https://issues.apache.org/jira/browse/HADOOP-18197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17577359#comment-17577359
Steve Loughran commented on HADOOP-18197:
-----------------------------------------
> Just out of curiosity: what's the plan for protobuf 2.5.0 in older
> releases, e.g.: branch-2.10.2 or branch-3.2.3/4. Do we plan to update it to
> 2.6.1 or would that break things because it was not shaded? And what about
> newer branches and trunk should we just not ship the 2.5.0 jar?
nothing. if you search through the mail archives of "the great protobuf
upgrade", some time before hadoop 2 shipped, you will understand why. only with
a private shaded protobuf lib or simultaneous rebuild of every application can
you upgrade
> Update protobuf 3.7.1 to a version without CVE-2021-22569
> ---------------------------------------------------------
>
> Key: HADOOP-18197
> URL: https://issues.apache.org/jira/browse/HADOOP-18197
> Project: Hadoop Common
> Issue Type: Improvement
> Reporter: Ivan Viaznikov
> Priority: Major
> Labels: pull-request-available, security
> Time Spent: 50m
> Remaining Estimate: 0h
>
> The artifact `org.apache.hadoop:hadoop-common` brings in a dependency
> `com.google.protobuf:protobuf-java:2.5.0`, which is an outdated version
> released in 2013 and it contains a vulnerability
> [CVE-2021-22569|https://nvd.nist.gov/vuln/detail/CVE-2021-22569].
> Therefore, requesting you to clarify if this library version is going to be
> updated in the following releases