[ 
https://issues.apache.org/jira/browse/HADOOP-19910?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18092733#comment-18092733
 ] 

Steve Loughran commented on HADOOP-19910:
-----------------------------------------

Nothing above 9.4.58 in the open source repositories: 
https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server/9.4.58.v20250814

if you have a private copy of the artifacts, you can build your own version of 
that hadoop-client lib and push it out. Setting HeroDevs as the first maven 
repo to check should be enough

Nobody can do an asf release with these artifacts, as the licensing doesn't 
hold any more. 

closing as a wontfix as it can't be done

> Upgrade Jetty from 9.4.58 to 9.4.60+ to fix CVE-2026-2332 (HTTP Request 
> Smuggling)
> ----------------------------------------------------------------------------------
>
>                 Key: HADOOP-19910
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19910
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: hadoop-common
>    Affects Versions: 3.5.0
>            Reporter: Hemanath
>            Priority: Major
>             Fix For: 3.5.0
>
>
> When we scan our Docker images that has pyspark and 
> hadoop-client-runtime-3.5.0.jar using Trivy Security scanner, a vulnerability 
> (CVE-2026-2332) is being flagged for library org.eclipse.jetty:jetty-http 
> 9.4.58.v20250814 with high severity. hadoop-client-runtime-3.5.0.jar is using 
> this version. The trivy report is shown below:
> |*Library*|*Vulnerability*|*Severity*|*Status*|*Installed Version*|*Fixed 
> Version*|
> |org.eclipse.jetty:jetty-http 
> (hadoop-client-runtime-3.5.0.jar)|CVE-2026-2332|HIGH|fixed|9.4.58.v20250814|9.4.60,
>  10.0.28, 11.0.28, 12.0.33, 12.1.7|
> We are usingĀ  pyspark in our application. Hadoop-client-runtime is installed 
> due to the dependency pyspark has on hadoop-client-runtime.
> Could you please upgrade jetty to any of the fixed version.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to