[ https://issues.apache.org/jira/browse/PHOENIX-7393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Viraj Jasani updated PHOENIX-7393:
----------------------------------
    Fix Version/s: 5.2.1
                   5.3.0
                   5.1.4

> Update transitive dependency of woodstox-core to 5.4.0
> ------------------------------------------------------
>
>                 Key: PHOENIX-7393
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-7393
>             Project: Phoenix
>          Issue Type: Improvement
>            Reporter: Grzegorz Kokosinski
>            Assignee: Grzegorz Kokosinski
>            Priority: Major
>             Fix For: 5.2.1, 5.3.0, 5.1.4
>
>
> Exclude woodstox-core to fix [CVE-2022-40152 (|https://github.com/advisories/GHSA-3f7h-mf4q-vrm4] [https://nvd.nist.gov/vuln/detail/CVE-2022-40152]).
> This is a transitive dependency from hadoop, it is most likely not needed for
> phoenix. Notice that any product that is using {{phoenix-client-embedded}} to
> use Phoenix internally, is flagged with this CVE.
> This is used in Trino phoenix connector. Then it makes entire Trino flagged
> with this CVE.
> Update transitive dependency of woodstox-core to 5.4.0 fixes the issue.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
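
A check for the condition this issue describes, as an added example that is not part of the Jira message or the Phoenix code base: it walks `mvn dependency:tree` text output and reports each woodstox-core node with the dependency path that pulls it in. The sample tree, the `org.example` coordinates and the choice of hadoop-common as the carrier are constructed assumptions; the 5.4.0 floor is the version named in the issue.

```python
import re

# Floor named in PHOENIX-7393; it is applied to the 5.x release line only.
FLOOR = (5, 4, 0)
TARGET = ("com.fasterxml.woodstox", "woodstox-core")

# Constructed `mvn dependency:tree` output (not taken from the Phoenix build).
SAMPLE_TREE = r"""
[INFO] org.example:demo-app:jar:1.0.0
[INFO] +- org.example:embedded-client:jar:2.0.0:compile
[INFO] |  +- org.apache.hadoop:hadoop-common:jar:3.3.0:compile
[INFO] |  |  \- com.fasterxml.woodstox:woodstox-core:jar:5.3.0:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] \- junit:junit:jar:4.13.2:test
"""

# Tree indentation comes in 3-character units: "+- ", "|  ", "\- " or "   ".
LINE = re.compile(r"^\[INFO\] ((?:[|+\\ ][- ] )*)(\S+:\S+)$")


def classify(version):
    """Compare a version string against FLOOR using its first three numbers."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version))
    nums = (nums + (0, 0, 0))[:3]  # pad short versions such as "5.4"
    if nums < FLOOR:
        return "vulnerable"
    # Other major lines have their own fixed version; defer to the advisory.
    return "fixed" if nums[0] == FLOOR[0] else "check-advisory"


def find_woodstox(tree_text):
    """Return (status, version, path) for each woodstox-core node in the tree."""
    stack, findings = [], []
    for line in tree_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        # group:artifact:type[:classifier]:version[:scope]; the root has no scope
        version = parts[-1] if depth == 0 else parts[-2]
        del stack[depth:]  # drop siblings and deeper nodes from the path
        stack.append(f"{parts[1]}:{version}")
        if (parts[0], parts[1]) == TARGET:
            findings.append((classify(version), version, " > ".join(stack)))
    return findings


if __name__ == "__main__":
    for status, version, path in find_woodstox(SAMPLE_TREE):
        print(f"{status:14} {version:8} {path}")
```

The reported path shows which direct dependency needs the exclusion or version override, which is the information a downstream consumer of a shaded client jar needs when a scanner flags it.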