[YARN-11611] Remove json-io to 4.14.1 due to CVE-2023-34610 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.4.0
Fix Version/s: 3.4.0
Component/s: yarn
Labels:
- pull-request-available

Target Version/s:

3.4.0
Hadoop Flags:

Reviewed

Description

An issue was discovered in json-io 4.14.0 that allows attackers to cause a denial of service via crafted object that uses cyclic dependencies. de.ruedigermoeller:fst only imports java-util (and through that json-io) as a test dependency, so I think we can safely add an exclusion for it.

Attachments

Issue Links

links to

GitHub Pull Request #6257

Activity

People

Assignee:: Benjamin Teke

Reporter:: Benjamin Teke

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 06/Nov/23 15:20

Updated:: 28/Jan/24 00:39

Resolved:: 28/Nov/23 13:47