[ https://issues.apache.org/jira/browse/HADOOP-18646?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17693961#comment-17693961 ]
ASF GitHub Bot commented on HADOOP-18646: ----------------------------------------- steveloughran commented on PR #5435: URL: https://github.com/apache/hadoop/pull/5435#issuecomment-1446129044 Right, I have just done the x86 RC this weekend and I am doing the arm64 one right now, and with a goal of putting the RC2 out for a vote buy about 17:00 UTC. Is the CVE something to which Hadoop is actually vulnerable to? Because we have lots of other issues and trying to keep every single transient jar up to date is a losing battle. If I hold off it will cost time and then something else will come up and I absolutely want to get this up for a vote by tomorrow. Also, last minute JAR updates are incredibly dangerous nobody will have any time to have tested the release for regressions. I am scared of them. I want to get this release out the way and then we can start worrying about what we do in a follow up in a few months time -which can absolutely take this update as it gives us the time to make sure this update works. So, please make the case for why this CVE should force the cancelling of the in-progress RC. Otherwise given all the other pressing issues we have to fix in this release I really want to say no. > Upgrade Netty to 4.1.89.Final > ----------------------------- > > Key: HADOOP-18646 > URL: https://issues.apache.org/jira/browse/HADOOP-18646 > Project: Hadoop Common > Issue Type: Improvement > Components: build > Affects Versions: 3.3.4 > Reporter: Aleksandr Nikolaev > Assignee: Aleksandr Nikolaev > Priority: Major > Labels: pull-request-available > > h4. Netty version - 4.1.89 has fix CVEs: > [CVE-2022-41881|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41881] > -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org