[ https://issues.apache.org/jira/browse/RANGER-4038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17950286#comment-17950286 ]
Grzegorz Kokosinski commented on RANGER-4038:
---------------------------------------------

It looks like they have tried to migrate to jakarta in https://github.com/apache/hadoop/pull/7130/files, but it got rejected eventually. Would it be possible that we could shade hadoop dependencies so they could use javax and we could use jakarta? It is kind of difficult (snowball effect) if we would like to update the entire dependency stack.

> Upgrade spring framework and spring security versions
> -----------------------------------------------------
>
>                 Key: RANGER-4038
>                 URL: https://issues.apache.org/jira/browse/RANGER-4038
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Himanshu Maurya
>            Priority: Major
>
> Pivotal Spring Framework up to (excluding) 6.0.0 suffers from a potential
> remote code execution (RCE) issue if used for Java deserialization of
> untrusted data. Depending on how the library is implemented within a product,
> this issue may or may not occur, and authentication may be required.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)