[
https://issues.apache.org/jira/browse/CALCITE-5379?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17633369#comment-17633369
]
Julian Hyde commented on CALCITE-5379:
--------------------------------------
I would not mention the CVE in the summary. Probably not even in the
description. Committers understand that when components are upgraded there is
often a security reason, but it seems to me that including the CVE makes it a
bit easier for would-be attackers to find exploits.
If an upgrade is a one-line change, I don’t think a Jira case is needed. But
state the “from” version in the commit message, so people can easily find
wether a particular CVE was fixed.
Since you are a committer, I’d be happy if you make those changes without even
a +1. That is, use a commit-then-review (CTR) protocol.
> Upgrade protobuf version to 3.21.9 because of CVE
> -------------------------------------------------
>
> Key: CALCITE-5379
> URL: https://issues.apache.org/jira/browse/CALCITE-5379
> Project: Calcite
> Issue Type: Improvement
> Components: avatica
> Affects Versions: avatica-1.22.0
> Reporter: Sergey Nuyanzin
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> There is a CVE in current version
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3171
> fixed in 3.21.7
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
