[
https://issues.apache.org/jira/browse/IMPALA-12767?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17812511#comment-17812511
]
ASF subversion and git services commented on IMPALA-12767:
----------------------------------------------------------
Commit f8302d90369f2c0fd912963eb764063f4a9a41e2 in impala's branch
refs/heads/master from Riza Suminto
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=f8302d903 ]
IMPALA-12767: Upgrade Guava to 32.0.1 due to CVE-2023-2976
This patch upgrade Guava version from 31.1-jre to 32.0.1-jre to address
CVE-2023-2976.
Testing:
- Run and pass full build
./buildall.sh -skiptests -notests
Change-Id: Id932ed32200fba4f24b4fdd108546ac4494fc3e8
Reviewed-on: http://gerrit.cloudera.org:8080/20972
Tested-by: Impala Public Jenkins <[email protected]>
Reviewed-by: Joe McDonnell <[email protected]>
> Upgrade Guava to 32.0.1 due to CVE-2023-2976
> ---------------------------------------------
>
> Key: IMPALA-12767
> URL: https://issues.apache.org/jira/browse/IMPALA-12767
> Project: IMPALA
> Issue Type: Task
> Components: Frontend
> Reporter: Riza Suminto
> Assignee: Riza Suminto
> Priority: Critical
> Fix For: Impala 4.4.0
>
>
> {quote}Use of Java's default temporary directory for file creation in
> `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems
> and Android Ice Cream Sandwich allows other users and apps on the machine
> with access to the default Java temporary directory to be able to access the
> files created by the class. Even though the security vulnerability is fixed
> in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks
> some functionality under Windows.
> {quote}
> [https://nvd.nist.gov/vuln/detail/CVE-2023-2976]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
