[jira] [Updated] (HIVE-28438) Remove commons-pool2 as an explicit dependency & upgrade commons-dbcp2 to 2.12.0

Sat, 10 Aug 2024 09:54:16 -0700 


     [ 
https://issues.apache.org/jira/browse/HIVE-28438?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

tanishqchugh updated HIVE-28438:
--------------------------------
    Description: 
In the master branch, currently we are using commons-dbcp2 v2.9.0 which is 
affected by following CVEs:
[CVE-2022-45868|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45868]
[CVE-2022-23221|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23221]
[CVE-2021-42392|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392]
[CVE-2021-23463|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23463]

commons-pool2 is not a direct dependency to hive and is only required by 
commons-dbcp2 as a compile time dependency which comes in transitively with 
commons-dbcp2 itself. Thus, removing commons-pool2 which is currently listed as 
an explicit dependency.

  was:
In the master branch, currently we are using commons-dbcp2 v2.9.0 which is 
affected by following CVEs:
[CVE-2022-45868|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45868]
[CVE-2022-23221|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23221]
[CVE-2021-42392|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392]
[CVE-2021-23463|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23463]

Also, there are two different versions (2.10.0 & 2.11.1) of commons-pool2 
across project as commons-dbcp2 v2.9.0 requires commons-pool2 v2.10.0 as a 
compile time dependency. 
Upgrading both of the dependencies to v2.12.0 to resolve the CVEs as well as 
make commons-pool2 version consistent across project to prevent any kind of 
potential conflicts.


> Remove commons-pool2 as an explicit dependency & upgrade commons-dbcp2 to 
> 2.12.0
> --------------------------------------------------------------------------------
>
>                 Key: HIVE-28438
>                 URL: https://issues.apache.org/jira/browse/HIVE-28438
>             Project: Hive
>          Issue Type: Improvement
>            Reporter: tanishqchugh
>            Assignee: tanishqchugh
>            Priority: Major
>              Labels: pull-request-available
>
> In the master branch, currently we are using commons-dbcp2 v2.9.0 which is 
> affected by following CVEs:
> [CVE-2022-45868|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45868]
> [CVE-2022-23221|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23221]
> [CVE-2021-42392|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392]
> [CVE-2021-23463|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23463]
> commons-pool2 is not a direct dependency to hive and is only required by 
> commons-dbcp2 as a compile time dependency which comes in transitively with 
> commons-dbcp2 itself. Thus, removing commons-pool2 which is currently listed 
> as an explicit dependency.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to