pjfanning commented on PR #7128: URL: https://github.com/apache/hadoop/pull/7128#issuecomment-2466441399
> Here's my draft Commit Message
>
> We need to highlight it is not backwards compatible, and include the CVEs to make log scanning find them.
>
> Does it seem good?
>
> [HADOOP-19315](https://issues.apache.org/jira/browse/HADOOP-19315). Upgrade Apache Avro to 1.11.4
>
> * All field access is now via setter/getter methods
> * To use Avro to marshal Serializable objects,
>   the packages they are in must be declared in the system property
>   "org.apache.avro.SERIALIZABLE_PACKAGES"
>
> This is required to address
>
> * [CVE-2024-47561](https://github.com/advisories/GHSA-r7pg-v2c8-mfg3)
> * [CVE-2023-39410](https://github.com/advisories/GHSA-rhrv-645h-fjfh)
>
> This change is not backwards compatible.
>
> Contributed by Dominik Diedrich

* Looks good to me. I presume that this can't be merged to Hadoop 3.4.2 due to the compatibility issues.
* Should this PR update the shell scripts to set the org.apache.avro.SERIALIZABLE_PACKAGES system property?
