You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@bigtop.apache.org by "Kengo Seki (Jira)" <ji...@apache.org> on 2022/04/25 13:10:00 UTC
[jira] [Resolved] (BIGTOP-3671) Add a patch for CVE-2021-22569 to bigtop_toolchain
[ https://issues.apache.org/jira/browse/BIGTOP-3671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kengo Seki resolved BIGTOP-3671.
--------------------------------
Fix Version/s: 3.1.0
Resolution: Fixed
> Add a patch for CVE-2021-22569 to bigtop_toolchain
> --------------------------------------------------
>
> Key: BIGTOP-3671
> URL: https://issues.apache.org/jira/browse/BIGTOP-3671
> Project: Bigtop
> Issue Type: Bug
> Components: toolchain
> Reporter: Masatake Iwasaki
> Assignee: Masatake Iwasaki
> Priority: Major
> Fix For: 3.1.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> [PR#9371 of protobuf|https://github.com/protocolbuffers/protobuf/pull/9371] is the fix for vulnerability of protobuf-java. [~apurtell] provided us a backported patch for protobuf-2.5.0. Users can locally install patched protobuf-java from the source code set up by bigtop_toolchain (under /usr/src/protobuf-2.5.0/java) for their own build.
> Using patched protobuf-java for packaging is out of the scope of this issue. We are using only protoc and protobuf-java is pulled from public Maven repos now. It may be addressed in follow-up JIRAs.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)