[ 
https://issues.apache.org/jira/browse/HADOOP-18197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17577362#comment-17577362
 ] 

Steve Loughran commented on HADOOP-18197:
-----------------------------------------

That unshaded protobuf 2.5 has primarily been there to stop breaking other 
things. We could cut it and say "if you really need this, here it is, but really 
you should rebuild with your own version of Protobuf."

Internally, we need a new version of that shaded library. I don't believe that 
putting a new version into our shaded lib with the same class names is the 
right thing to do. Instead I think we need a new shaded protobuf release with a 
different package name, and all our code rebuilt to link against that version.

As for the shaded 3.7.1 package, we can cut it. If we have made any guarantees 
to maintain it (have we?), then we could release it as a self-contained library 
which we don't include in our package, or we somehow get it into the fat jar. 
Though that is implicitly committing to including not just it but all later 
protobuf versions which we release. Just upgrading our own package and saying 
"let's release this and rebuild Hadoop 3.3.9+ against it" would be the easiest.

1. I want to fork the next 3.3.x release off branch-3.3 by the end of the month.
2. I am not in a position to personally do the migration. If anyone else can put 
in the time it would be wonderful.
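The "shaded protobuf release with a different package name" idea above is the standard relocation trick: the shade plugin rewrites the bytecode so the bundled copy of protobuf lives under a project-specific package and can never collide with whatever `com.google.protobuf` a downstream application ships. The Maven fragment below is an added illustration, not part of this comment or of Hadoop's own build; the module name, the version property and the `org.example.shaded.protobuf` target package are placeholders chosen for the example.

```xml
<!-- Added example: a shaded protobuf artifact that relocates the library
     into its own package. Names and versions are placeholders, not Hadoop's. -->
<project>
  <groupId>org.example</groupId>
  <artifactId>example-shaded-protobuf</artifactId>
  <version>1.0.0</version>

  <dependencies>
    <dependency>
      <groupId>com.google.protobuf</groupId>
      <artifactId>protobuf-java</artifactId>
      <!-- placeholder: pick a release without the CVE named in the issue -->
      <version>${protobuf.version}</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-shade-plugin</artifactId>
        <executions>
          <execution>
            <phase>package</phase>
            <goals>
              <goal>shade</goal>
            </goals>
            <configuration>
              <relocations>
                <relocation>
                  <!-- every com.google.protobuf.* class is rewritten to
                       live under the project's own package, so a different
                       protobuf on the application classpath cannot clash -->
                  <pattern>com.google.protobuf</pattern>
                  <shadedPattern>org.example.shaded.protobuf</shadedPattern>
                </relocation>
              </relocations>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Code that wants the shaded copy then imports `org.example.shaded.protobuf.Message` instead of `com.google.protobuf.Message`, which is exactly the "all our code rebuilt to link against that version" step: bumping the bundled protobuf later is a version change in one place, and a scanner looking for the vulnerable `com.google.protobuf:protobuf-java` coordinate no longer sees it transitively exposed to downstream users.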

> Update protobuf 3.7.1 to a version without CVE-2021-22569
> ---------------------------------------------------------
>
>                 Key: HADOOP-18197
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18197
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Ivan Viaznikov
>            Priority: Major
>              Labels: pull-request-available, security
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> The artifact `org.apache.hadoop:hadoop-common` brings in a dependency 
> `com.google.protobuf:protobuf-java:2.5.0`, which is an outdated version 
> released in 2013 and it contains a vulnerability 
> [CVE-2021-22569|https://nvd.nist.gov/vuln/detail/CVE-2021-22569].
> Therefore, requesting you to clarify if this library version is going to be 
> updated in the following releases.


