Posted to issues@bigtop.apache.org by "Kengo Seki (Jira)" <ji...@apache.org> on 2022/04/25 13:10:00 UTC

[jira] [Resolved] (BIGTOP-3671) Add a patch for CVE-2021-22569 to bigtop_toolchain

     [ https://issues.apache.org/jira/browse/BIGTOP-3671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kengo Seki resolved BIGTOP-3671.
--------------------------------
    Fix Version/s: 3.1.0
       Resolution: Fixed

> Add a patch for CVE-2021-22569 to bigtop_toolchain
> --------------------------------------------------
>
>                 Key: BIGTOP-3671
>                 URL: https://issues.apache.org/jira/browse/BIGTOP-3671
>             Project: Bigtop
>          Issue Type: Bug
>          Components: toolchain
>            Reporter: Masatake Iwasaki
>            Assignee: Masatake Iwasaki
>            Priority: Major
>             Fix For: 3.1.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> [PR#9371 of protobuf|https://github.com/protocolbuffers/protobuf/pull/9371] is the fix for the vulnerability in protobuf-java. [~apurtell] provided us with a backported patch for protobuf-2.5.0. Users can locally install the patched protobuf-java from the source code set up by bigtop_toolchain (under /usr/src/protobuf-2.5.0/java) for their own builds.
> Using the patched protobuf-java for packaging is out of the scope of this issue. We are using only protoc, and protobuf-java is pulled from public Maven repos now. It may be addressed in follow-up JIRAs.


