadoop/pull/8443#issuecomment-4280956517

Thanks.

Does it backport (i.e. is it Java 8 compatible)? If so, let's do that.

That's a lot of CVEs... possibly a side effect of the uptick in AI-assisted CVE discovery.

We have to view every dependency as a CVE subscription, and bring those versions up to date.

The YARN NPM stuff is something that someone needs to maintain, and nobody does. What if we just treat dependabot as the submitter and don't rely on any human submission? Instead, just create a matching Hadoop/yarn/.. JIRA, change the title and merge?

> upgrade bouncycastle to 1.84 due to multiple CVEs
> -------------------------------------------------
>
>                 Key: HADOOP-19866
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19866
>             Project: Hadoop Common
>          Issue Type: Task
>            Reporter: PJ Fanning
>            Priority: Major
>              Labels: pull-request-available
>
> [https://www.bouncycastle.org/download/bouncy-castle-java/#release-notes]
>  * CVE-2025-14813 - GOSTCTR implementation unable to process more than 255 blocks correctly.
>  * CVE-2026-0636 - LDAP Injection Vulnerability in LDAPStoreHelper.java.
>  * CVE-2026-3505 - Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.
>  * CVE-2026-5588 - PKIX draft CompositeVerifier accepts empty signature sequence as valid.
>  * CVE-2026-5598 - Non-constant time comparisons risk private key leakage in FrodoKEM.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)