Thanks for the super helpful response Ayush. That gave me all the answers I needed.
Dan

On Fri, Dec 15, 2023 at 11:06 AM Ayush Saxena <ayush...@gmail.com> wrote:

> Hi Dan,
> We usually get a new thirdparty release before the main hadoop
> release, so the newer commits part of hadoop-thirdparty would most
> probably be released and would be part of the next 3.4.0 or 3.3.x
> release, supposedly to happen in early of next year.
>
> Regarding the guava stuff, we use the shaded guava from
> hadoop-thirdparty in the hadoop code, so the one there in the hadoop
> code(HADOOP-18843) doesn't cause any CVE issues to hadoop code, that
> is just kept for the thirdparty libs which we pull in transitively
>
> -Ayush
>
> On Fri, 15 Dec 2023 at 22:25, Dan Huff <dan.h...@dremio.com.invalid>
> wrote:
> >
> > Hello Hadoop Devs--
> >
> > I have a question about the hadoop-thirdparty repository.
> >
> > Recent commits have addressed a couple CVEs for packages used in
> > hadoop-thirdparty. CVE-2023-39410 for avro was addressed by
> > https://github.com/apache/hadoop-thirdparty/commit/910f2c9 and
> > CVE-2023-2976 for guava was addressed by
> > https://github.com/apache/hadoop-thirdparty/commit/52c38fe. I also saw that
> > a similar update for guava is being proposed for Hadoop Common via
> > HADOOP-19005.
> >
> > Is there a possibility of a 1.1.2 release being cut for hadoop-thirdparty
> > to get these fixes released?
> >
> > Thanks for your time,
> >
> > Dan Huff