[
https://issues.apache.org/jira/browse/HADOOP-19830?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Steve Loughran updated HADOOP-19830:
------------------------------------
Priority: Minor (was: Major)
> AWS SDK v1 dependencies in hadoop-aws library
> ---------------------------------------------
>
> Key: HADOOP-19830
> URL: https://issues.apache.org/jira/browse/HADOOP-19830
> Project: Hadoop Common
> Issue Type: Improvement
> Components: build, fs/s3
> Affects Versions: 3.4.3
> Reporter: Mykyta Danylchenko
> Priority: Minor
>
> The `hadoop-aws`
> [library|https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-aws]
> contains a dependency on the `com.amazonaws:aws-java-sdk-core` library, which
> AWS no longer patches, including for security vulnerabilities. This forces
> every downstream consumer, for example
> [spark-core|https://mvnrepository.com/artifact/org.apache.spark/spark-core],
> to carry an end-of-life dependency with no remediation path, resulting in
> unpatched vulnerabilities and compliance failures.
> It would be great to replace `aws-java-sdk-core` with the equivalent
> counterpart from AWS SDK for Java 2.x.