Details
- Improvement
- Status: Resolved
- Major
- Resolution: Fixed
- thirdparty-1.2.0
- Reviewed
Description
The artifact `org.apache.hadoop:hadoop-common` brings in a dependency `com.google.protobuf:protobuf-java:2.5.0`, which is an outdated version released in 2013, and it contains a vulnerability, CVE-2021-22569.
Therefore, requesting you to clarify if this library version is going to be updated in the following releases.
Issue Links
- duplicates
  - HADOOP-17860 (Open): Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities #CVE-2015-5237, CVE-2019-15544,
- is duplicated by
  - HADOOP-18848 (Open): Upgrade protobuf to 3.15.0 or newer
- is related to
  - HADOOP-19099 (Resolved): Add Protobuf Compatibility Notes
  - HADOOP-19090 (Resolved): Update Protocol Buffers installation to 3.23.4