[ https://issues.apache.org/jira/browse/HADOOP-18079?focusedWorklogId=796154&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-796154 ]
ASF GitHub Bot logged work on HADOOP-18079:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 28/Jul/22 17:56
            Start Date: 28/Jul/22 17:56
    Worklog Time Spent: 10m
      Work Description: jojochuang commented on PR #4593:
URL: https://github.com/apache/hadoop/pull/4593#issuecomment-1198459811

   It is my understanding that transitive dependencies should be included.
   https://infra.apache.org/licensing-howto.html#deps-of-deps

   Does it make sense to exclude transitive dependencies that are not used by Hadoop's use of Netty? I'm not sure what it implies for downstream applications that implicitly import Netty from Hadoop.

Issue Time Tracking
-------------------

    Worklog Id:     (was: 796154)
    Time Spent: 5h 40m  (was: 5.5h)

> Upgrade Netty to 4.1.77.Final
> -----------------------------
>
>                 Key: HADOOP-18079
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18079
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: build
>    Affects Versions: 3.3.3
>            Reporter: Renukaprasad C
>            Assignee: Wei-Chiu Chuang
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.0, 3.3.4, 3.2.5
>
>          Time Spent: 5h 40m
>  Remaining Estimate: 0h
>
> h4. Netty version - 4.1.71 has fixed some CVEs.
> CVE-2019-20444,
> CVE-2019-20445
> CVE-2022-24823
> Upgrade to latest version.