Hi Dan,

We usually get a new thirdparty release before the main hadoop release, so the newer commits part of hadoop-thirdparty would most probably be released and would be part of the next 3.4.0 or 3.3.x release, supposedly to happen early next year.

Regarding the guava stuff, we use the shaded guava from hadoop-thirdparty in the hadoop code, so the one there in the hadoop code (HADOOP-18843) doesn't cause any CVE issues to hadoop code; that is just kept for the thirdparty libs which we pull in transitively.

-Ayush

On Fri, 15 Dec 2023 at 22:25, Dan Huff <dan.h...@dremio.com.invalid> wrote:
>
> Hello Hadoop Devs--
>
> I have a question about the hadoop-thirdparty repository.
>
> Recent commits have addressed a couple CVEs for packages used in
> hadoop-thirdparty. CVE-2023-39410 for avro was addressed by
> https://github.com/apache/hadoop-thirdparty/commit/910f2c9 and
> CVE-2023-2976 for guava was addressed by
> https://github.com/apache/hadoop-thirdparty/commit/52c38fe. I also saw that
> a similar update for guava is being proposed for Hadoop Common via
> HADOOP-19005.
>
> Is there a possibility of a 1.1.2 release being cut for hadoop-thirdparty
> to get these fixes released?
>
> Thanks for your time,
>
> Dan Huff