[ https://issues.apache.org/jira/browse/TEZ-4403?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Syed Shameerur Rahman updated TEZ-4403:
---------------------------------------
    Description: 
Currently we are on slf4j 1.7.30 
[https://github.com/apache/tez/blob/master/pom.xml#L65]. As per 
https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12/1.7.30 , there are 
four CVEs against this version.
1. CVE-2022-23305
2. CVE-2022-23302
3. CVE-2021-4104
4. CVE-2019-17571

Upgrading to 1.7.36 
[https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12/1.7.36] should 
solve the security concerns.

Reference
1. https://github.com/apache/tez/blob/master/pom.xml#L256
2. https://github.com/apache/tez/blob/master/pom.xml#L240


  was:
Currently we are on slf4j 1.7.30 
[https://github.com/apache/tez/blob/master/pom.xml#L65]. As per 
https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12/1.7.30 , there are 
four CVEs against this version.
1. CVE-2022-23305
2. CVE-2022-23302
3. CVE-2021-4104
4. CVE-2019-17571

Upgrading to 1.7.34 
[https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12/1.7.34] should 
solve the security concerns.

Reference
1. https://github.com/apache/tez/blob/master/pom.xml#L256
2. https://github.com/apache/tez/blob/master/pom.xml#L240



> Upgrade SLF4J version to 1.7.36
> -------------------------------
>
>                 Key: TEZ-4403
>                 URL: https://issues.apache.org/jira/browse/TEZ-4403
>             Project: Apache Tez
>          Issue Type: Improvement
>            Reporter: Syed Shameerur Rahman
>            Assignee: Syed Shameerur Rahman
>            Priority: Major
>             Fix For: 0.10.2
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> Currently we are on slf4j 1.7.30 
> [https://github.com/apache/tez/blob/master/pom.xml#L65]. As per 
> https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12/1.7.30 , there are 
> four CVEs against this version.
> 1. CVE-2022-23305
> 2. CVE-2022-23302
> 3. CVE-2021-4104
> 4. CVE-2019-17571
> Upgrading to 1.7.36 
> [https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12/1.7.36] should 
> solve the security concerns.
> Reference
> 1. https://github.com/apache/tez/blob/master/pom.xml#L256
> 2. https://github.com/apache/tez/blob/master/pom.xml#L240



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
