HADOOP-18843. Guava version 32.0.1 bump to fix CVE-2023-2976 #23
@jojochuang Can this be done? This is the only dependency of hadoop-common that still has guava 31.1-jre
Can you also update the version in LICENSE-binary?
Created a jira to track this task.
This is the list of dependencies after the change:
[INFO] org.apache.hadoop.thirdparty:hadoop-shaded-guava:jar:1.2.0-SNAPSHOT
[INFO] \- com.google.guava:guava:jar:32.0.1-jre:compile
[INFO]    +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO]    +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO]    +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO]    +- org.checkerframework:checker-qual:jar:3.33.0:compile
[INFO]    +- com.google.errorprone:error_prone_annotations:jar:2.18.0:compile
[INFO]    \- com.google.j2objc:j2objc-annotations:jar:2.8:compile
We'd also need to release a new hadoop-thirdparty version so the main hadoop repo can use it.
@jojochuang Done.
Hi @jojochuang @fredbalves86, will this be available in a new release soon out of curiosity?
@Killianoc no schedule
@jojochuang any ETA on this?
Is there any movement here?
Is this getting merged anytime soon?
I've hit the approve and run button to see what the CI builds say. If things are good I'll merge.
Any chance you could merge this soon? Got a CVE reporting against hadoop-shaded-guava.
@steveloughran any chance of this being merged and a new version released soon?
ok, let's merge. @fredbalves86 what name do you want to use for credit in the commit message?
You can use Frederico Alves. I don't have an Apache Jira account.
done. mukund has been looking at doing a new 3.3.x release...we should get this out first |
@steveloughran when will mvn repo be updated with the new jar? |
new release is out; 3.4.0 RC2 will ship it! |
Bumping guava version to 32.0.1-jre to fix CVE-2023-2976