[
https://issues.apache.org/jira/browse/HIVE-28671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Simran Arora updated HIVE-28671:
--------------------------------
Description:
The current version of MySQL is 8.0.31, which has the following vulnerabilities
associated with it:
Direct vulnerabilities:
CVE-2023-22102
Vulnerabilities from dependencies:
CVE-2024-7254
CVE-2022-3510
CVE-2022-3509
CVE-2022-3171
So, this issue is to remedy this with the version upgrade as a fix.
[https://dev.mysql.com/doc/relnotes/connector-j/en/news-8-2-0.html]
*MySQL Connector/J version 8.2.0* is the smallest upgrade that fixes the CVEs
and can be used against MySQL Server version *5.7* and later.
*Versions 8.3.0 and above* are compatible with MySQL Server versions *8.0* and
above, and since the *current version is 5.7.37* (at least as long as
[#5525|https://github.com/apache/hive/pull/5525] is not merged and upgrades it
to *8.4.3*), upgrading the MySQL connector jar version to *8.2.0* instead of
*8.4.0* is the present solution.
was:
The current version of MySQL is 8.0.31, which has the following vulnerabilities
associated with it:
Direct vulnerabilities:
CVE-2023-22102
Vulnerabilities from dependencies:
CVE-2024-7254
CVE-2022-3510
CVE-2022-3509
CVE-2022-3171
So, this issue is to remedy this with the version upgrade as a fix.
[https://dev.mysql.com/doc/relnotes/connector-j/en/news-8-2-0.html]
Version 8.2.0 is the smallest upgrade that fixes the CVEs and can be used
against MySQL Server version 5.7 and later.
Versions 8.3.0 and above are compatible with MySQL Server versions 8.0 and
above, and since the current version is 5.7.37 (at least as long as
[#5525|https://github.com/apache/hive/pull/5525] is not merged and upgrades it
to 8.4.3), upgrading the MySQL connector jar version to 8.2.0 instead of 8.4.0 is
the present solution.
> Upgrade MySQL connector jar version to 8.2.0
> --------------------------------------------
>
> Key: HIVE-28671
> URL: https://issues.apache.org/jira/browse/HIVE-28671
> Project: Hive
> Issue Type: Improvement
> Reporter: Simran Arora
> Assignee: Simran Arora
> Priority: Major
> Labels: pull-request-available
>
> The current version of MySQL is 8.0.31, which has the following
> vulnerabilities associated with it:
> Direct vulnerabilities:
> CVE-2023-22102
> Vulnerabilities from dependencies:
> CVE-2024-7254
> CVE-2022-3510
> CVE-2022-3509
> CVE-2022-3171
> So, this issue is to remedy this with the version upgrade as a fix.
> [https://dev.mysql.com/doc/relnotes/connector-j/en/news-8-2-0.html]
> *MySQL Connector/J version 8.2.0* is the smallest upgrade that fixes the CVEs
> and can be used against MySQL Server version *5.7* and later.
> *Versions 8.3.0 and above* are compatible with MySQL Server versions *8.0*
> and above, and since the *current version is 5.7.37* (at least as long as
> [#5525|https://github.com/apache/hive/pull/5525] is not merged and upgrades
> it to *8.4.3*), upgrading the MySQL connector jar version to *8.2.0* instead
> of *8.4.0* is the present solution.