[ https://issues.apache.org/jira/browse/HIVE-27691 ]
Dan Huff deleted comment on HIVE-27691:
---------------------------------
was (Author: JIRAUSER302219):
Previous attempt at an update
> Update Guava in hive to at least 32.0.1-jre to address CVE-2023-2976
> --------------------------------------------------------------------
>
> Key: HIVE-27691
> URL: https://issues.apache.org/jira/browse/HIVE-27691
> Project: Hive
> Issue Type: Bug
> Reporter: Dan Huff
> Priority: Major
>
> I was advised to open this directly as this isn't anything secret. Guava
> having various CVEs is a well-known issue within the Hive project.
> This particular CVE is [https://nvd.nist.gov/vuln/detail/CVE-2023-2976]
> {quote}Use of Java's default temporary directory for file
> creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on
> Unix systems and Android Ice Cream Sandwich allows other users and apps on
> the machine with access to the default Java temporary directory to be able to
> access the files created by the class. Even though the security vulnerability
> is fixed in version 32.0.0, we recommend using version 32.0.1 as version
> 32.0.0 breaks some functionality under Windows.
> {quote}
> I saw a number of uses of createTempDir in Hive so Hive may be
> vulnerable to this issue.
> Previous updates have been attempted but from the [comments in
> PRs|https://github.com/apache/hive/pull/4271#issuecomment-1525398100], it
> sounds like the update is likely to be a large project.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
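The weakness described in the CVE text above is that a file or directory is created under the shared java.io.tmpdir with whatever mode the process umask allows, so other local users can read it. The following is an added example, not code from the Hive project or from this issue: a hypothetical helper that creates owner-only scratch space with java.nio.file, which is the kind of replacement a caller of the Guava createTempDir mentioned in the report could switch to while the dependency upgrade is pending. The class name PrivateTempSpace and the "hive-scratch-" prefix are assumptions; it requires a POSIX filesystem, since PosixFilePermissions attributes are rejected elsewhere.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/** Hypothetical helper (not Hive code): owner-only scratch space on POSIX hosts. */
public final class PrivateTempSpace {

    // rwx------ for the directory, rw------- for files inside it.
    private static final Set<PosixFilePermission> DIR_PERMS = EnumSet.of(
            PosixFilePermission.OWNER_READ,
            PosixFilePermission.OWNER_WRITE,
            PosixFilePermission.OWNER_EXECUTE);
    private static final Set<PosixFilePermission> FILE_PERMS = EnumSet.of(
            PosixFilePermission.OWNER_READ,
            PosixFilePermission.OWNER_WRITE);

    private PrivateTempSpace() {}

    /**
     * Replacement for com.google.common.io.Files.createTempDir(), the Guava call
     * the issue mentions. Files.createTempDirectory creates the directory under
     * java.io.tmpdir with the requested mode in a single step, so it never exists
     * with a permissive mode first.
     */
    public static Path createPrivateTempDir(String prefix) throws IOException {
        FileAttribute<Set<PosixFilePermission>> attr =
                PosixFilePermissions.asFileAttribute(DIR_PERMS);
        Path dir = Files.createTempDirectory(prefix, attr);
        if (!ownerOnly(dir)) {          // re-check rather than trust the request
            Files.delete(dir);
            throw new IOException("temp dir is not private: " + dir);
        }
        return dir;
    }

    /** Private file inside the private directory, e.g. for a spill-to-disk buffer. */
    public static Path createPrivateTempFile(Path dir, String prefix, String suffix)
            throws IOException {
        FileAttribute<Set<PosixFilePermission>> attr =
                PosixFilePermissions.asFileAttribute(FILE_PERMS);
        Path f = Files.createTempFile(dir, prefix, suffix, attr);
        if (!ownerOnly(f)) {
            Files.delete(f);
            throw new IOException("temp file is not private: " + f);
        }
        return f;
    }

    /**
     * True when no group or other permission bit is set. A stricter umask may
     * drop owner bits as well; that still counts as private.
     */
    public static boolean ownerOnly(Path p) throws IOException {
        for (PosixFilePermission perm : Files.getPosixFilePermissions(p)) {
            switch (perm) {
                case OWNER_READ:
                case OWNER_WRITE:
                case OWNER_EXECUTE:
                    break;
                default:
                    return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        Path dir = createPrivateTempDir("hive-scratch-");   // prefix is illustrative
        Path spill = createPrivateTempFile(dir, "spill-", ".tmp");
        System.out.println(dir + " "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(dir)));
        System.out.println(spill + " "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(spill)));
        Files.delete(spill);
        Files.delete(dir);
    }
}
```

The ownerOnly check is what turns this into an audit aid as well as a fix: pointing it at the paths a running Hive process actually creates shows whether any scratch file is exposed to other local users, independent of which Guava version ends up on the classpath.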