[
https://issues.apache.org/jira/browse/RANGER-4038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17907780#comment-17907780
]
Himanshu Maurya commented on RANGER-4038:
-----------------------------------------
Hi [~avazquez]
I hope you're doing well. As I'm relatively new to this, I don't have a clear
understanding of how we should split these updates into multiple PRs. But I
will provide some suggestions,
>From the list of steps you mentioned:
* Java 11 -> 17
* Javax -> Jakarta (Hadoop Shaded Jars Workaround can be in separate commit)
* Spring framework 5.7.12 -> 6.0.0
* Jersey 1.19 -> 3.0.16
* Tomcat embed 8.5.94 -> 10.1.31
* EclipseLink 2.7.12 -> 3.0.4
After analysis, It seems to me that we could create separate commits for the
following:
* Java 11 -> 17
* Javax -> Jakarta
* EclipseLink 2.7.12 -> 3.0.4
For the remaining updates (Spring, Jersey, and Tomcat), it might be best to
combine them into a single commit.
[~madhan] , Kindly help here with your guidance.
> Upgrade spring framework and spring security versions
> -----------------------------------------------------
>
> Key: RANGER-4038
> URL: https://issues.apache.org/jira/browse/RANGER-4038
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Himanshu Maurya
> Assignee: Himanshu Maurya
> Priority: Major
>
> Pivotal Spring Framework up to (excluding) 6.0.0 suffers from a potential
> remote code execution (RCE) issue if used for Java deserialization of
> untrusted data. Depending on how the library is implemented within a product,
> this issue may or not occur, and authentication may be required.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
