[ https://issues.apache.org/jira/browse/NIFI-11890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17749360#comment-17749360 ]

Phil Lee commented on NIFI-11890:
---------------------------------

This is cloned from NIFI-11709 - Upgrade guava to 32.0.1-jre.  
In /opt/nifi-toolkit/nifi-toolkit-1.23.0-bin.zip, inflating: 
nifi-toolkit-1.23.0/lib/guava-31.1-jre.jar <-- this still shows 31.1-jre.jar is 
included instead of 32.0.1-jre.

David Handermann  [8 minutes ago|https://apachenifi.slack.com/archives/C0L9VCD47/p1690838861024129?thread_ts=1690838270.993899&cid=C0L9VCD47]
Hi Philip, thanks for highlighting this issue. It sounds like what happened 
there was that the backported commit did not cover a particular toolkit module, 
because that module has been removed from the main branch. If you can write up a 
Jira issue for the affected version, listing that path, we should be able to 
upgrade the remaining Guava 31.1 references on the support branch.

> Upgrade guava to 32.0.1-jre for nifi-toolkit version 1.23.0
> -----------------------------------------------------------
>
>                 Key: NIFI-11890
>                 URL: https://issues.apache.org/jira/browse/NIFI-11890
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 1.23.0
>            Reporter: Phil Lee
>            Assignee: David Handermann
>            Priority: Major
>
> Upgrade guava to 32.0.1-jre for nifi-toolkit version 1.23.0. Newest version 
> mitigates 
> [CVE-2023-2976|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2976] 
> in 32.0.0-jre



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
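
The check described in the comment above (unpacking the toolkit zip and reading the Guava jar name) can be automated. This is an added example, not code from the NiFi project; it goes one step further than the comment by also descending into nested archives, and the `example-bundle.nar` entry and the in-memory sample zip are constructed for illustration.

```python
import io
import re
import zipfile

# Version the issue asks for ("Upgrade guava to 32.0.1-jre").
TARGET = (32, 0, 1)
GUAVA_JAR = re.compile(r"(?:^|/)guava-(\d+(?:\.\d+)*)-(?:jre|android)\.jar$")
NESTED = (".jar", ".war", ".nar", ".zip")


def parse_version(text):
    """Turn '31.1' into (31, 1, 0) so tuples compare numerically."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def find_guava(archive, prefix=""):
    """Return (path, version, below_target) for every bundled Guava jar."""
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            match = GUAVA_JAR.search(name)
            if match:
                version = match.group(1)
                findings.append(
                    (prefix + name, version, parse_version(version) < TARGET))
            elif name.endswith(NESTED):
                # Dependencies can hide inside nested archives.
                data = io.BytesIO(zf.read(name))
                if zipfile.is_zipfile(data):
                    findings.extend(find_guava(data, prefix + name + "!/"))
    return findings


def build_sample():
    """Constructed stand-in for a distribution zip (jar bodies are empty)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("META-INF/bundled-dependencies/guava-32.0.1-jre.jar", b"")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("nifi-toolkit-1.23.0/lib/guava-31.1-jre.jar", b"")
        # Hypothetical nested bundle, not a real NiFi artifact name.
        zf.writestr("nifi-toolkit-1.23.0/lib/example-bundle.nar", inner.getvalue())
    outer.seek(0)
    return outer


if __name__ == "__main__":
    for path, version, below in find_guava(build_sample()):
        print("OUTDATED" if below else "ok      ", version, path)
```

To scan a real download, pass its path to `find_guava` instead of the constructed sample.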
