[ https://issues.apache.org/jira/browse/HADOOP-18197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17756952#comment-17756952 ]
ASF GitHub Bot commented on HADOOP-18197:
-----------------------------------------

steveloughran commented on PR #4418:
URL: https://github.com/apache/hadoop/pull/4418#issuecomment-1686463509

says 3.21.x... we should take the latest one we can which doesn't include other surprises... pr and jira can be set to the final version which goes in as it is merged

> Update protobuf 3.7.1 to a version without CVE-2021-22569
> ---------------------------------------------------------
>
>                 Key: HADOOP-18197
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18197
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Ivan Viaznikov
>            Priority: Major
>              Labels: pull-request-available, security
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> The artifact `org.apache.hadoop:hadoop-common` brings in a dependency
> `com.google.protobuf:protobuf-java:2.5.0`, which is an outdated version
> released in 2013 and contains a vulnerability
> [CVE-2021-22569|https://nvd.nist.gov/vuln/detail/CVE-2021-22569].
> Therefore, requesting you to clarify if this library version is going to be
> updated in the following releases

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
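The issue above is about a transitive `protobuf-java` pulled in through `hadoop-common`. The following is an added example (not code from the Hadoop project or from PR #4418) that walks `mvn dependency:tree` output, reports every `protobuf-java` node with the chain of artifacts that brought it in, and checks the version against the affected ranges for CVE-2021-22569. The range boundaries are assumed from the GitHub advisory GHSA-wrvw-hg22-4m67 rather than from the page, and the tree text is a constructed sample.

```python
import re

# Affected protobuf-java ranges for CVE-2021-22569 (assumption: taken from the
# GitHub advisory GHSA-wrvw-hg22-4m67, not from the PR or Jira issue).
# Vulnerable: < 3.16.1, 3.17.0 <= v < 3.18.2, 3.19.0 <= v < 3.19.2.
VULNERABLE_RANGES = [((0, 0, 0), (3, 16, 1)), ((3, 17, 0), (3, 18, 2)), ((3, 19, 0), (3, 19, 2))]
PROTOBUF = "com.google.protobuf:protobuf-java"


def parse_version(version):
    """Turn '3.21.12' into (3, 21, 12); non-numeric suffixes are ignored."""
    nums = [int(x) for x in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_vulnerable(version):
    """True if this protobuf-java version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in VULNERABLE_RANGES)


def find_protobuf(tree_text):
    """Walk `mvn dependency:tree` output and return (version, path) for every
    protobuf-java node; path is the chain of artifacts that pulled it in."""
    found, stack = [], []
    for raw in tree_text.splitlines():
        line = raw.replace("[INFO] ", "", 1)
        m = re.search(r"[A-Za-z0-9]", line)
        if not m or ":" not in line:
            continue  # separators and log chatter carry no coordinates
        depth = m.start() // 3  # each tree level is 3 chars wide ("+- ", "|  ")
        parts = line[m.start():].split(":")  # groupId:artifactId:type[:classifier]:version[:scope]
        version = parts[3] if len(parts) == 4 else parts[-2]  # the root line has no scope
        del stack[depth:]  # climb back up to this node's parent
        stack.append(f"{parts[0]}:{parts[1]}:{version}")
        if f"{parts[0]}:{parts[1]}" == PROTOBUF:
            found.append((version, list(stack)))
    return found


# Constructed sample of `mvn dependency:tree` output, not captured from a real build.
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0
[INFO] +- org.apache.hadoop:hadoop-common:jar:3.3.4:compile
[INFO] |  \\- com.google.protobuf:protobuf-java:jar:2.5.0:compile
[INFO] \\- commons-io:commons-io:jar:2.11.0:compile
"""

if __name__ == "__main__":
    for version, path in find_protobuf(SAMPLE_TREE):
        status = "VULNERABLE (CVE-2021-22569)" if is_vulnerable(version) else "ok"
        print(f"protobuf-java {version}: {status}\n  via " + " -> ".join(path))
```

Run it against real output from `mvn dependency:tree -Dincludes=com.google.protobuf` to see which of your modules is the one that drags the old version in.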