This is an automated email from the ASF dual-hosted git repository.
mchades pushed a commit to branch branch-1.3
in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/branch-1.3 by this push:
new 6332213bc6 [Cherry-pick to branch-1.3] [#10457][followup]fix(deps):
Exclude log4j 1.x globally (CVE-2020-9493) (#11506) (#11545)
6332213bc6 is described below
commit 6332213bc6a219a96e41cf65212d82fae1b86ea3
Author: github-actions[bot]
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Wed Jun 10 18:02:25 2026 +0800
[Cherry-pick to branch-1.3] [#10457][followup]fix(deps): Exclude log4j 1.x
globally (CVE-2020-9493) (#11506) (#11545)
**Cherry-pick Information:**
- Original commit: b433b20c8aadd4946523b221c9c031f604cab8cd
- Target branch: `branch-1.3`
- Status: ✅ Clean cherry-pick (no conflicts)
Co-authored-by: Bharath Krishna <[email protected]>
---
build.gradle.kts | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/build.gradle.kts b/build.gradle.kts
index 91cc57796d..26fd64bd1e 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -342,6 +342,10 @@ subprojects {
configurations.all {
resolutionStrategy.force("commons-beanutils:commons-beanutils:$commonsBeanutilsVersion")
resolutionStrategy.force("org.xerial.snappy:snappy-java:$snappyJavaVersion")
+
+ // Exclude log4j 1.x (CVE-2020-9493, CVSS 9.8) pulled transitively by Hive
and Hadoop.
+ // The safe log4j-1.2-api bridge from Log4j 2.x is already included in the
log4j bundle.
+ exclude(group = "log4j", module = "log4j")
}
repositories {
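Review bot: the `exclude(group = "log4j", module = "log4j")` added in `configurations.all` sits inside `subprojects { ... }`, so the root project's own configurations are not covered even though the commit title calls the exclusion global. If the root project resolves any Hive or Hadoop artifacts, consider `allprojects` or a matching exclusion there. The new comment also relies on the log4j-1.2-api bridge being "already included in the log4j bundle", but nothing in this hunk ties that bundle to each subproject that loses log4j 1.x. It would help to name the bundle in the comment and to confirm with a dependency report that no configuration still resolves `log4j:log4j` and that the modules pulling in Hive and Hadoop keep the bridge on their runtime classpath.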