diff --git a/celeborn-0.6.advisories.yaml b/celeborn-0.6.advisories.yaml index 83288e8ac8..e11667940a 100644 --- a/celeborn-0.6.advisories.yaml +++ b/celeborn-0.6.advisories.yaml @@ -21,6 +21,10 @@ advisories: componentType: java-archive componentLocation: /usr/share/java/celeborn/jars/ratis-thirdparty-misc-1.0.9.jar scanner: grype + - timestamp: 2025-10-27T13:59:48Z + type: pending-upstream-fix + data: + note: netty-codec is brought into celeborn via ratis (already on most recent version 3.2.0) pulling in ratis-thirdparty. Upstream maintainers must update ratis versions to pull in the fixed version of netty. - id: CGA-5hf2-h5q8-9hj9 aliases: @@ -39,6 +43,10 @@ advisories: componentType: java-archive componentLocation: /usr/share/java/celeborn/jars/hadoop-client-runtime-3.4.2.jar scanner: grype + - timestamp: 2025-10-27T14:20:15Z + type: pending-upstream-fix + data: + note: jackson-core is brought into celeborn via hadoop, which is already on the most recent version 3.4.2. Upstream maintainers of hadoop and celeborn will need to update the jackson-core version. - id: CGA-6x4w-p6ww-h8w6 aliases: @@ -57,6 +65,10 @@ advisories: componentType: java-archive componentLocation: /usr/share/java/celeborn/jars/hadoop-client-runtime-3.4.2.jar scanner: grype + - timestamp: 2025-10-27T14:18:05Z + type: pending-upstream-fix + data: + note: jackson-core is brought into celeborn via hadoop, which is already on the most recent version 3.4.2. Upstream maintainers of hadoop and celeborn will need to update the jackson-core version. - id: CGA-83gp-5pgm-4v7j aliases: 
@@ -75,6 +87,10 @@ advisories: componentType: java-archive componentLocation: /usr/share/java/celeborn/jars/ratis-thirdparty-misc-1.0.9.jar scanner: grype + - timestamp: 2025-10-27T13:57:35Z + type: pending-upstream-fix + data: + note: netty-codec is brought into celeborn via ratis (already on most recent version 3.2.0) pulling in ratis-thirdparty. Upstream maintainers must update ratis versions to pull in the fixed version of netty. - id: CGA-f3jr-397v-cw8h aliases: @@ -93,6 +109,10 @@ advisories: componentType: java-archive componentLocation: /usr/share/java/celeborn/jars/hadoop-client-runtime-3.4.2.jar scanner: grype + - timestamp: 2025-10-27T14:38:54Z + type: pending-upstream-fix + data: + note: jetty-http is used directly by celeborn and is also brought in by hadoop. jetty 9 is EOL and upstream maintainers need to transition to jetty 12 to receive CVE fixes. See https://github.com/jetty/jetty.project/issues/12783. - id: CGA-jj82-g9w9-4xfr aliases: @@ -111,6 +131,10 @@ advisories: componentType: java-archive componentLocation: /usr/share/java/celeborn/jars/hadoop-client-runtime-3.4.2.jar scanner: grype + - timestamp: 2025-10-27T14:23:03Z + type: pending-upstream-fix + data: + note: nimbus-jose-jwt is brought into celeborn via hadoop, which is already on the most recent version 3.4.2. Upstream maintainers of hadoop and celeborn will need to update the jackson-core version. - id: CGA-q5j9-wq6q-3g58 aliases: @@ -129,6 +153,10 @@ advisories: componentType: java-archive componentLocation: /usr/share/java/celeborn/jars/hadoop-client-runtime-3.4.2.jar scanner: grype + - timestamp: 2025-10-27T14:21:30Z + type: pending-upstream-fix + data: + note: commons-lang3 is brought into celeborn via hadoop, which is already on the most recent version 3.4.2. Upstream maintainers of hadoop and celeborn will need to update the jackson-core version. - id: CGA-v929-wm8j-8mwj aliases: 
@@ -147,3 +175,7 @@ advisories: componentType: java-archive componentLocation: /usr/share/java/celeborn/jars/ratis-thirdparty-misc-1.0.9.jar scanner: grype + - timestamp: 2025-10-27T13:59:09Z + type: pending-upstream-fix + data: + note: netty-codec is brought into celeborn via ratis (already on most recent version 3.2.0) pulling in ratis-thirdparty. Upstream maintainers must update ratis versions to pull in the fixed version of netty.
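Review bot: the nimbus-jose-jwt hunk (timestamp 2025-10-27T14:23:03Z) ends with "will need to update the jackson-core version", which is a copy-paste from the jackson-core notes above; the component this advisory tracks is nimbus-jose-jwt in hadoop-client-runtime-3.4.2.jar, so the note should say "update the nimbus-jose-jwt version". As written the pending-upstream-fix event points maintainers at the wrong dependency.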
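Review bot: the commons-lang3 hunk (timestamp 2025-10-27T14:21:30Z) has the same copy-paste problem: it opens with "commons-lang3 is brought into celeborn via hadoop" but closes with "update the jackson-core version". Change the closing sentence to name commons-lang3, otherwise the note contradicts itself.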
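Review bot: the three netty-codec notes (timestamps 13:59:48Z, 13:57:35Z and 13:59:09Z) say ratis is "already on most recent version 3.2.0" and that maintainers "must update ratis versions", but the componentLocation in each of those hunks is ratis-thirdparty-misc-1.0.9.jar, so the artifact that has to move is ratis-thirdparty, not ratis itself. Suggest naming the ratis-thirdparty release that ships the fixed netty if one exists, or stating that none has been published yet, so the pending-upstream-fix status can be re-checked later; also consider de-duplicating the wording since the same sentence is pasted into all three hunks.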
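Review bot: the two jackson-core notes (timestamps 14:20:15Z and 14:18:05Z) name no fixed jackson-core version and no upstream tracking issue, unlike the jetty-http note which links jetty/jetty.project#12783. A fixed-version number or a hadoop/celeborn issue link would give a concrete condition for closing the pending-upstream-fix event.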
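Review bot: the jetty-http note (timestamp 14:38:54Z) says jetty-http "is used directly by celeborn and is also brought in by hadoop", but the only componentLocation recorded in that hunk is hadoop-client-runtime-3.4.2.jar. If celeborn ships its own jetty-http jar under /usr/share/java/celeborn/jars/, that location should be listed too (or the "used directly" claim dropped), since the migration to jetty 12 the note asks for would have to cover both copies.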