[
https://issues.apache.org/jira/browse/HADOOP-18317?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17885925#comment-17885925
]
Andrew Olson commented on HADOOP-18317:
---------------------------------------
Confirming 2.10.2:
[https://github.com/apache/hadoop/commits/rel/release-2.10.2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileUtil.java]
Confirming 3.2.3:
[https://github.com/apache/hadoop/commits/rel/release-3.2.3/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileUtil.java]
Confirming 3.3.3:
[https://github.com/apache/hadoop/commits/rel/release-3.3.3/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileUtil.java]
Confirming 3.4.0:
[https://github.com/apache/hadoop/commits/rel/release-3.4.0/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileUtil.java]
Where applicable, the commit history of the previous patch version can be
inspected as confirmation that these are the initial inclusions for this
correction in each x.y version.
The CVE db should be updated if possible.
> Clarify in which branch CVE-2022-26612 is fixed
> -----------------------------------------------
>
> Key: HADOOP-18317
> URL: https://issues.apache.org/jira/browse/HADOOP-18317
> Project: Hadoop Common
> Issue Type: Task
> Components: common
> Reporter: Alex Dettinger
> Priority: Major
>
> According to HADOOP-18198, CVE-2022-26612 has been fixed in version 3.3.3.
> The underlying ticket where the fix occurred is HADOOP-18155. This ticket has
> fix versions including 2.10.2.
> On top of that, it's clear to me that CVE-2022-26612 is fixed in
> hadoop-common:2.10.2.
> However, it is still reported as an issue in different places:
> * [https://github.com/advisories/GHSA-gx2c-fvhc-ph4j]
> * [https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-common/2.10.2]
> It may just be a false positive in a CVE database, still I prefer to
> double-check with the hadoop community.
> So, could you please state here whether CVE-2022-26612 is really fixed in
> the below versions of hadoop-common?
> * >= 2.10.2
> * >= 3.2.3
> * >= 3.3.3
> * >= 3.4.0
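The check described in the comment above (inspecting the commit history of each release tag to confirm the fix is included) can be scripted. The following is an added example and is not part of the Jira thread or of the Hadoop project: it builds a throwaway local git repository with constructed commits and tags, locates the fix commit by its JIRA id in the commit message, and asks git whether each release tag contains that commit. The repository, the tag names used for the demo, and the commit are all constructed here; against a real clone of apache/hadoop you would point it at the clone, grep for HADOOP-18155, and check the `rel/release-*` tags listed above. The real fix commit hash is not on this page and is deliberately not hard-coded.

```shell
#!/bin/sh
# Added example (not from the Jira thread or the Hadoop project).
# Verifies that a fix commit is an ancestor of a set of release tags.
set -eu

# Build a disposable repository: one commit before the fix, the fix commit,
# and two tags that stand in for a release line before and after the fix.
# Everything here is constructed for the demo; identity values are fake.
make_demo_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" -c user.name=demo -c user.email=demo@example.com \
    commit -q --allow-empty -m "Unrelated change before the fix"
  git -C "$dir" tag rel/release-2.10.1
  git -C "$dir" -c user.name=demo -c user.email=demo@example.com \
    commit -q --allow-empty -m "HADOOP-18155. Constructed stand-in for the fix commit"
  git -C "$dir" tag rel/release-2.10.2
  echo "$dir"
}

# Find the newest commit (on any branch) whose message mentions the JIRA id.
# Usage: find_fix_commit <repo> <jira-id>
find_fix_commit() {
  git -C "$1" log --all -1 --format=%H --grep="$2"
}

# Return 0 if <tag> contains <commit>, 1 otherwise.
# git merge-base --is-ancestor succeeds when the first ref is an ancestor of
# (or equal to) the second, which is exactly "this release includes the fix".
# Usage: tag_contains_fix <repo> <tag> <commit>
tag_contains_fix() {
  repo=$1; tag=$2; commit=$3
  if git -C "$repo" merge-base --is-ancestor "$commit" "$tag"; then
    echo "FIXED    $tag contains $commit"
    return 0
  else
    echo "MISSING  $tag does not contain $commit"
    return 1
  fi
}

# Demo run: for a real check, set REPO to a clone of apache/hadoop and
# JIRA_ID to HADOOP-18155, then list the rel/release-* tags of interest.
REPO=$(make_demo_repo)
JIRA_ID="HADOOP-18155"
FIX=$(find_fix_commit "$REPO" "$JIRA_ID")
for tag in rel/release-2.10.1 rel/release-2.10.2; do
  tag_contains_fix "$REPO" "$tag" "$FIX" || true
done
```

The same loop against a real clone, with `git merge-base --is-ancestor` rather than a line-by-line read of each tag's history, gives a yes/no answer per release tag that can be pasted into an advisory or a CVE database correction request.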
--
This message was sent by Atlassian Jira
(v8.20.10#820010)