[
https://issues.apache.org/jira/browse/HIVE-28671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Simran Arora updated HIVE-28671:
--------------------------------
Description:
The current version of MySQL connector jar is 8.0.31, which has the following
vulnerabilities associated with it:
Direct vulnerabilities:
CVE-2023-22102
Vulnerabilities from dependencies:
CVE-2024-7254
CVE-2022-3510
CVE-2022-3509
CVE-2022-3171
So, this issue is to remedy this with the version upgrade as a fix.
[https://dev.mysql.com/doc/relnotes/connector-j/en/news-8-2-0.html]
*MySQL Connector/J version 8.2.0* is the smallest upgrade that fixes the CVEs
and can be used against MySQL Server version *5.7* and later.
*Versions 8.3.0 and above* are compatible with MySQL Server versions *8.0* and
above, and since the *current version is 5.7.37* (at least as long as
[#5525|https://github.com/apache/hive/pull/5525] is not merged and upgrades it
to *8.4.3*), upgrading the MySQL connector jar version to *8.2.0* instead of
*8.4.0* is the present solution.
was:
The current version of MySQL if 8.0.31, which has the following vulnerabilities
associated with it:
Direct vulnerabilities:
CVE-2023-22102
Vulnerabilities from dependencies:
CVE-2024-7254
CVE-2022-3510
CVE-2022-3509
CVE-2022-3171
So, this issue is to remedy this with the version upgrade as a fix.
[https://dev.mysql.com/doc/relnotes/connector-j/en/news-8-2-0.html]
*Mysql connector/J version 8.2.0* is the smallest upgrade that fixes the CVEs
and can be used against MySQL Server version *5.7* and later.
*Versions 8.3.0 and above* are compatible with mysql server versions *8.0* and
above, and since the {*}current version is 5.7.3{*}7 (at least as long as
[#5525|https://github.com/apache/hive/pull/5525] is not merged and upgrades it
to {*}8.4.3{*}) upgrading mysql connecter jar version to *8.2.0* instead of
*8.4.0* is the present solution.
> Upgrade MySQL connector jar version to 8.2.0
> --------------------------------------------
>
> Key: HIVE-28671
> URL: https://issues.apache.org/jira/browse/HIVE-28671
> Project: Hive
> Issue Type: Improvement
> Reporter: Simran Arora
> Assignee: Simran Arora
> Priority: Major
> Labels: pull-request-available