[jira] [Commented] (KUDU-3626) The dependency version of Thrift needs to be updated

Thu, 19 Dec 2024 13:15:59 -0800 


    [ 
https://issues.apache.org/jira/browse/KUDU-3626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17907196#comment-17907196
 ] 

ASF subversion and git services commented on KUDU-3626:
-------------------------------------------------------

Commit 45920136a8c17234912a94fb4080038f1f6af13e in kudu's branch 
refs/heads/branch-1.18.x from Abhishek Chennaka
[ https://gitbox.apache.org/repos/asf?p=kudu.git;h=45920136a ]

[thirdparty] KUDU-3626 update PostgreSQL and its JDBC driver

This addresses several CVEs[1] affecting current PostgresSQL
and PostgresSQL JDBC driver by upgrading them to versions
17.2 and 42.7.4 respectively.

[1]
CVE-2024-10979
CVE-2024-10978
CVE-2024-10977
CVE-2024-10976
CVE-2024-7348
CVE-2024-0985
CVE-2023-39417
CVE-2023-5870
CVE-2023-5869
CVE-2023-5868
CVE-2023-2455
CVE-2023-2454
CVE-2022-41862
CVE-2022-2625
CVE-2022-1552
CVE-2021-32029
CVE-2021-32028
CVE-2021-32027
CVE-2021-23222
CVE-2021-23214
CVE-2021-3677
CVE-2021-3393
CVE-2020-25696
CVE-2020-25695
CVE-2020-25694
CVE-2020-14350
CVE-2020-14349

Change-Id: I8693c0cecdc704f6ca1166af0fe14bc41256f629
Reviewed-on: http://gerrit.cloudera.org:8080/22170
Tested-by: Abhishek Chennaka <[email protected]>
Reviewed-by: Alexey Serbin <[email protected]>
(cherry picked from commit e4bfac1c297dd5473fd71025d1f469f2887b33d1)
Reviewed-on: http://gerrit.cloudera.org:8080/22241
Tested-by: Kudu Jenkins
Reviewed-by: Abhishek Chennaka <[email protected]>


> The dependency version of Thrift needs to be updated
> ----------------------------------------------------
>
>                 Key: KUDU-3626
>                 URL: https://issues.apache.org/jira/browse/KUDU-3626
>             Project: Kudu
>          Issue Type: Improvement
>            Reporter: Peter Lee
>            Priority: Major
>
> Hi dear Kudu team, thank you for your great work in Kudu.
> I noticed that Kudu is still depending on Thrift 0.11.0, which is affected by 
> some vulnerabilities, such as CVE-2018-1320, CVE-2019-0210, and 
> CVE-2019-0205. Maybe we could bump Thrift to a newer version without 
> vulnerabilities, like 0.20.0.
> Besides this, there are some other dependencies with vulnerabilities, like 
> Apache Hadoop, postgresql, protobuf, and yaml-cpp. It will be appreciated if 
> you can also bump their versions.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to