[ 
https://issues.apache.org/jira/browse/HADOOP-18079?focusedWorklogId=796154&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-796154
 ]

ASF GitHub Bot logged work on HADOOP-18079:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 28/Jul/22 17:56
            Start Date: 28/Jul/22 17:56
    Worklog Time Spent: 10m 
      Work Description: jojochuang commented on PR #4593:
URL: https://github.com/apache/hadoop/pull/4593#issuecomment-1198459811

   It is my understanding that transitive dependencies should be included.
   https://infra.apache.org/licensing-howto.html#deps-of-deps
   
   Does it make sense to exclude transitive dependencies that are not used by 
Hadoop's use of Netty? I'm not sure what it implies for downstream applications 
that implicitly import Netty from Hadoop.




Issue Time Tracking
-------------------

    Worklog Id:     (was: 796154)
    Time Spent: 5h 40m  (was: 5.5h)

> Upgrade Netty to 4.1.77.Final
> -----------------------------
>
>                 Key: HADOOP-18079
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18079
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: build
>    Affects Versions: 3.3.3
>            Reporter: Renukaprasad C
>            Assignee: Wei-Chiu Chuang
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.0, 3.3.4, 3.2.5
>
>          Time Spent: 5h 40m
>  Remaining Estimate: 0h
>
> h4. Netty version - 4.1.71 has fixed some CVEs.
> CVE-2019-20444,
> CVE-2019-20445
> CVE-2022-24823
> Upgrade to latest version.


