[HADOOP-18512] upgrade woodstox-core to 5.4.0 for security fix - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.3.4
Fix Version/s: 3.4.0, 3.3.5
Component/s: common
Labels:
- pull-request-available

Target Version/s:

3.4.0, 3.3.5
Hadoop Flags:

Reviewed

Description

Per issue, woodstox-core 5.3.0 has security vulnerability and need to upgrade to 5.4.0 for fix.

The Hadoop Configuration classes uses woodstox to parse the XML format (core-site.xml, ...) but

people don't normally put in DTDs
the XML format is not the wire format used when applications submit jobs to the yarn resource manager.
when parsing untrusted XML configuration files in restricted mode (eg. oozie workflows), DTD support is already disabled

Attachments

Issue Links

links to

GitHub Pull Request #5087

Activity

People

Assignee:: PJ Fanning

Reporter:: phoebe chen

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 27/Oct/22 21:05

Updated:: 27/Jan/24 09:05

Resolved:: 01/Nov/22 18:53