Posted to commits@bookkeeper.apache.org by ch...@apache.org on 2023/03/29 11:18:27 UTC

[bookkeeper] 03/03: upgrade hadoop version to 3.3.5 to resolve CVE-2019-10202 (#3896)

This is an automated email from the ASF dual-hosted git repository.

chenhang pushed a commit to branch branch-4.16
in repository https://gitbox.apache.org/repos/asf/bookkeeper.git

commit c14d5523a33743e788a310f78df5f3ff22d8875f
Author: Hang Chen <ch...@apache.org>
AuthorDate: Wed Mar 29 17:42:05 2023 +0800

    upgrade hadoop version to 3.3.5 to resolve CVE-2019-10202 (#3896)
    
    ### Motivation
    There is a critical CVE-2019-10202 in `org.codehaus.jackson:jackson-mapper-asl`
    
    Detailed paths
    Introduced through: org.apache.distributedlog:dlfs@4.16.0-SNAPSHOT › org.apache.hadoop:hadoop-common@3.3.4 › org.apache.avro:avro@1.7.7 › org.codehaus.jackson:jackson-mapper-asl@1.9.2
    Fix: No remediation path available.
    Introduced through: org.apache.distributedlog:dlfs@4.16.0-SNAPSHOT › org.apache.hadoop:hadoop-common@3.3.4 › com.sun.jersey:jersey-json@1.19 › org.codehaus.jackson:jackson-mapper-asl@1.9.2
    Fix: No remediation path available.
    Introduced through: org.apache.distributedlog:dlfs@4.16.0-SNAPSHOT › org.apache.hadoop:hadoop-common@3.3.4 › com.sun.jersey:jersey-json@1.19 › org.codehaus.jackson:jackson-jaxrs@1.9.2 › org.codehaus.jackson:jackson-mapper-asl@1.9.2
    Fix: No remediation path available.
    Introduced through: org.apache.distributedlog:dlfs@4.16.0-SNAPSHOT › org.apache.hadoop:hadoop-common@3.3.4 › com.sun.jersey:jersey-json@1.19 › org.codehaus.jackson:jackson-xc@1.9.2 › org.codehaus.jackson:jackson-mapper-asl@1.9.2
    Fix: No remediation path available.
    
    ### Changes
    Upgrade hadoop-common version from 3.3.4 to 3.3.5 to resolve this CVE
    
    (cherry picked from commit 0171a408e21a51eb74e18a07df1b0ea71b7638ff)
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 89918cce5c..b43f99371d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -135,7 +135,7 @@
     <grpc.version>1.47.0</grpc.version>
     <guava.version>31.0.1-jre</guava.version>
     <kerby.version>1.1.1</kerby.version>
-    <hadoop.version>3.3.4</hadoop.version>
+    <hadoop.version>3.3.5</hadoop.version>
     <hamcrest.version>1.3</hamcrest.version>
     <hdrhistogram.version>2.1.10</hdrhistogram.version>
     <jackson.version>2.13.4.20221013</jackson.version>
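Review bot: The `<hadoop.version>` change from 3.3.4 to 3.3.5 is the only safeguard here, and nothing in this hunk verifies or enforces that `org.codehaus.jackson:jackson-mapper-asl@1.9.2` actually leaves the dependency graph. The commit message lists four paths through `hadoop-common` (via `avro` and `jersey-json`), so the fix depends entirely on what 3.3.5 pulls in transitively, and a later Hadoop bump or another dependency could reintroduce the artifact unnoticed. Consider confirming the result with `mvn dependency:tree -Dincludes=org.codehaus.jackson` on the `dlfs` module and recording the output in the PR. A maven-enforcer `bannedDependencies` rule for `org.codehaus.jackson:jackson-mapper-asl` would make the build fail if the artifact returns. Because this is a shared property, any other artifact that references `${hadoop.version}` also moves to 3.3.5, so that is worth a line in the commit message too.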