[HADOOP-18197] Update protobuf 3.7.1 to a version without CVE-2021-22569 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: thirdparty-1.2.0
Fix Version/s: thirdparty-1.2.0
Component/s: hadoop-thirdparty
Labels:
- pull-request-available
- security

Target Version/s:

thirdparty-1.2.0
Hadoop Flags:

Reviewed

Description

The artifact `org.apache.hadoop:hadoop-common` brings in a dependency `com.google.protobuf:protobuf-java:2.5.0`, which is an outdated version released in 2013 and it contains a vulnerability CVE-2021-22569.

Therefore, requesting you to clarify if this library version is going to be updated in the following releases

Attachments

Issue Links

duplicates

HADOOP-17860 Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities #CVE-2015-5237, CVE-2019-15544,

Open

is duplicated by

HADOOP-18848 Upgrade protobuf to 3.15.0 or newer

Open

is related to

HADOOP-19099 Add Protobuf Compatibility Notes

Resolved

HADOOP-19090 Update Protocol Buffers installation to 3.23.4

Resolved

links to

GitHub Pull Request #19

GitHub Pull Request #26

GitHub Pull Request #4418

(2 links to)

Activity

People

Assignee:: PJ Fanning

Reporter:: Ivan Viaznikov

Votes:: 0 Vote for this issue

Watchers:: 14 Start watching this issue

Dates

Created:: 11/Apr/22 10:12

Updated:: 21/May/24 19:23

Resolved:: 28/Jan/24 09:47

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

2.5h