Michael Smith has posted comments on this change. ( http://gerrit.cloudera.org:8080/24301 )
Change subject: IMPALA-14989: Upgrade log4j-core to 2.25.3 due to CVE-2025-68161 ...................................................................... Patch Set 3: Code-Review-1 (1 comment) http://gerrit.cloudera.org:8080/#/c/24301/3/fe/pom.xml File fe/pom.xml: http://gerrit.cloudera.org:8080/#/c/24301/3/fe/pom.xml@857 PS3, Line 857: <exclude>org.apache.logging.log4j:log4j-web</exclude> I don't think this is doing what you think. log4j-web is a dependency of hive-common, which is pulled in by hive-jdbc. You'd need to add an <excludes> block where hive-jdbc is included, and possibly other places. To verify that we only have exact versions of specific log4j 2 components, you'd add here <exclude>org.apache.logging.log4j:*</exclude> and below <include>org.apache.logging.log4j:log4j-core:${log4j.version}</include> <include>org.apache.logging.log4j:log4j-api:${log4j.version}</include> -- To view, visit http://gerrit.cloudera.org:8080/24301 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Icdf7357dbf7edbb60cb3374094f210cbfeea2744 Gerrit-Change-Number: 24301 Gerrit-PatchSet: 3 Gerrit-Owner: Pranav Lodha <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Michael Smith <[email protected]> Gerrit-Reviewer: Pranav Lodha <[email protected]> Gerrit-Reviewer: Quanlong Huang <[email protected]> Gerrit-Comment-Date: Thu, 14 May 2026 20:11:50 +0000 Gerrit-HasComments: Yes
