[ https://issues.apache.org/jira/browse/HDFS-15587?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Steve Loughran resolved HDFS-15587. ----------------------------------- Resolution: Invalid > Hadoop Client version 3.2.1 vulnerability > ----------------------------------------- > > Key: HDFS-15587 > URL: https://issues.apache.org/jira/browse/HDFS-15587 > Project: Hadoop HDFS > Issue Type: Wish > Reporter: Laszlo Czol > Priority: Minor > > I'm having a problem using hadoop-client version 3.2.1 in my dependency > tree. It has a vulnerable jar: org.apache.hadoop : > hadoop-mapreduce-client-core : 3.2.1 The code for the vulnerability is: > CVE-2017-3166, basically _if a file in an encryption zone with access > permissions that make it world readable is localized via YARN's localization > mechanism, that file will be stored in a world-readable location and can be > shared freely with any application that requests to localize that file_ The > problem is that: if I'm updating for the 3.3.0 hadoop-client version the > vulnerability remains and I wouldn't make a downgrade for the version 2.8.1 > which is the next non-vulnerable version. > Do you have any roadmap or any plan for this? -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: hdfs-dev-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-dev-h...@hadoop.apache.org