[https://issues.apache.org/jira/browse/HADOOP-19792?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18054613#comment-18054613]
Shubham Kalloli edited comment on HADOOP-19792 at 1/27/26 1:01 PM:
-------------------------------------------------------------------
Hi [~pj.fanning], I am working on remediating
[CVE-2025-55163|https://nvd.nist.gov/vuln/detail/CVE-2025-55163]. It is being
transitively introduced by the Google Cloud Storage dependency in the Hadoop GCP
module (as shown by the dependency tree snippet below). For this, I have created
the ticket HADOOP-19791.
{quote}{{[INFO] org.apache.hadoop:hadoop-gcp:jar:3.5.0-SNAPSHOT}}
{{[INFO] - com.google.cloud:google-cloud-storage:jar:2.52.0:compile}}
{{[INFO] - io.grpc:grpc-netty-shaded:jar:1.70.0:runtime}}
{quote}
In v2.60.0, Google Cloud Storage upgraded GRPC Netty Shaded to version 1.75.0
or later, which contains the fix for this CVE (uses Netty 4.1.124.Final). This
version uses Protobuf Java 3.25.8 and Guava 33.5.0.
As per the {{pom.xml}} in {{hadoop-cloud-storage-project/hadoop-gcp}} (Line
454), versions should be compatible with the GCS jar to avoid dependency
conflicts.
{quote}{{<!--}}
{{Use specific Guava and Protobuf versions to ensure compatibility with the}}
{{Google Cloud Storage (GCS) client. The GCS client often relies on}}
{{particular Long-Term Support (LTS) versions. Keep these versions in sync}}
{{with the transitive dependencies of}}
{{com.google.cloud:google-cloud-storage. To prevent dependency conflicts,}}
{{these will be shaded in the hadoop-gcp jar.}}
{{-->}}
{quote}
As rightly stated, it would be a maintenance nightmare to maintain different
versions of libs in different modules. To avoid this, I am planning to
uniformly upgrade Protobuf to 3.25.8 and Guava to 33.5.0.
My proposed approach is:
# Upgrade the Protobuf and Guava versions in the Hadoop Thirdparty repository
(should this be done under a separate ticket?)
# Wait for the release in the Hadoop Thirdparty repository
# Make the corresponding changes for Protobuf and Guava in the main Hadoop
repository.
# Upgrade the GCS Jar in HADOOP-19791
Please let me know if you need any additional details. Looking forward to
your feedback.
Hi [~chengpan], noted, and thanks for the pointers.
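An added helper, not part of the Jira comment or of the Hadoop project, that scans `mvn dependency:tree` output in the format quoted above and flags any `io.grpc:grpc-netty-shaded` below the 1.75.0 floor the comment identifies as carrying the Netty fix; the sample tree and the `MIN_FIXED` table are constructed for this example.

```python
import re

# Constructed sample in the layout of `mvn dependency:tree` output as quoted in
# the comment (hypothetical tree, not captured from a real Hadoop build).
SAMPLE_TREE = """\
[INFO] org.apache.hadoop:hadoop-gcp:jar:3.5.0-SNAPSHOT
[INFO] +- com.google.cloud:google-cloud-storage:jar:2.52.0:compile
[INFO] |  \\- io.grpc:grpc-netty-shaded:jar:1.70.0:runtime
[INFO] \\- com.google.guava:guava:jar:33.5.0-jre:compile
"""

# Minimum fixed versions: the comment states grpc-netty-shaded 1.75.0 or later
# ships the Netty release that addresses CVE-2025-55163.
MIN_FIXED = {"io.grpc:grpc-netty-shaded": "1.75.0"}

# group:artifact:packaging:version[:scope] at the end of a tree line
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):(\w+):([\w.\-]+)(?::(\w+))?\s*$")


def parse_tree(text):
    """Return [(group:artifact, version, scope)] for every coordinate line."""
    deps = []
    for line in text.splitlines():
        m = COORD_RE.search(line)
        if m:
            group, artifact, _packaging, version, scope = m.groups()
            deps.append((f"{group}:{artifact}", version, scope))
    return deps


def version_key(v):
    """Numeric tuple for comparison; qualifiers such as -jre/-SNAPSHOT are dropped."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def find_vulnerable(text, minimums=MIN_FIXED):
    """Return [(group:artifact, found_version, required_floor)] for each
    dependency that is present below its fixed floor."""
    findings = []
    for ga, version, _scope in parse_tree(text):
        floor = minimums.get(ga)
        if floor and version_key(version) < version_key(floor):
            findings.append((ga, version, floor))
    return findings


if __name__ == "__main__":
    for ga, found, floor in find_vulnerable(SAMPLE_TREE):
        print(f"{ga} {found} is below the fixed floor {floor}")
```

Pipe a real `mvn dependency:tree` run into `find_vulnerable` to confirm the transitive version actually resolved after the GCS upgrade, since the declared version in the POM and the resolved one can differ.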
> Upgrade Protobuf and Guava
> ---------------------------
>
> Key: HADOOP-19792
> URL: https://issues.apache.org/jira/browse/HADOOP-19792
> Project: Hadoop Common
> Issue Type: Task
> Components: common
> Affects Versions: 3.4.2
> Reporter: Shubham Kalloli
> Priority: Major
>
> Upgrading Protobuf and Guava
--
This message was sent by Atlassian Jira
(v8.20.10#820010)