[TEZ-4353] Update commons-io to 2.8.0 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 0.10.0
Fix Version/s: 0.10.2
Component/s: None
Labels:
None

Description

https://nvd.nist.gov/vuln/detail/CVE-2021-29425

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

It is better to upgrade from 2.4 to 2.7 to fix the vulnerability.

As we are planning to be in sync with the hadoop dependencies version, it is better to upgrade to 2.8.0 as support to hadoop-3.3 is in progress(~~TEZ-4311~~)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

TEZ-4353.001.patch
16/Nov/21 08:50
0.4 kB
D M Murali Krishna Reddy

Issue Links

links to

GitHub Pull Request #165

Activity

People

Assignee:: D M Murali Krishna Reddy

Reporter:: D M Murali Krishna Reddy

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 16/Nov/21 08:02

Updated:: 25/Nov/21 12:23

Resolved:: 25/Nov/21 12:23

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

50m