It looks like this is a big deal. From what I can tell avro-ipc-netty was 
created in Avro 1.9.0. All the Netty stuff is in org.apache.avro.ipc.netty from 
that release on. Prior to that the Netty stuff was in the avro jar under 
org.apache.avro.ipc. 

So to change to 1.7.7 the avro-ipc-netty (and probably avro-ipc-jetty) 
dependencies would have to be removed and everywhere the support is used it 
would have to be changed to reference the old package. But I am not sure if there 
are other dependencies that require the newer dependencies.

In short, I am not prepared to go down that rabbit hole. If we really want to 
support a Twitter source then it should be upgraded to newer APIs as Sean had 
mentioned.

Ralph

> On Aug 1, 2022, at 8:23 AM, Ralph Goers <ralph.go...@dslextreme.com> wrote:
> 
> I did a search for AVRO security issues and found one for the .NET SDK at 
> 1.10.2 and earlier. I am wondering if security scans are going to flag that 
> even though it shouldn’t apply to Java code.
> 
> I also see CVE-2019-17195 which doesn’t make a lot of sense to me. It looks 
> like a transitive dependency has an issue and somehow a CVE was created for 
> AVRO because the dependency was used in a Docker image. That should not apply 
> to Flume.
> 
> I’ll try reverting the version and running another build.
> 
> Ralph
> 
>> On Aug 1, 2022, at 12:48 AM, Tristan Stevens <tris...@apache.org> wrote:
>> 
>> Hi all,
>> Sean reported that the Twitter4j integration was failing last time, 
>> seemingly because of an Avro bug. I suggest we roll Avro back to 1.7.7 for 
>> this release.
>> 
>> Sean - grateful for your thoughts as to how important this is.
>> 
>> Tristan
>> 
>> ________________________________
>> From: Ralph Goers <ralph.go...@dslextreme.com>
>> Sent: Monday, August 1, 2022 1:16:15 AM
>> To: dev@flume.apache.org <dev@flume.apache.org>
>> Cc: priv...@flume.apache.org <priv...@flume.apache.org>
>> Subject: [VOTE] Release Apache Flume 1.10.1-RC1
>> 
>> This is a vote to release Flume 1.10.1, the next version of the Apache Flume 
>> project.
>> 
>> Please download, test, and cast your votes on the Flume developers list.
>> [] +1, release the artifacts
>> [] -1, don't release because...
>> 
>> The vote will remain open for 72 hours. All votes are welcome and we 
>> encourage everyone to test the release, but only Flume PMC votes are 
>> “officially” counted. As always, at least 3 +1 votes and more positive than 
>> negative votes are required.
>> 
>> Changes in this release can be found at 
>> https://flume.staged.apache.org/releases/1.10.1.html.
>> 
>> Tag:
>> a) for a new copy do "git clone https://github.com/apache/flume.git" and then 
>> "git checkout tags/flume-1.10.1-rc1" or just "git clone -b lflume-1.10.1-rc1 
>> https://github.com/apache/flume.git";
>> b) for an existing working copy do "git pull" and then "git checkout 
>> tags/flume-1.10.1-rc1"
>> 
>> Web Site: https://flume.staged.apache.org/.
>> 
>> Maven Artifacts: 
>> https://repository.apache.org/content/repositories/orgapacheflume-1036.
>> 
>> Distribution archives: https://dist.apache.org/repos/dist/dev/flume/
>> 
>> You may download all the Maven artifacts by executing:
>> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate 
>> https://repository.apache.org/content/repositories/orgapacheflume-1036/org/apache/flume/
>> 
>> Ralph
> 