[ https://issues.apache.org/jira/browse/HADOOP-18197?focusedWorklogId=796073&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-796073 ]

ASF GitHub Bot logged work on HADOOP-18197:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 28/Jul/22 13:40
            Start Date: 28/Jul/22 13:40
    Worklog Time Spent: 10m
      Work Description: steveloughran commented on PR #19:
URL: https://github.com/apache/hadoop-thirdparty/pull/19#issuecomment-1198157881

   thinking of doing it differently
   * add the 3.21 stuff parallel to the 3.7
   * all our own code switches to the new shaded release
   * delete the old version

   this will break anything linked to the old one. I'd thought about leaving it
there, but then thought about how you would get a maven build to do that and
concluded that "it would get so complex, so fast, it's only justifiable if we
know external code uses it. Or that people may want to drop this jar in in
place of the previous one?

Issue Time Tracking
-------------------

    Worklog Id:     (was: 796073)
    Time Spent: 50m  (was: 40m)

> Update protobuf 3.7.1 to a version without CVE-2021-22569
> ---------------------------------------------------------
>
>                 Key: HADOOP-18197
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18197
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Ivan Viaznikov
>            Priority: Major
>              Labels: pull-request-available, security
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> The artifact `org.apache.hadoop:hadoop-common` brings in a dependency 
> `com.google.protobuf:protobuf-java:2.5.0`, which is an outdated version 
> released in 2013 and it contains a vulnerability 
> [CVE-2021-22569|https://nvd.nist.gov/vuln/detail/CVE-2021-22569].
> Therefore, requesting you to clarify if this library version is going to be 
> updated in the following releases.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)