BartMiki opened a new issue, #14454: URL: https://github.com/apache/druid/issues/14454
### Affected Version

* 25.0.0
* 26.0.0
* 27.0.0-SNAPSHOT

### Description

Current builds of Apache Druid in versions 25.0.0, 26.0.0, and the newest snapshot are using the Ranger dependency in version 2.0.0. This, however, has a transient dependency on log4j 1.27, which is extremely vulnerable. The presence of log4j 1.x raises vulnerability alerts in automatic builds at one of our clients.

There is an inactive issue with a similar problem, https://github.com/apache/druid/issues/9629, but we created this issue as we only want to update the Ranger extension. We already created a fork of the extension in our [repo](https://github.com/deep-bi/druid-ranger-security/tree/main) for Druid 25.0.0 and 26.0.0. We would like to contribute this change to the Druid source directly for all new versions of Druid.

There may be a problem as the new Ranger dependency is heavy. It depends on an Amazon library with a jar size of 200 MB. Looking at this issue, https://github.com/apache/druid/issues/11125, it may be a problem.
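The alerts the report mentions come from scanners that notice log4j 1.x classes shipped inside an extension's lib directory, whether as a plain `log4j` jar or shaded into another artifact. The script below is an added example, not code from the Druid or Ranger projects or from the issue author: it walks a directory of jars, flags any jar that bundles classes under the legacy `org.apache.log4j` package (log4j 1.x, as opposed to `org.apache.logging.log4j` for 2.x), and reads the version from the jar's Maven `pom.properties` when present. The jar names and contents it builds for its own run are constructed samples, not real artifacts.

```python
"""Detect bundled log4j 1.x classes in a directory of jars.

Added example (not Druid/Ranger project code). The sample jars created by
build_sample_lib_dir() are constructed for the demonstration only.
"""
import os
import tempfile
import zipfile

# Package prefixes that distinguish the two log4j generations.
LOG4J1_PREFIX = "org/apache/log4j/"          # log4j 1.x (end-of-life line)
LOG4J2_PREFIX = "org/apache/logging/log4j/"  # log4j 2.x

# Maven metadata path that the official log4j 1.x jars carry.
LOG4J1_POM_PROPS = "META-INF/maven/log4j/log4j/pom.properties"


def inspect_jar(path):
    """Describe the log4j content of one jar; None if it carries no log4j classes."""
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        has_v1 = any(n.startswith(LOG4J1_PREFIX) and n.endswith(".class") for n in names)
        has_v2 = any(n.startswith(LOG4J2_PREFIX) and n.endswith(".class") for n in names)
        if not (has_v1 or has_v2):
            return None
        version = None  # stays None for shaded copies without Maven metadata
        if LOG4J1_POM_PROPS in names:
            props = zf.read(LOG4J1_POM_PROPS).decode("utf-8", "replace")
            for line in props.splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return {"jar": os.path.basename(path), "log4j1": has_v1,
                "log4j2": has_v2, "version": version}


def scan_lib_dir(lib_dir):
    """Return findings (one dict per jar) for every jar that bundles log4j 1.x classes."""
    findings = []
    for root, _dirs, files in os.walk(lib_dir):
        for name in sorted(files):
            if name.endswith(".jar"):
                info = inspect_jar(os.path.join(root, name))
                if info and info["log4j1"]:
                    findings.append(info)
    return findings


def _write_jar(path, entries):
    """Write a minimal jar (zip) with the given entry name -> bytes/str mapping."""
    with zipfile.ZipFile(path, "w") as zf:
        for entry, data in entries.items():
            zf.writestr(entry, data)


def build_sample_lib_dir():
    """Create a temp directory with constructed jars: one plain log4j 1.x jar,
    one log4j 2.x jar, one jar that shades log4j 1.x classes, one unrelated jar."""
    lib = tempfile.mkdtemp(prefix="druid-ext-sample-")
    stub_class = b"\xca\xfe\xba\xbe"  # class-file magic only; constructed placeholder
    _write_jar(os.path.join(lib, "log4j-1.2.17.jar"), {
        "org/apache/log4j/Logger.class": stub_class,
        LOG4J1_POM_PROPS: "groupId=log4j\nartifactId=log4j\nversion=1.2.17\n",
    })
    _write_jar(os.path.join(lib, "log4j-core-2.20.0.jar"), {
        "org/apache/logging/log4j/core/Logger.class": stub_class,
    })
    _write_jar(os.path.join(lib, "ranger-shaded-constructed.jar"), {
        "org/apache/ranger/Plugin.class": stub_class,
        "org/apache/log4j/Category.class": stub_class,  # shaded log4j 1.x, no pom.properties
    })
    _write_jar(os.path.join(lib, "unrelated-plugin.jar"), {
        "com/example/Plugin.class": stub_class,
    })
    return lib


if __name__ == "__main__":
    target = os.sys.argv[1] if len(os.sys.argv) > 1 else build_sample_lib_dir()
    for finding in scan_lib_dir(target):
        print(f"{finding['jar']}: log4j 1.x classes present "
              f"(version={finding['version'] or 'unknown/shaded'})")
```

Run it with the path of an extension's lib directory as the first argument; without arguments it scans the constructed samples and reports the plain log4j jar with its version and the shaded jar with no version. Checking for the class prefix rather than the jar file name is what catches the shaded case, which a name-based inventory would miss.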
