Posted to dev@avro.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/01/13 17:59:00 UTC

[jira] [Work logged] (AVRO-3304) avro-tools Update log4j dependency for critical vulnerability

     [ https://issues.apache.org/jira/browse/AVRO-3304?focusedWorklogId=708541&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-708541 ]

ASF GitHub Bot logged work on AVRO-3304:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 13/Jan/22 17:58
            Start Date: 13/Jan/22 17:58
    Worklog Time Spent: 10m 
      Work Description: RyanSkraba opened a new pull request #1458:
URL: https://github.com/apache/avro/pull/1458


   Before:
   
   ```
   avrotool_snap tojson ./lang/java/mapred/target/test-classes/org/apache/avro/mapreduce/mapreduce-test-input.avro/part-r-00000.avro
   22/01/13 18:47:32 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
   {"name":"apple","count":3}
   {"name":"banana","count":2}
   {"name":"carrot","count":1}
   ```
   
   After:

   ```
   avrotool_snap tojson ./lang/java/mapred/target/test-classes/org/apache/avro/mapreduce/mapreduce-test-input.avro/part-r-00000.avro
   [main] WARN org.apache.hadoop.util.NativeCodeLoader - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
   {"name":"apple","count":3}
   {"name":"banana","count":2}
   {"name":"carrot","count":1}
   ```
   
   
   ### Jira
   
   - [X] My PR addresses the following [Avro Jira](https://issues.apache.org/jira/browse/AVRO/) issues and references them in the PR title. For example, "AVRO-1234: My Avro PR"
     - https://issues.apache.org/jira/browse/AVRO-3304
     - In case you are adding a dependency, check if the license complies with the [ASF 3rd Party License Policy](https://www.apache.org/legal/resolved.html#category-x).
   
   ### Tests
   
   - [X] My PR adds the following unit tests __OR__ does not need testing for this extremely good reason:  Manually verified the change:
   
   
   
   ### Commits
   
   - [X] My commits all reference Jira issues in their subject lines. In addition, my commits follow the guidelines from "[How to write a good git commit message](https://chris.beams.io/posts/git-commit/)":
     1. Subject is separated from body by a blank line
     1. Subject is limited to 50 characters (not including Jira issue reference)
     1. Subject does not end with a period
     1. Subject uses the imperative mood ("add", not "adding")
     1. Body wraps at 72 characters
     1. Body explains "what" and "why", not "how"
   
   ### Documentation
   
   - [ ] In case of new functionality, my PR adds documentation that describes how to use it.
     - All the public functions and the classes in the PR contain Javadoc that explain what it does
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@avro.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

            Worklog Id:     (was: 708541)
    Remaining Estimate: 0h
            Time Spent: 10m

> avro-tools Update log4j dependency for critical vulnerability
> -------------------------------------------------------------
>
>                 Key: AVRO-3304
>                 URL: https://issues.apache.org/jira/browse/AVRO-3304
>             Project: Apache Avro
>          Issue Type: Task
>          Components: tools
>    Affects Versions: 1.11.0
>            Reporter: Daniel Nash
>            Assignee: Ryan Skraba
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Our company security is having a fit because Nessus scans are triggering on the bundled log4j in the avro-tools.jar.  Please update the log4j dependencies to the latest versions to remove the critical vulnerability present in the currently bundled log4j.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)