[ https://issues.apache.org/jira/browse/TEZ-3902?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Eric Wohlstadter updated TEZ-3902: ---------------------------------- Comment: was deleted (was: [~jlowe] [~jeagles] Follow up info from Thurs. meeting: ---- Netty 3.6.2 has CVE vulnerabilities. None are listed for 3.10.5. [https://www.cvedetails.com/vulnerability-list/vendor_id-13290/product_id-27592/Netty-Project-Netty.html] ---- compile scope is including netty jar in the tez-dist artifacts: {{/pom.xml}} {code:java} <netty.version>3.6.2.Final</netty.version> ... <dependency> <groupId>io.netty</groupId> <artifactId>netty</artifactId> <scope>compile</scope> <version>${netty.version}</version> </dependency> {code} ) > Upgrade to netty-3.10.5.Final.jar > --------------------------------- > > Key: TEZ-3902 > URL: https://issues.apache.org/jira/browse/TEZ-3902 > Project: Apache Tez > Issue Type: Improvement > Reporter: Eric Wohlstadter > Assignee: Jonathan Eagles > Priority: Major > > Hadoop 3 and Hive have upgraded to netty-3.10.5.Final, which is not > compatible with current Tez dependency netty-3.6.2.Final. > > However, org.apache.tez.shufflehandler.ShuffleHandler depends on 3.6.2 > specific methods. -- This message was sent by Atlassian JIRA (v7.6.3#76005)