[
https://issues.apache.org/jira/browse/HDFS-15587?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Steve Loughran resolved HDFS-15587.
-----------------------------------
Resolution: Invalid
> Hadoop Client version 3.2.1 vulnerability
> -----------------------------------------
>
> Key: HDFS-15587
> URL: https://issues.apache.org/jira/browse/HDFS-15587
> Project: Hadoop HDFS
> Issue Type: Wish
> Reporter: Laszlo Czol
> Priority: Minor
>
> I'm having a problem using hadoop-client version 3.2.1 in my dependency
> tree. It has a vulnerable jar: org.apache.hadoop :
> hadoop-mapreduce-client-core : 3.2.1 The code for the vulnerability is:
> CVE-2017-3166, basically _if a file in an encryption zone with access
> permissions that make it world readable is localized via YARN's localization
> mechanism, that file will be stored in a world-readable location and can be
> shared freely with any application that requests to localize that file_ The
> problem is that: if I'm updating for the 3.3.0 hadoop-client version the
> vulnerability remains and I wouldn't make a downgrade for the version 2.8.1
> which is the next non-vulnerable version.
> Do you have any roadmap or any plan for this?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-h...@hadoop.apache.org
