[ https://issues.apache.org/jira/browse/HADOOP-17860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17623819#comment-17623819 ]
Steve Loughran commented on HADOOP-17860:
-----------------------------------------

[~toopt4] please review HADOOP-18487 and the PR to update our shaded protobuf library https://github.com/apache/hadoop/pull/4418

we are an open source project which depends on contributions from the community. if we can get those two PRs in then the 3.3.5 release will be free of these issues. if we don't get the reviews and approval, then they will still be in there.

*we need more than regular notifications of CVEs in dependencies in order to make those CVEs go away*

further reading: https://steveloughran.blogspot.com/2022/08/transitive-issues.html

> Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities #CVE-2015-5237, CVE-2019-15544,
> ------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-17860
> URL: https://issues.apache.org/jira/browse/HADOOP-17860
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Sushanta Sen
> Priority: Major
>
> Third party jar protobuf-java-2.5.0.jar reports vulnerabilities # CVE-2015-5237, CVE-2019-15544 and needs to be upgraded.
>
> CVE-2019-15544:
> Vulnerability Description: An issue was discovered in the protobuf crate before 2.6.0 for Rust. Attackers can exhaust all memory via Vec::reserve calls.
>
> CVE-2015-5237:
> Vulnerability Description: protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.
>
> Please review and let me know if you have any concerns or would like to add more details to upgrade.