HADOOP-18561. Update commons-net to 3.9.0 (#5214)

[steveloughran]

Addresses CVE-2021-37533, which only relates to FTP.

Applications not using the ftp:// filesystem, which, as anyone who has used it will know is very minimal and so rarely used, is not a critical part of the project.

Furthermore, the FTP-related issue is at worst information leakage if someone connects to a malicious server.

This is a due diligence PR rather than an emergency fix.

Contributed by Steve Loughran

Description of PR

branch-3.3 backport of #5214

For code changes:

• Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
• Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
• If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
• If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

[hadoop-yetus]

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 55s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+0 🆗	xmllint	0m 0s		xmllint was not available.
+0 🆗	shelldocs	0m 0s		Shelldocs was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
-1 ❌	test4tests	0m 0s		The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
			_ branch-3.3 Compile Tests _
+0 🆗	mvndep	14m 44s		Maven dependency ordering for branch
+1 💚	mvninstall	26m 55s		branch-3.3 passed
+1 💚	compile	19m 5s		branch-3.3 passed
+1 💚	mvnsite	21m 59s		branch-3.3 passed
+1 💚	javadoc	7m 58s		branch-3.3 passed
+1 💚	shadedclient	32m 55s		branch has no errors when building and testing our client artifacts.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 31s		Maven dependency ordering for patch
+1 💚	mvninstall	26m 17s		the patch passed
+1 💚	compile	20m 29s		the patch passed
-1 ❌	javac	20m 29s	/results-compile-javac-root.txt	root generated 3 new + 1862 unchanged - 0 fixed = 1865 total (was 1862)
+1 💚	blanks	0m 0s		The patch has no blanks issues.
+1 💚	mvnsite	21m 59s		the patch passed
+1 💚	shellcheck	0m 0s		No new issues.
+1 💚	javadoc	7m 15s		the patch passed
+1 💚	shadedclient	32m 10s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
-1 ❌	unit	776m 25s	/patch-unit-root.txt	root in the patch passed.
+1 💚	asflicense	2m 15s		The patch does not generate ASF License warnings.
		999m 46s

Reason	Tests
Failed junit tests	hadoop.yarn.server.resourcemanager.reservation.TestCapacityOverTimePolicy
	hadoop.yarn.server.timelineservice.security.TestTimelineAuthFilterForV2
	hadoop.yarn.client.TestRMFailover
	hadoop.fs.contract.router.web.TestRouterWebHDFSContractCreate
	hadoop.hdfs.TestLeaseRecovery2
	hadoop.hdfs.server.datanode.TestBPOfferService
	hadoop.hdfs.TestFileLengthOnClusterRestart
	hadoop.hdfs.TestReconstructStripedFileWithValidator
	hadoop.hdfs.TestFileCreation
	hadoop.hdfs.server.namenode.TestDiskspaceQuotaUpdate
	hadoop.hdfs.TestErasureCodingPolicyWithSnapshotWithRandomECPolicy
	hadoop.hdfs.TestErasureCodingPolicyWithSnapshot

Subsystem	Report/Notes
Docker	ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5227/2/artifact/out/Dockerfile
GITHUB PR	#5227
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs
uname	Linux 5eb2708445e1 4.15.0-200-generic #211-Ubuntu SMP Thu Nov 24 18:16:04 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	branch-3.3 / 3f57e7b
Default Java	Private Build-1.8.0_352-8u352-ga-1~18.04-b08
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5227/2/testReport/
Max. process+thread count	2901 (vs. ulimit of 5500)
modules	C: hadoop-project . U: .
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5227/2/console
versions	git=2.17.1 maven=3.6.0 shellcheck=0.4.6
Powered by	Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

[steveloughran]

test failures are hdfs. a mix of disk capacity and timeouts. I'm assuming these are not related to commons-net as they don't reoccur on branch-3.3.5 with the patch and they don't use the bits of code with commons-net in (ftp and some dns)

[steveloughran]

+1, merging