[https://issues.apache.org/jira/browse/HADOOP-17860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17623819#comment-17623819]
Steve Loughran commented on HADOOP-17860:
-----------------------------------------
[~toopt4] please review HADOOP-18487 and the PR to update our shaded protobuf
library: https://github.com/apache/hadoop/pull/4418
We are an open source project which depends on contributions from the
community. If we can get those two PRs in, then the 3.3.5 release will be free
of these issues. If we don't get the reviews and approval, then they will still
be in there.
*We need more than regular notifications of CVEs in dependencies in order to
make those CVEs go away.*
further reading:
https://steveloughran.blogspot.com/2022/08/transitive-issues.html
> Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities
> #CVE-2015-5237, CVE-2019-15544,
> ------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-17860
> URL: https://issues.apache.org/jira/browse/HADOOP-17860
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Sushanta Sen
> Priority: Major
>
> Third party jar protobuf-java-2.5.0.jar reports vulnerabilities
> CVE-2015-5237 and CVE-2019-15544 and needs to be upgraded.
> CVE-2019-15544:
> Vulnerability Description: An issue was discovered in the protobuf crate
> before 2.6.0 for Rust. Attackers can exhaust all memory via Vec::reserve
> calls.
> CVE-2015-5237:
> Vulnerability Description: protobuf allows remote authenticated attackers to
> cause a heap-based buffer overflow.
>
> Please review and let me know if you have any concerns or would like to add
> more details to upgrade.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)