[ https://issues.apache.org/jira/browse/HADOOP-18197?focusedWorklogId=780062&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-780062 ]

ASF GitHub Bot logged work on HADOOP-18197:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 09/Jun/22 17:14
            Start Date: 09/Jun/22 17:14
    Worklog Time Spent: 10m 
      Work Description: ayushtkn commented on PR #19:
URL: https://github.com/apache/hadoop-thirdparty/pull/19#issuecomment-1151391473

   HBase does shade protobuf and doesn't suffix the version, I suppose:
   https://github.com/apache/hbase-thirdparty/blob/master/hbase-shaded-protobuf/pom.xml#L25

   We are using this internally only I guess, the version will be tied with the hadoop-thirdparty release version. So, if I have to choose one option, I would choose to keep the name the same.

   If we choose to keep changing the name for some reason, we should start that with guava as well, at least for future releases.




Issue Time Tracking
-------------------

    Worklog Id:     (was: 780062)
    Time Spent: 40m  (was: 0.5h)

> Update protobuf 3.7.1 to a version without CVE-2021-22569
> ---------------------------------------------------------
>
>                 Key: HADOOP-18197
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18197
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Ivan Viaznikov
>            Priority: Major
>              Labels: pull-request-available, security
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> The artifact `org.apache.hadoop:hadoop-common` brings in a dependency 
> `com.google.protobuf:protobuf-java:2.5.0`, which is an outdated version 
> released in 2013 and it contains a vulnerability 
> [CVE-2021-22569|https://nvd.nist.gov/vuln/detail/CVE-2021-22569].
> Therefore, requesting you to clarify if this library version is going to be 
> updated in the following releases


