[ https://issues.apache.org/jira/browse/APEXCORE-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16477439#comment-16477439 ]
ASF GitHub Bot commented on APEXCORE-815: ----------------------------------------- tweise closed pull request #601: APEXCORE-815 Whitelist CVE-2016-6811 URL: https://github.com/apache/apex-core/pull/601 This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic): diff --git a/dependency-check-whitelist.xml b/dependency-check-whitelist.xml index 700c986860..a8c4fbcbf1 100644 --- a/dependency-check-whitelist.xml +++ b/dependency-check-whitelist.xml @@ -20,4 +20,7 @@ --> <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd"> + <suppress> + <cve>CVE-2016-6811</cve> + </suppress> </suppressions> diff --git a/docs/application_development.md b/docs/application_development.md index 6bfa3fdd63..f3398e2a3b 100644 --- a/docs/application_development.md +++ b/docs/application_development.md 
@@ -695,7 +695,8 @@ submitted to the Hadoop cluster and executes as a multi-processapplication on Before you start deploying, testing and troubleshooting your application on a cluster, you should ensure that Hadoop (version 2.6.0 or later) is properly installed and -you have basic skills for working with it. +you have basic skills for working with it. Due to a known vulnerability in Apache Yarn, Apex community +recommends Hadoop version 2.7.4 or later. ------------------------------------------------------------------------ ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org > Whitelist CVE-2016-6811 > ----------------------- > > Key: APEXCORE-815 > URL: https://issues.apache.org/jira/browse/APEXCORE-815 > Project: Apache Apex Core > Issue Type: Task > Reporter: Vlad Rozov > Assignee: Vlad Rozov > Priority: Major > Fix For: 4.0.0 > > > There is an old vulnerability in Yarn version 2.7.3 and below (please see > [CVE-2016-6811|https://www.cvedetails.com/cve/CVE-2016-6811]) that was > recently marked as severity 9 and now it breaks Apex build. Based on my > analysis, the vulnerability affects Yarn cluster itself (see > [YARN-5121|https://issues.apache.org/jira/browse/YARN-5121]). -- This message was sent by Atlassian JIRA (v7.6.3#76005)
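Review bot: the new `<suppress>` block in dependency-check-whitelist.xml has no scope and no justification, so it silences CVE-2016-6811 for every artifact the scan encounters rather than only the Hadoop YARN dependency this issue is about, and anyone reading the file later cannot tell why the entry exists or when it can be dropped. Suggest narrowing it with a `<gav regex="true">` (or `<cpe>`) element matching the YARN artifacts (the exact coordinates are not in this diff) and adding a `<notes>` element that records the reasoning, for example `<notes>APEXCORE-815: CVE-2016-6811 affects the YARN cluster itself (YARN-5121), not the Apex client; fixed in Hadoop 2.7.4</notes>`. Both elements are part of the suppression schema referenced on the `<suppressions>` line.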
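Review bot: the sentence added to docs/application_development.md sits directly after the unchanged "Hadoop (version 2.6.0 or later)" requirement, so the paragraph now states two minimum versions without saying how they relate, and it gives the reader nothing to verify ("a known vulnerability in Apache Yarn" names neither the CVE nor the YARN issue; also "Apex community" needs "the", and the product is Apache Hadoop YARN). Suggest merging the two statements and citing the issue, e.g. "Hadoop version 2.6.0 or later is required; because CVE-2016-6811 (YARN-5121) affects YARN 2.7.3 and earlier, the Apex community recommends Hadoop 2.7.4 or later."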