[ https://issues.apache.org/jira/browse/HADOOP-18848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17753569#comment-17753569 ]
Steve Loughran commented on HADOOP-18848:
-----------------------------------------
Going to say this is the ongoing "protobuf is a pita" issue. Someone needs to
volunteer to own this *and it's not me* as someone in the hdfs or yarn team
needs to take ownership of something which is going to break their code more
than anything else.
Tagging as duplicate of HADOOP-18197.
> Upgrade protobuf to 3.15.0 or newer
> -----------------------------------
>
> Key: HADOOP-18848
> URL: https://issues.apache.org/jira/browse/HADOOP-18848
> Project: Hadoop Common
> Issue Type: Improvement
> Components: hadoop-thirdparty
> Affects Versions: 3.3.5, 3.3.6
> Reporter: Craig W
> Priority: Major
>
> Hadoop includes a shaded version of protobuf-java (currently uses
> protobuf-java 3.7.1), however,
> [CVE-2021-22570|https://nvd.nist.gov/vuln/detail/CVE-2021-22570] is a HIGH
> vulnerability that can be fixed by upgrading to protobuf-java 3.15.0.
> Please consider upgrading hadoop-shaded-protobuf to this newer version.
>
> Relates to HADOOP-13363 and HADOOP-16821