Thank you, Ayush, for the reply; we followed the same approach. Also, 3PP stands for 3rd Party Product.
Regards,
Sonal Sharma

From: Ayush Saxena <ayush...@gmail.com>
Sent: Tuesday, July 9, 2024 2:20 PM
To: Sonal Sharma A <sonal.a.sha...@ericsson.com>
Cc: user@hadoop.apache.org
Subject: Re: Queries wrt HDFS 3.4.0

Hi Sonal,

It is more like a question for commons-compress: if that dependency is backward compatible, things should work. We don't test such scenarios; in an ideal scenario, we should be using the versions packaged with the Hadoop release.

Regarding Avro, that could be problematic; see the past discussions: HADOOP-13386 <https://issues.apache.org/jira/browse/HADOOP-13386>

btw. I couldn't decode what 3pp is.

-Ayush

On Tue, 9 Jul 2024 at 14:06, Sonal Sharma A <sonal.a.sha...@ericsson.com.invalid> wrote:

Hello Team,

We are planning to upgrade to HDFS 3.4.0 (client side), which fixes the majority of the CVEs listed by our scan reports. However, we have three CVEs on transitive 3PPs included in hadoop-common which are not fixed in HDFS v3.4.0. Our query is: if we update the individual transitive 3PPs to the versions in which the CVEs are fixed, is HDFS client 3.4.0 compatible with these versions? For example, is HDFS client 3.4.0 compatible with commons-compress-1.26.0 and apache-avro-1.11.3?

CVE Id           Current version (HDFS 3.3.6)   Updated version (HDFS 3.4.0)   CVE fixed in 3PP version   Severity
CVE-2024-25710   commons-compress-1.21          commons-compress-1.24.0        commons-compress-1.26.0    High
CVE-2024-26308   commons-compress-1.21          commons-compress-1.24.0        commons-compress-1.26.0    High
CVE-2023-39410   avro:1.7.7                     avro:1.9.2                     apache-avro 1.11.3         High

Regards,
Sonal Sharma
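The "update the individual transitive 3PPs" approach discussed in the thread, shown as an added example of how it is usually done in a Maven build; this is not code from the thread or from the Hadoop project. It assumes the client is built with Maven against org.apache.hadoop:hadoop-client 3.4.0, and pins the two artifacts to the versions in the "CVE fixed in 3PP version" column of Sonal's table. The groupId/artifactId/version of the application itself (com.example:hdfs-client-app) are placeholders.

```xml
<!-- Added example (not from the thread or the Hadoop project): pin the two
     transitive 3PPs in the application's own pom.xml. Assumes a Maven build
     that depends on org.apache.hadoop:hadoop-client 3.4.0. The application
     coordinates below are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>hdfs-client-app</artifactId>
  <version>1.0.0</version>

  <properties>
    <hadoop.version>3.4.0</hadoop.version>
    <!-- Versions from the "CVE fixed in 3PP version" column of the table. -->
    <commons-compress.version>1.26.0</commons-compress.version>
    <avro.version>1.11.3</avro.version>
  </properties>

  <!-- dependencyManagement overrides the version Maven would otherwise pick
       for a transitive dependency (the one hadoop-client 3.4.0 declares)
       without turning it into a direct dependency of the application. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-compress</artifactId>
        <version>${commons-compress.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.avro</groupId>
        <artifactId>avro</artifactId>
        <version>${avro.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.hadoop</groupId>
      <artifactId>hadoop-client</artifactId>
      <version>${hadoop.version}</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the override actually took effect, run `mvn dependency:tree -Dincludes=org.apache.commons:commons-compress,org.apache.avro:avro` and check that the printed versions are 1.26.0 and 1.11.3 rather than the 1.24.0 and 1.9.2 that hadoop-client 3.4.0 brings in. Two caveats follow from the thread: this pin only changes what the application's own build resolves, so a job that is launched with the cluster's Hadoop classpath still loads whatever jars are on the node; and Avro is the dependency Ayush flagged as problematic (HADOOP-13386), so the client code paths that touch Avro need to be exercised against the pinned version rather than assumed to work.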