[ https://issues.apache.org/jira/browse/HADOOP-18197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17520557#comment-17520557 ]
Steve Loughran commented on HADOOP-18197: ----------------------------------------- [~ivan.viaznikov] HADOOP-16557 upgraded our internal binaries to compile against 3.7.1, as we shade the classes we can update/upgrade without the risk of breaking every other app. we do still ship the old jar, which is something we can revisit. we will need to update our own protobuf version though > Update protobuf 3.7.1 to a version without CVE-2021-22569 > --------------------------------------------------------- > > Key: HADOOP-18197 > URL: https://issues.apache.org/jira/browse/HADOOP-18197 > Project: Hadoop Common > Issue Type: Improvement > Reporter: Ivan Viaznikov > Priority: Major > Labels: security > > The artifact `org.apache.hadoop:hadoop-common` brings in a dependency > `com.google.protobuf:protobuf-java:2.5.0`, which is an outdated version > released in 2013 and it contains a vulnerability > [CVE-2021-22569|https://nvd.nist.gov/vuln/detail/CVE-2021-22569]. > Therefore, requesting you to clarify if this library version is going to be > updated in the following releases -- This message was sent by Atlassian Jira (v8.20.1#820001) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org