tanishqchugh created HIVE-28866:
-----------------------------------
Summary: Upgrade netty-codec-http to fix CVE-2024-29025
Key: HIVE-28866
URL: https://issues.apache.org/jira/browse/HIVE-28866
Project: Hive
Issue Type: Improvement
Reporter: tanishqchugh
Assignee: tanishqchugh
Netty was upgraded to 4.1.116.Final as part of HIVE-28040, but with recent
changes we see an occurrence of a compile-time transitive dependency on
netty-codec-http 4.1.100.Final in Hive Metastore REST Catalog:
{code:java}
[INFO] +- org.apache.hadoop:hadoop-hdfs:jar:3.4.1:compile
[INFO] | +- commons-daemon:commons-daemon:jar:1.0.13:compile
[INFO] | +- io.netty:netty-all:jar:4.1.100.Final:compile
[INFO] | | +- io.netty:netty-codec-dns:jar:4.1.100.Final:compile
[INFO] | | +- io.netty:netty-codec-haproxy:jar:4.1.100.Final:compile
[INFO] | | +- io.netty:netty-codec-http:jar:4.1.100.Final:compile
{code}
Add Netty configs to the dependencyManagement of the standalone metastore to fix
this.
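One way to check a module for this kind of version drift, as an added example that is not part of the original issue or of Hive's code: the script reads `mvn dependency:tree` output and reports every `io.netty` artifact that is not at the expected version, together with the dependency path that pulls it in. The sample tree and its `org.example:demo-module` root are constructed from the tree in the issue, and the parser assumes Maven's standard three-column indentation.

```python
import re

EXPECTED = "4.1.116.Final"  # Netty version the issue says HIVE-28040 moved to

# Constructed sample (not real build output), modelled on the tree in the issue.
SAMPLE_TREE = """\
[INFO] org.example:demo-module:jar:1.0.0-SNAPSHOT
[INFO] +- org.apache.hadoop:hadoop-hdfs:jar:3.4.1:compile
[INFO] |  +- commons-daemon:commons-daemon:jar:1.0.13:compile
[INFO] |  \\- io.netty:netty-all:jar:4.1.100.Final:compile
[INFO] |     +- io.netty:netty-codec-dns:jar:4.1.100.Final:compile
[INFO] |     \\- io.netty:netty-codec-http:jar:4.1.100.Final:compile
[INFO] \\- io.netty:netty-handler:jar:4.1.116.Final:compile
"""

# "[INFO] " + tree indentation (3 columns per level) + "+- " or "\- " + coordinates
LINE = re.compile(r"^\[INFO\] (?P<indent>[ |]*)[+\\]- (?P<coord>\S+)\s*$")


def find_stale_netty(tree_text, expected=EXPECTED):
    """Return (artifact, version, path) for each io.netty artifact not at `expected`."""
    stack, findings = [], []
    for line in tree_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # root module line, banners, blank lines
        parts = m.group("coord").split(":")
        if len(parts) not in (5, 6):  # group:artifact:type[:classifier]:version:scope
            continue
        group, artifact, version = parts[0], parts[1], parts[-2]
        depth = len(m.group("indent")) // 3 + 1
        del stack[depth - 1:]  # drop earlier siblings and anything deeper
        stack.append(f"{group}:{artifact}")
        if group == "io.netty" and version != expected:
            findings.append((artifact, version, " -> ".join(stack)))
    return findings


if __name__ == "__main__":
    for artifact, version, path in find_stale_netty(SAMPLE_TREE):
        print(f"{artifact} {version} (expected {EXPECTED}) via {path}")
```

Run against the real output of `mvn dependency:tree` for the module, an empty result means every Netty artifact resolves to the expected version.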