[ https://issues.apache.org/jira/browse/PHOENIX-7393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Grzegorz Kokosinski updated PHOENIX-7393:
-----------------------------------------
    Description: 
Exclude woodstox-core to fix [CVE-2022-40152|https://github.com/advisories/GHSA-3f7h-mf4q-vrm4] 
([https://nvd.nist.gov/vuln/detail/CVE-2022-40152]).

This is a transitive dependency from Hadoop; it is most likely not needed for 
Phoenix. Notice that any product that is using {{phoenix-client-embedded}} to 
use Phoenix internally is flagged with this CVE.

This is used in the Trino Phoenix connector, so it makes the entire Trino 
flagged with this CVE.

Updating the transitive dependency of woodstox-core to 5.4.0 fixes the issue.

  was:
Exclude woodstox-core to fix [CVE-2022-40152|https://github.com/advisories/GHSA-3f7h-mf4q-vrm4] 
([https://nvd.nist.gov/vuln/detail/CVE-2022-40152]).

This is a transitive dependency from Hadoop; it is most likely not needed for 
Phoenix. Notice that any product that is using {{phoenix-client-embedded}} to 
use Phoenix internally is flagged with this CVE.

This is used in the Trino Phoenix connector, so it makes the entire Trino 
flagged with this CVE.

Update transitive dependency of woodstox-core to 5.4.0


> Update transitive dependency of woodstox-core to 5.4.0
> ------------------------------------------------------
>
>                 Key: PHOENIX-7393
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-7393
>             Project: Phoenix
>          Issue Type: Improvement
>            Reporter: Grzegorz Kokosinski
>            Assignee: Grzegorz Kokosinski
>            Priority: Major
>

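The ticket asks for the transitive woodstox-core version to be raised to 5.4.0 but does not show the build change. The following Maven fragment is an added example of how such a pin is typically done, not the Phoenix project's actual pom.xml change: it uses a dependencyManagement entry, which overrides the version Maven would otherwise pick through nearest-wins mediation on every transitive path (the Hadoop dependency and its version property below are assumed placeholders, and the woodstox-core coordinates are the artifact's published Maven coordinates). Because phoenix-client-embedded is consumed by products such as the Trino connector, the pin has to live in the Phoenix build itself; a downstream consumer cannot replace a vulnerable class that is already bundled into the client jar it depends on.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the Phoenix project's own pom.xml.
     Shows pinning the transitive woodstox-core version to 5.4.0
     (the version the ticket targets for CVE-2022-40152). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>          <!-- placeholder coordinates -->
  <artifactId>example-phoenix-client</artifactId>
  <version>1.0.0-SNAPSHOT</version>

  <properties>
    <!-- Single place to bump the version in future advisories. -->
    <woodstox.version>5.4.0</woodstox.version>
    <!-- Assumed placeholder; use whatever Hadoop version the build already uses. -->
    <hadoop.version>PLACEHOLDER_HADOOP_VERSION</hadoop.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Managed version wins over any version a transitive path (e.g. via
           Hadoop) would otherwise bring in, so no per-dependency
           <exclusions> blocks are needed to replace the old artifact. -->
      <dependency>
        <groupId>com.fasterxml.woodstox</groupId>
        <artifactId>woodstox-core</artifactId>
        <version>${woodstox.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Assumed example of the dependency that pulls woodstox-core in transitively. -->
    <dependency>
      <groupId>org.apache.hadoop</groupId>
      <artifactId>hadoop-common</artifactId>
      <version>${hadoop.version}</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the pin took effect before publishing, resolve the tree for just that artifact with `mvn dependency:tree -Dincludes=com.fasterxml.woodstox:woodstox-core`; the only version listed should be 5.4.0. For a shaded artifact like phoenix-client-embedded, the same check on the built jar (listing the bundled woodstox classes or the `META-INF/maven/com.fasterxml.woodstox/woodstox-core/pom.properties` entry) is the stronger evidence, since that jar is what downstream scanners inspect.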


--
This message was sent by Atlassian Jira
(v8.20.10#820010)
