[ https://issues.apache.org/jira/browse/PHOENIX-7163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17806842#comment-17806842 ]
Istvan Toth edited comment on PHOENIX-7163 at 1/15/24 2:09 PM:
---------------------------------------------------------------

We have two options:
- Either we need to dependency-manage commons-text as well (which we do not use)
- Or we need to use my original approach, and remove the commons-configuration2 direct dependency declaration, and rely on the transitive dependency from Hadoop, which will pick up the (potentially fixed) version from Hadoop.

was (Author: stoty):
We have two options:
- Either we need to dependency-manage commons-text as well (which we do not use)
- Or we need to use my original approach, and remove the commons-configuration direct dependency declaration, and rely on the transitive dependency from Hadoop, which will pick up the version from hadoop.

> Update commons-configuration2 to 2.8.0
> --------------------------------------
>
> Key: PHOENIX-7163
> URL: https://issues.apache.org/jira/browse/PHOENIX-7163
> Project: Phoenix
> Issue Type: Bug
> Components: core
> Affects Versions: 5.2.0, 5.1.4
> Reporter: Istvan Toth
> Assignee: Istvan Toth
> Priority: Major
> Fix For: 5.2.0, 5.1.4
>
>
> We are using commons-configuration2 for the Hadoop metrics code, because
> that Hadoop API is badly broken.
> Because of this, I have added dependency management for that dependency.
> We are setting an old version, which is known to have CVEs.
> -Remove the dependency management so that we can pick up any possible future
> fixes from Hadoop instead.-
> Hadoop has updated to 2.8.0 without any code changes.
> Since we only add this for the Hadoop API leak, we may update to 2.8.0 just
> as well.
> It is also not needed in hbase-server and hbase-mapreduce, as it is provided
> by the expected Hadoop on the classpath.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
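The two options from the comment, written out as Maven pom.xml fragments. This is an added illustration, not a copy of the Phoenix pom: the commons-text version is a placeholder because the comment names none, and the assumption that commons-configuration2 pulls commons-text in transitively is mine.

```xml
<!-- Option 1 (from the comment): keep the direct dependency on
     commons-configuration2 and manage BOTH artifacts. A managed version wins
     over whatever Hadoop or commons-configuration2 would otherwise resolve,
     so an entry like this is also what silently pins an old, CVE-affected
     version when it is never revisited. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-configuration2</artifactId>
      <version>2.8.0</version>
    </dependency>
    <!-- Assumed here: commons-text is a transitive dependency of
         commons-configuration2. Unmanaged, its resolved version follows
         Maven's nearest-wins rule rather than a deliberate choice. -->
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
      <version>COMMONS_TEXT_VERSION_PLACEHOLDER</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<!-- Option 2 (the comment's "original approach"): delete both managed
     entries above and the direct <dependency> on commons-configuration2.
     Nothing is declared; the library arrives only through the Hadoop
     artifacts already on the classpath, so the version tracks whatever
     Hadoop itself has been fixed to, without a Phoenix change. -->
```

Whichever option is chosen, `mvn dependency:tree -Dincludes=org.apache.commons` shows which commons-configuration2 and commons-text versions are actually resolved in each module, which is the check that catches a stale pin.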