I did a search for AVRO security issues and found one for the .NET SDK at 1.10.2 and earlier. I am wondering if security scans are going to flag that even though it shouldn’t apply to Java code.
I also see CVE-2019-17195 which doesn’t make a lot of sense to me. It looks like a transitive dependency has an issue and somehow a CVE was created for AVRO because the dependency was used in a Docker image. That should not apply to Flume. I’ll try reverting the version and running another build. Ralph > On Aug 1, 2022, at 12:48 AM, Tristan Stevens <tris...@apache.org> wrote: > > Hi all, > Sean reported that the Twitter4j integration was failing last time, seemingly > because of an Avro bug. I suggest we roll Avro back to 1.7.7 for this release. > > Sean - grateful for your thoughts as to how important this is. > > Tristan > > Get Outlook for Android<https://aka.ms/AAb9ysg> > ________________________________ > From: Ralph Goers <ralph.go...@dslextreme.com> > Sent: Monday, August 1, 2022 1:16:15 AM > To: dev@flume.apache.org <dev@flume.apache.org> > Cc: priv...@flume.apache.org <priv...@flume.apache.org> > Subject: [VOTE] Release Apache Flume 1.10.1-RC1 > > This is a vote to release Flume 1.10.1, the next version of the Apache Flume > project. > > Please download, test, and cast your votes on the Flume developers list. > [] +1, release the artifacts > [] -1, don't release because... > > The vote will remain open for 72 hours. All votes are welcome and we > encourage everyone to test the release, but only Flume PMC votes are > “officially” counted. As always, at least 3 +1 votes and more positive than > negative votes are required. > > Changes in this release can be found at > https://flume.staged.apache.org/releases/1.10.1.html. > > Tag: > a) for a new copy do "git clone https://github.com/apache/flume.git and then > "git checkout tags/flume-1.10.1-rc1” or just "git clone -b lflume-1.10.1-rc1 > https://github.com/apache/flume.git" > b) for an existing working copy to “git pull” and then “git checkout > tags/flume-1.10.1-rc1” > > Web Site: https://flume.staged.apache.org/. > > Maven Artifacts: > https://repository.apache.org/content/repositories/orgapacheflume-1036. > > Distribution archives: https://dist.apache.org/repos/dist/dev/flume/ > > You may download all the Maven artifacts by executing: > wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate > https://repository.apache.org/content/repositories/orgapacheflume-1036/org/apache/flume/ > > Ralph