[
https://issues.apache.org/jira/browse/HIVE-28671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Shohei Okumiya resolved HIVE-28671.
-----------------------------------
Resolution: Fixed
Merged it into master. Thanks [~arorasimran0309] for submitting the patch and
[~ayushsaxena] for reviewing it!
> Upgrade MySQL connector jar version to 8.2.0
> --------------------------------------------
>
> Key: HIVE-28671
> URL: https://issues.apache.org/jira/browse/HIVE-28671
> Project: Hive
> Issue Type: Improvement
> Affects Versions: 4.0.1
> Reporter: Simran Arora
> Assignee: Simran Arora
> Priority: Major
> Labels: pull-request-available
> Fix For: 4.1.0
>
>
> The current version of MySQL connector jar is 8.0.31, which has the following
> vulnerabilities associated with it:
> Direct vulnerabilities:
> CVE-2023-22102
> Vulnerabilities from dependencies:
> CVE-2024-7254
> CVE-2022-3510
> CVE-2022-3509
> CVE-2022-3171
> So, this issue is to remedy this with the version upgrade as a fix.
> [https://dev.mysql.com/doc/relnotes/connector-j/en/news-8-2-0.html]
> *MySQL Connector/J version 8.2.0* is the smallest upgrade that fixes the CVEs
> and can be used against MySQL Server version *5.7* and later.
> *Versions 8.3.0 and above* are compatible with MySQL Server versions *8.0*
> and above, and since the *current version is 5.7.37* (at least as long as
> [#5525|https://github.com/apache/hive/pull/5525] is not merged and upgrades
> it to *8.4.3*), upgrading the MySQL connector jar version to *8.2.0* instead
> of *8.4.0* is the present solution.