Laszlo Czol created HDFS-15587:
----------------------------------
Summary: Hadoop Client version 3.2.1 vulnerability
Key: HDFS-15587
URL: https://issues.apache.org/jira/browse/HDFS-15587
Project: Hadoop HDFS
Issue Type: Wish
Reporter: Laszlo Czol
I'm having a problem using hadoop-client version 3.2.1 in my dependency tree.
It has a vulnerable jar: org.apache.hadoop : hadoop-mapreduce-client-core :
3.2.1 The code for the vulnerability is: CVE-2017-3166, basically _if a file in
an encryption zone with access permissions that make it world readable is
localized via YARN's localization mechanism, that file will be stored in a
world-readable location and can be shared freely with any application that
requests to localize that file_ The problem is that: if I'm updating for the
3.3.0 hadoop-client version the vulnerability remains and I wouldn't make a
downgrade for the version 2.8.1 which is the next non-vulnerable version.
Do you have any roadmap or any plan for this?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-h...@hadoop.apache.org
