[
https://issues.apache.org/jira/browse/APEXCORE-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16477439#comment-16477439
]
ASF GitHub Bot commented on APEXCORE-815:
-----------------------------------------
tweise closed pull request #601: APEXCORE-815 Whitelist CVE-2016-6811
URL: https://github.com/apache/apex-core/pull/601
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/dependency-check-whitelist.xml b/dependency-check-whitelist.xml
index 700c986860..a8c4fbcbf1 100644
--- a/dependency-check-whitelist.xml
+++ b/dependency-check-whitelist.xml
@@ -20,4 +20,7 @@
-->
<suppressions
xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd";>
+ <suppress>
+ <cve>CVE-2016-6811</cve>
+ </suppress>
</suppressions>
diff --git a/docs/application_development.md b/docs/application_development.md
index 6bfa3fdd63..f3398e2a3b 100644
--- a/docs/application_development.md
+++ b/docs/application_development.md
@@ -695,7 +695,8 @@ submitted to the Hadoop cluster and executes as a
multi-processapplication on
Before you start deploying, testing and troubleshooting your
application on a cluster, you should ensure that Hadoop (version 2.6.0
or later) is properly installed and
-you have basic skills for working with it.
+you have basic skills for working with it. Due to a known vulnerability in
Apache Yarn, Apex community
+recommends Hadoop version 2.7.4 or later.
------------------------------------------------------------------------
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> Whitelist CVE-2016-6811
> -----------------------
>
> Key: APEXCORE-815
> URL: https://issues.apache.org/jira/browse/APEXCORE-815
> Project: Apache Apex Core
> Issue Type: Task
> Reporter: Vlad Rozov
> Assignee: Vlad Rozov
> Priority: Major
> Fix For: 4.0.0
>
>
> There is an old vulnerability in Yarn version 2.7.3 and below (please see
> [CVE-2016-6811|https://www.cvedetails.com/cve/CVE-2016-6811]) that was
> recently marked as severity 9 and now it breaks Apex build. Based on my
> analysis, the vulnerability affects Yarn cluster itself (see
> [YARN-5121|https://issues.apache.org/jira/browse/YARN-5121]).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
