[HADOOP-17683] Update commons-io to 2.8.0 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.3.1, 3.4.0
Fix Version/s: 3.3.1, 3.4.0
Component/s: build, common
Labels:
- pull-request-available

Target Version/s:

3.3.1, 3.4.0
Hadoop Flags:

Reviewed

Description

https://nvd.nist.gov/vuln/detail/CVE-2021-29425

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

We don't use this API in the Hadoop code, but it's still good to update anyway (we're on 2.5, which is 4 years old)

Attachments

Issue Links

breaks

MAPREDUCE-7348 TestFrameworkUploader#testNativeIO fails

Resolved

is related to

HADOOP-17972 Backport HADOOP-17683 for branch-3.2

Resolved

links to

GitHub Pull Request #2974

Activity

People

Assignee:: Akira Ajisaka

Reporter:: Wei-Chiu Chuang

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 04/May/21 08:44

Updated:: 12/Feb/24 07:34

Resolved:: 12/May/21 02:04

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

40m