[jira] [Commented] (APEXCORE-815) Whitelist CVE-2016-6811


JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/APEXCORE-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16477439#comment-16477439 ]

ASF GitHub Bot commented on APEXCORE-815:

tweise closed pull request #601: APEXCORE-815 Whitelist CVE-2016-6811
URL: https://github.com/apache/apex-core/pull/601

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/dependency-check-whitelist.xml b/dependency-check-whitelist.xml
index 700c986860..a8c4fbcbf1 100644
--- a/dependency-check-whitelist.xml
+++ b/dependency-check-whitelist.xml
@@ -20,4 +20,7 @@
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+  <suppress>
+    <cve>CVE-2016-6811</cve>
+  </suppress>
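Review bot: the `<suppress>` element added at lines 32-34 has no `<notes>` and no scoping element, so it silences CVE-2016-6811 for every artifact dependency-check ever matches to that CVE, and the justification from the ticket (the vulnerability is in the YARN cluster itself, per YARN-5121) is not recorded anywhere in the file. The dependency-suppression.1.1.xsd schema referenced on line 31 supports `<notes>` and a `<gav>` (with `regex="true"`) filter; consider limiting the suppression to the Hadoop YARN artifacts and recording the reason, e.g. `<notes>APEXCORE-815: CVE-2016-6811 affects the YARN cluster, not the client libraries (see YARN-5121)</notes>` followed by `<gav regex="true">^org\.apache\.hadoop:hadoop-yarn.*$</gav>` above the existing `<cve>CVE-2016-6811</cve>` line. Without the scope, a future, unrelated dependency mapped to this CVE would be suppressed silently.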
diff --git a/docs/application_development.md b/docs/application_development.md
index 6bfa3fdd63..f3398e2a3b 100644
--- a/docs/application_development.md
+++ b/docs/application_development.md
@@ -695,7 +695,8 @@ submitted to the Hadoop cluster and executes as a  multi-processapplication on 
 Before you start deploying, testing and troubleshooting your
 application on a cluster, you should ensure that Hadoop (version 2.6.0
 or later) is properly installed and
-you have basic skills for working with it.
+you have basic skills for working with it. Due to a known vulnerability in Apache Yarn, Apex community
+recommends Hadoop version 2.7.4 or later.
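Review bot: the added sentence at lines 44-45 names neither the vulnerability nor what it affects, so a reader of the documentation cannot judge whether the 2.7.4 recommendation applies to their deployment. State the identifier and the scope recorded in the ticket, e.g. "Because of CVE-2016-6811 in Apache Hadoop YARN 2.7.3 and earlier (the vulnerability is in the YARN cluster itself, see YARN-5121), the Apex community recommends Hadoop version 2.7.4 or later." Two wording points in the same lines: "Apex community" should read "the Apex community", and the project is normally written "Apache Hadoop YARN" rather than "Apache Yarn".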


This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[hidden email]

> Whitelist CVE-2016-6811
> -----------------------
>                 Key: APEXCORE-815
>                 URL: https://issues.apache.org/jira/browse/APEXCORE-815
>             Project: Apache Apex Core
>          Issue Type: Task
>            Reporter: Vlad Rozov
>            Assignee: Vlad Rozov
>            Priority: Major
>             Fix For: 4.0.0
> There is an old vulnerability in Yarn version 2.7.3 and below (please see [CVE-2016-6811|https://www.cvedetails.com/cve/CVE-2016-6811]) that was recently marked as severity 9, and now it breaks the Apex build. Based on my analysis, the vulnerability affects the Yarn cluster itself (see [YARN-5121|https://issues.apache.org/jira/browse/YARN-5121]).

This message was sent by Atlassian JIRA