I've approved your new user account Shahnoor. Please file a jira, e.g. "Update libthrift dependencies for CVEs". Thank you. -Aaron
On Mon, Jun 8, 2026 at 4:15 AM Alam, Shahnoor via security < [email protected]> wrote: > Hi Team, > > Could you please assist us with this? > > Regards, > Shahnoor > > *From: *Fatima Ansari, Nuzhat <[email protected]> > *Date: *Monday, 1 June 2026 at 3:33 PM > *To: *[email protected] <[email protected]> > *Cc: *Misra Parashar, Jyoti <[email protected]>; Shukla, > Vidur <[email protected]>; George, Rejish < > [email protected]>; Dussa, Hanisha <[email protected]>; > Singh, Manoj <[email protected]>; Kumar Sharma, Rohit B. < > [email protected]>; Alam, Shahnoor < > [email protected]> > *Subject: *RE: Inquiry regarding Jetty and Thrift dependency bumps in the > Hadoop 3.5.x line > > Hello Hadoop Community, > > > > Following up on my previous message regarding the libthrift and jetty > dependency updates for the Hadoop 3.5.x line, I provide the full list of > specific CVE IDs being flagged against *libthrift 0.22.0* inside the > hadoop-client-runtime-3.5.0.jar. > > For completeness and tracking against any upcoming JIRAs, the scanner is > surfacing the following vulnerabilities for the bundled Thrift version: > > - *CVE-2025-48431* > - *CVE-2026-41602* > - *CVE-2026-41603* > - *CVE-2026-41604* > - *CVE-2026-41605* > - *CVE-2026-41606* > - *CVE-2026-41607* > - *CVE-2026-43869* > - *CVE-2026-43870* > > > > As mentioned, we understand these were collectively addressed in the > upstream * libthrift 0.23.0* release. We wanted to share the full list of > IDs to ensure they are fully captured for the planning of the next > maintenance release (Hadoop 3.5.1). > Could you please share if there is an estimated timeline or target date > for when the community is planning the *Hadoop 3.5.1* release? > > > > Thank you again for your assistance and time! > > > > > > Best regards, > Nuzhat Ansari > > > > > > *From:* Fatima Ansari, Nuzhat > *Sent:* Monday, June 1, 2026 1:15 PM > *To:* [email protected] > *Cc:* Misra Parashar, Jyoti <[email protected]>; Shukla, > Vidur <[email protected]>; George, Rejish < > [email protected]>; Dussa, Hanisha <[email protected]>; > Singh, Manoj <[email protected]>; Kumar Sharma, Rohit B. < > [email protected]>; Alam, Shahnoor < > [email protected]> > *Subject:* Inquiry regarding Jetty and Thrift dependency bumps in the > Hadoop 3.5.x line > > > > Hello Hadoop Community, > > > > We are actively adopting the new *Hadoop 3.5.0* release line for our > client runtimes. However, our enterprise security scanners are surfacing > flags regarding older third-party versions shaded within the > hadoop-client-runtime-3.5.0.jar: > > - *Jetty 9.4.58.v20250814* is flagging *CVE-2026-5795* and > *CVE-2026-2332*. > - *Libthrift 0.22.0* is flagging *CVE-2026-43870*. > > > > Since the fixes for these CVEs (Jetty 9.4.61+ and Thrift 0.23.0) were > released shortly after Hadoop 3.5.0 was finalized, we understand why they > missed the cycle. > > Is there an active JIRA or an estimated timeline for a *Hadoop 3.5.1* > maintenance > release that will bump these dependencies to clear these scanner flags? > > Thank you for your hard work on the 3.5.0 release! > > > > > > Best regards, > > Nuzhat Ansari > > > > ------------------------------ > > This message is for the designated recipient only and may contain > privileged, proprietary, or otherwise confidential information. If you have > received it in error, please notify the sender immediately and delete the > original. Any other use of the e-mail by you is prohibited. Where allowed > by local law, electronic communications with Accenture and its affiliates, > including e-mail and instant messaging (including content), may be scanned > by our systems for the purposes of information security, AI-powered support > capabilities, and assessment of internal compliance with Accenture policy. > Your privacy is important to us. Accenture uses your personal data only in > compliance with data protection laws. For further information on how > Accenture processes your personal data, please see our privacy statement at > https://www.accenture.com/us-en/privacy-policy. > > ______________________________________________________________________________________ > > www.accenture.com >
