[ 
https://issues.apache.org/jira/browse/HADOOP-18197?focusedWorklogId=779906&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-779906
 ]

ASF GitHub Bot logged work on HADOOP-18197:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 09/Jun/22 12:09
            Start Date: 09/Jun/22 12:09
    Worklog Time Spent: 10m 
      Work Description: steveloughran commented on PR #19:
URL: https://github.com/apache/hadoop-thirdparty/pull/19#issuecomment-1151040619

   Aah, I see the discussion. OK, that complicates life even more. Really not 
sure what to do here. 
   
   If we were exporting a module for others to use, that version in the module 
name makes sense. If this is for internal use *only*, then not giving it a name 
works better.
   
   What to do here? 
   1. Rename the module and pom artifacts, and then have Hadoop versions import 
the protobuf_3_21 module.
   2. Keep both side by side.
   
   If the repackaging retains the names of the paths, then after adding a new 
module with the new version, new compilations will link with the new lib, but 
old stuff will still work.
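
As an added illustration of the second option in the comment above (two shaded modules side by side, with the protobuf version in the artifact name but the relocated package path left unchanged), here is a maven-shade-plugin fragment. It is not code from the hadoop-thirdparty PR; the artifact id `hadoop-shaded-protobuf_3_21`, the relocated package `org.apache.hadoop.thirdparty.protobuf` and the protobuf version `3.21.1` are assumptions for the example.

```xml
<!-- Added example, not from the hadoop-thirdparty PR. The artifact id, the
     relocated package and the protobuf version are assumed for illustration. -->
<project>
  <groupId>org.apache.hadoop.thirdparty</groupId>
  <!-- the protobuf version is carried in the artifact name ... -->
  <artifactId>hadoop-shaded-protobuf_3_21</artifactId>
  <version>1.2.0-SNAPSHOT</version>

  <dependencies>
    <dependency>
      <groupId>com.google.protobuf</groupId>
      <artifactId>protobuf-java</artifactId>
      <version>3.21.1</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-shade-plugin</artifactId>
        <executions>
          <execution>
            <phase>package</phase>
            <goals><goal>shade</goal></goals>
            <configuration>
              <relocations>
                <relocation>
                  <!-- ... but the relocated class path is the same one the
                       older shaded module uses, so code compiled against
                       either module resolves the same class names -->
                  <pattern>com.google.protobuf</pattern>
                  <shadedPattern>org.apache.hadoop.thirdparty.protobuf</shadedPattern>
                </relocation>
              </relocations>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

A consumer then depends on the `_3_21` artifact and keeps importing `org.apache.hadoop.thirdparty.protobuf.*`, so freshly compiled code picks up the new library while jars built against the older shaded module still link, because the class names did not move. The caveat with keeping both modules side by side is that if both jars end up on one classpath they provide the same class names, and whichever the loader sees first wins; the old, vulnerable copy can still be the one that is actually loaded unless it is excluded.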




Issue Time Tracking
-------------------

    Worklog Id:     (was: 779906)
    Time Spent: 0.5h  (was: 20m)

> Update protobuf 3.7.1 to a version without CVE-2021-22569
> ---------------------------------------------------------
>
>                 Key: HADOOP-18197
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18197
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Ivan Viaznikov
>            Priority: Major
>              Labels: pull-request-available, security
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> The artifact `org.apache.hadoop:hadoop-common` brings in a dependency 
> `com.google.protobuf:protobuf-java:2.5.0`, which is an outdated version 
> released in 2013 and it contains a vulnerability 
> [CVE-2021-22569|https://nvd.nist.gov/vuln/detail/CVE-2021-22569].
> Therefore, requesting you to clarify if this library version is going to be 
> updated in the following releases.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
