[ https://issues.apache.org/jira/browse/RANGER-4038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17905391#comment-17905391 ]
Himanshu Maurya commented on RANGER-4038:
-----------------------------------------

Hi [~avazquez],

Thank you so much for the hard work and dedication you’ve put into adapting Ranger to use Spring 6. The updates you’ve made to various libraries, including Java 17, Jakarta, and especially the Spring framework, are crucial steps forward for the project. I am in with the workaround to create shaded jars using the Apache Jakarta Migration Tool to resolve conflicts with Hadoop’s transitive dependencies.

To facilitate a more thorough and efficient review process, we kindly ask if you could address the following:

# Split your current pull request, which has 34 commits, into several independent pull requests. This way, each PR can be focused on specific updates, making the review process more manageable and systematic.
# Please note that there is another PR raised for JDK 17 support; please visit this PR: [https://github.com/apache/ranger/pull/420] and review the comments for further details.
# Please rebase your PR once all the checkstyle PRs are merged.

We truly believe this ambitious step will be a great opportunity for all of us to push this change forward collaboratively.

> Upgrade spring framework and spring security versions
> -----------------------------------------------------
>
>                 Key: RANGER-4038
>                 URL: https://issues.apache.org/jira/browse/RANGER-4038
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Himanshu Maurya
>            Assignee: Himanshu Maurya
>            Priority: Major
>
> Pivotal Spring Framework up to (excluding) 6.0.0 suffers from a potential
> remote code execution (RCE) issue if used for Java deserialization of
> untrusted data. Depending on how the library is implemented within a product,
> this issue may or may not occur, and authentication may be required.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)