Laszlo Czol created HDFS-15587: ---------------------------------- Summary: Hadoop Client version 3.2.1 vulnerability Key: HDFS-15587 URL: https://issues.apache.org/jira/browse/HDFS-15587 Project: Hadoop HDFS Issue Type: Wish Reporter: Laszlo Czol
I'm having a problem using hadoop-client version 3.2.1 in my dependency tree. It has a vulnerable jar: org.apache.hadoop : hadoop-mapreduce-client-core : 3.2.1 The code for the vulnerability is: CVE-2017-3166, basically _if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file_ The problem is that: if I'm updating for the 3.3.0 hadoop-client version the vulnerability remains and I wouldn't make a downgrade for the version 2.8.1 which is the next non-vulnerable version. Do you have any roadmap or any plan for this? -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: hdfs-dev-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-dev-h...@hadoop.apache.org