Posted to issues@tez.apache.org by "László Bodor (Jira)" <ji...@apache.org> on 2021/11/19 08:55:00 UTC

[jira] [Comment Edited] (TEZ-4353) Update commons-io to 2.7

    [ https://issues.apache.org/jira/browse/TEZ-4353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17446369#comment-17446369 ] 

László Bodor edited comment on TEZ-4353 at 11/19/21, 8:54 AM:
--------------------------------------------------------------

Thanks for the patch [~dmmkr]!
There is a Hadoop 3.3.1 upgrade in progress (TEZ-4311), after which we're trying to stay synchronized with Hadoop's dependencies. As far as I can see, there is commons-io 2.8.0 on hadoop/branch-3.3.1; maybe we can jump to that version now if it doesn't cause any issues at the moment. Could you please check?


was (Author: abstractdog):
Thanks for the patch [~dmmkr]!
There is a Hadoop 3.3.1 upgrade in progress (TEZ-4311), after which we're trying to stay synchronized with Hadoop's dependencies. As far as I can see, there is commons-io 2.8.0 on branch-3.3.1; maybe we can jump to that version now if it doesn't cause any issues at the moment. Could you please check?

> Update commons-io to 2.7
> ------------------------
>
>                 Key: TEZ-4353
>                 URL: https://issues.apache.org/jira/browse/TEZ-4353
>             Project: Apache Tez
>          Issue Type: Improvement
>    Affects Versions: 0.10.0
>            Reporter: D M Murali Krishna Reddy
>            Assignee: D M Murali Krishna Reddy
>            Priority: Major
>         Attachments: TEZ-4353.001.patch
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> [https://nvd.nist.gov/vuln/detail/CVE-2021-29425]
> In Apache Commons IO before 2.7, when invoking the method FilenameUtils.normalize with an improper input string, like "//../foo" or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
> It is better to upgrade from 2.4 to 2.7 to fix the vulnerability.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
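The CVE text quoted in the issue describes the failure mode in one sentence; the following is an added example (not Tez code and not commons-io code) that shows the same pattern in working Java: a caller that treats a non-null result from FilenameUtils.normalize() as proof that the path is safe, next to a resolver that confines the result to a base directory and so holds whether commons-io 2.4 or 2.7+ is on the classpath. It assumes commons-io is available as a dependency; the base directory /srv/app/data, the class and method names, and the SAMPLES inputs are constructed for the example and nothing is read from disk.

```java
import java.io.File;
import java.nio.file.Path;
import java.nio.file.Paths;
import org.apache.commons.io.FilenameUtils;

/**
 * Added example for CVE-2021-29425 (not Tez or commons-io code).
 * Contrasts "normalize() != null means safe" with a containment check
 * that does not depend on the commons-io version.
 */
public class NormalizeTraversalDemo {

    /** Constructed inputs: the two strings from the CVE text plus a benign and an obvious case. */
    static final String[] SAMPLES = {
        "reports/q1.txt",   // benign relative path
        "../etc/passwd",    // obvious traversal: normalize() returns null in every version
        "//../foo",         // CVE case: before 2.7 normalize() returns it unchanged
        "\\\\..\\foo",      // CVE case with Windows separators
    };

    /**
     * Vulnerable pattern: a non-null result from normalize() is trusted.
     * Before 2.7, "//../foo" is read as a UNC path whose "host" is "..",
     * so it comes back unchanged. java.io.File then collapses the doubled
     * separator and the file lands at baseDir/../foo: one level above
     * baseDir, the "limited" traversal the CVE describes.
     */
    static Path vulnerableResolve(Path baseDir, String userPath) {
        String normalized = FilenameUtils.normalize(userPath);
        if (normalized == null) {
            throw new IllegalArgumentException("rejected: " + userPath);
        }
        return new File(baseDir.toFile(), normalized).toPath().normalize();
    }

    /**
     * Hardened pattern: normalize to unix separators, reject anything that
     * still carries a prefix (absolute, drive or UNC), then require the fully
     * resolved path to stay under baseDir. Each check is independent of the
     * commons-io version, so the CVE inputs are rejected with 2.4 as well.
     */
    static Path hardenedResolve(Path baseDir, String userPath) {
        String normalized = FilenameUtils.normalize(userPath, true);
        // Pre-2.7 normalize() hands "//../foo" back with a UNC prefix, and
        // getPrefixLength() reports it, so the CVE input is caught here.
        if (normalized == null || FilenameUtils.getPrefixLength(normalized) != 0) {
            throw new IllegalArgumentException("rejected: " + userPath);
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path resolved = base.resolve(normalized).normalize();
        // Final containment check: the result must be base itself or below it.
        if (!resolved.startsWith(base)) {
            throw new IllegalArgumentException("rejected: " + userPath);
        }
        return resolved;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/srv/app/data"); // constructed base directory, never touched on disk
        for (String sample : SAMPLES) {
            System.out.printf("%-16s normalize() -> %s%n", sample, FilenameUtils.normalize(sample));
            try {
                System.out.println("  vulnerable: " + vulnerableResolve(base, sample));
            } catch (IllegalArgumentException e) {
                System.out.println("  vulnerable: " + e.getMessage());
            }
            try {
                System.out.println("  hardened:   " + hardenedResolve(base, sample));
            } catch (IllegalArgumentException e) {
                System.out.println("  hardened:   " + e.getMessage());
            }
        }
    }
}
```

Run it once against commons-io 2.4 and once against 2.7 or later: with the old jar, vulnerableResolve() maps "//../foo" to /srv/app/foo (outside the base directory) while hardenedResolve() rejects it; with the fixed jar, normalize() returns null for that input and both paths reject it. The containment check is the part worth keeping regardless of the upgrade, since it also covers inputs normalize() was never designed to filter.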