[ 
https://issues.apache.org/jira/browse/HADOOP-18197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17706870#comment-17706870
 ] 

ASF GitHub Bot commented on HADOOP-18197:
-----------------------------------------

steveloughran commented on PR #4418:
URL: https://github.com/apache/hadoop/pull/4418#issuecomment-1490261364

   @xizhu-mstr @tooptoop4 I'm not actively working on this; too many pressing 
issues and after getting 3.3.5 out the door I'm catching up with the internal 
stuff. Either of you two want to take it on?
   
   I'd also like to get #4996 in; if anyone wants to run with that, I'd be very 
happy. We shouldn't need protobuf 2.5 on the CP given we aren't using it.




> Update protobuf 3.7.1 to a version without CVE-2021-22569
> ---------------------------------------------------------
>
>                 Key: HADOOP-18197
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18197
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Ivan Viaznikov
>            Priority: Major
>              Labels: pull-request-available, security
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> The artifact `org.apache.hadoop:hadoop-common` brings in a dependency 
> `com.google.protobuf:protobuf-java:2.5.0`, which is an outdated version 
> released in 2013 and contains a vulnerability, 
> [CVE-2021-22569|https://nvd.nist.gov/vuln/detail/CVE-2021-22569].
> Therefore, requesting that you clarify whether this library version is going to be 
> updated in the following releases.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
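The issue above reports that hadoop-common drags `protobuf-java:2.5.0` onto the classpath transitively, and the comment notes that the 2.5 jar should not be needed there at all. A downstream build can verify what it is actually shipping by scanning `mvn dependency:tree` output for every `com.google.protobuf:protobuf-java` node, recording which direct dependency pulls each one in, and comparing the version against the fixed releases for CVE-2021-22569 (3.16.1, 3.18.2 and 3.19.2 on their respective lines, per the upstream protobuf advisory). The script below is an added example, not Hadoop project code; the sample tree, the `org.example` artifacts and their version numbers are constructed. One caveat it makes visible: a shaded copy of protobuf, such as the one inside `hadoop-shaded-protobuf_3_7` that the issue title refers to, carries no `com.google.protobuf` coordinate and will not be found by any coordinate-based scan.

```python
"""Scan `mvn dependency:tree` output for protobuf-java versions affected by CVE-2021-22569.

Added example, not Hadoop project code. SAMPLE_TREE is constructed; the
fixed-version boundaries (3.16.1, 3.18.2, 3.19.2) follow the upstream
protobuf advisory for CVE-2021-22569.
"""
import re
from typing import Dict, List, Tuple

# Maven coordinate as printed by dependency:tree:
#   group:artifact:packaging[:classifier]:version[:scope]
DEP_RE = re.compile(
    r"(?P<group>[A-Za-z0-9_.\-]+):(?P<artifact>[A-Za-z0-9_.\-]+):"
    r"(?P<packaging>[A-Za-z0-9_.\-]+):(?:(?P<classifier>[A-Za-z0-9_.\-]+):)?"
    r"(?P<version>[0-9][A-Za-z0-9_.\-]*)(?::(?P<scope>[a-z]+))?"
)

# Constructed sample of `mvn dependency:tree` output for a hypothetical downstream project.
SAMPLE_TREE = r"""[INFO] Scanning for projects...
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ ingest ---
[INFO] org.example:ingest:jar:1.0.0
[INFO] +- org.apache.hadoop:hadoop-common:jar:3.3.4:compile
[INFO] |  +- com.google.protobuf:protobuf-java:jar:2.5.0:compile
[INFO] |  \- org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_7:jar:1.1.1:compile
[INFO] +- org.example:rpc-client:jar:2.0.0:compile
[INFO] |  \- com.google.protobuf:protobuf-java:jar:3.17.3:compile
[INFO] \- com.google.protobuf:protobuf-java-util:jar:3.19.4:compile
[INFO]    \- com.google.protobuf:protobuf-java:jar:3.19.4:compile
"""


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce '3.19.4' or '3.20.0-rc1' to a comparable (major, minor, patch) tuple."""
    nums: List[int] = []
    for part in version.split("-")[0].split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_affected(version: str) -> bool:
    """True if this protobuf-java version predates the CVE-2021-22569 fix on its line.

    Fixed in 3.16.1, 3.18.2 and 3.19.2 (and later on each line); anything
    older, including the 2.5.0 and 3.7.1 named in the issue, is affected.
    """
    v = parse_version(version)
    if v < (3, 16, 1):
        return True
    if (3, 17, 0) <= v < (3, 18, 2):
        return True
    if (3, 19, 0) <= v < (3, 19, 2):
        return True
    return False


def find_protobuf(tree: str) -> List[Dict[str, object]]:
    """Return every protobuf-java node with the direct dependency that pulls it in."""
    hits: List[Dict[str, object]] = []
    stack: List[str] = []  # artifactIds from the root project down to the current node
    for line in tree.splitlines():
        body = line[len("[INFO] "):] if line.startswith("[INFO] ") else line
        m = DEP_RE.search(body)
        if not m:
            continue  # log chatter, plugin banner, etc.
        # Tree connectors occupy 3 columns per level ("+- ", "|  ", "\- "); the root has none.
        depth = len(body[: m.start()]) // 3 - 1
        del stack[depth + 1:]
        stack.append(m.group("artifact"))
        if m.group("group") != "com.google.protobuf" or m.group("artifact") != "protobuf-java":
            continue
        version = m.group("version")
        hits.append({
            "version": version,
            "scope": m.group("scope"),
            "via": stack[1] if len(stack) > 2 else "direct",
            "affected": is_affected(version),
        })
    return hits


if __name__ == "__main__":
    for h in find_protobuf(SAMPLE_TREE):
        status = "AFFECTED" if h["affected"] else "fixed"
        print(f"protobuf-java {h['version']} ({h['scope']}) via {h['via']}: {status}")
```

Run against the constructed tree, this reports 2.5.0 (via hadoop-common) and 3.17.3 (via rpc-client) as affected and 3.19.4 as fixed; the shaded `hadoop-shaded-protobuf_3_7` node is walked but, having no `com.google.protobuf` coordinate, is never reported, which is exactly why its contents have to be checked separately. For a real project, pipe `mvn dependency:tree` into `find_protobuf`, and note that `dependency:tree -Dverbose` shows omitted conflict versions too, so the version that actually wins mediation is the one to act on.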
