[
https://issues.apache.org/jira/browse/KUDU-3493?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17745946#comment-17745946
]
ASF subversion and git services commented on KUDU-3493:
-------------------------------------------------------
Commit 55eb667ae5debdd531b58d11139700a1a00b81d4 in kudu's branch
refs/heads/branch-1.17.x from Alexey Serbin
[ https://gitbox.apache.org/repos/asf?p=kudu.git;h=55eb667ae ]
KUDU-3493 upgrade Guava to 32.1.1-jre
This is to address CVE-2023-2976 in 30.1-jre [1].
An update on java/build.gradle is a workaround as suggested by the
Guava release notes [2] to allow for building with gradle 6.x.
An update on build-support/verify_jars.pl allows for ProGuard [3]
rule files to be in the result JARs: those appeared in the compiled
JAR files with the new Guava version.
[1] https://nvd.nist.gov/vuln/detail/CVE-2023-2976
[2] https://github.com/google/guava/releases/tag/v32.1.0
[3] https://www.guardsquare.com/en/products/proguard
Change-Id: I4acf448085e2279be3ed8c77ccf3306494c6639c
Reviewed-on: http://gerrit.cloudera.org:8080/20235
Reviewed-by: Abhishek Chennaka <[email protected]>
Tested-by: Abhishek Chennaka <[email protected]>
Tested-by: Alexey Serbin <[email protected]>
(cherry picked from commit ab2f15d0dc168245d9e5adc631784f0f1be1c803)
Reviewed-on: http://gerrit.cloudera.org:8080/20239
Reviewed-by: Yingchun Lai <[email protected]>
Tested-by: Yingchun Lai <[email protected]>
> Guava CVE CVE-2023-2976
> -----------------------
>
> Key: KUDU-3493
> URL: https://issues.apache.org/jira/browse/KUDU-3493
> Project: Kudu
> Issue Type: Bug
> Affects Versions: 1.16.0
> Reporter: Colm O hEigeartaigh
> Priority: Major
> Fix For: 1.17.0, 1.16.1
>
>
> There is a CVE in Guava 30.1-jre CVE-2023-2976.
> Please update to e.g. 32.1.1-jre.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
