Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/23370 )
Change subject: [java] Upgrade slf4j dependency to 2.0.13
......................................................................

Patch Set 1:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/23370/1//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/23370/1//COMMIT_MSG@9
PS1, Line 9: org.slf4j:slf4j-api dependency due to CVE-2018-8088
AFAIK, only the EventData class from slf4j-ext is affected by CVE-2018-8088, and Kudu doesn't use any piece of slf4j-ext, so this CVE isn't quite applicable here, IIUC. It's well known that CVE-2018-8088 was initially scoped too broadly, and that led to a lot of confusion and false positives back in 2018.

Also, even if updating the slf4j package, why not update to the latest available version in the 1.x line (e.g., 1.7.36)? Changing the major version of the package often comes with an increased risk of compatibility issues: I don't know whether any exist as of now in the context of Kudu's Java components, but I'm curious what the reason was behind switching to the 2.x line when addressing a security issue in slf4j-ext that's also addressed for that package in the 1.x line?

--
To view, visit http://gerrit.cloudera.org:8080/23370
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I58a4fc3615c7dbb8d10393bbc536d77dfaf68e47
Gerrit-Change-Number: 23370
Gerrit-PatchSet: 1
Gerrit-Owner: Zoltan Chovan <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Thu, 04 Sep 2025 19:15:09 +0000
Gerrit-HasComments: Yes