HADOOP-18197. Upgrade Protobuf-Java to 3.21.12 (#26)

This patch bumps up the protobuf version so that Hadoop is not a vulnerable to CVE-2021-22569. This does rename the module hadoop-shaded-protobuf_3_7 because that significantly complicates imports/upgrading. This also fixes up the parent POM references in the child modules as IntelliJ requires a full path. Contributed by PJ Fanning
apache · Jan 11, 2024 · df92347 · df92347
1 parent 52c38fe
commit df92347
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 10 deletions.
diff --git a/LICENSE-binary b/LICENSE-binary
@@ -218,7 +218,7 @@ See licenses-binary/ for text of these licenses.
 
 BSD 3-Clause
 ------------
-com.google.protobuf:protobuf-java:3.7.1
+com.google.protobuf:protobuf-java:3.21.12
 
 
 MIT License

diff --git a/hadoop-shaded-guava/pom.xml b/hadoop-shaded-guava/pom.xml
@@ -24,7 +24,7 @@
         <artifactId>hadoop-thirdparty</artifactId>
         <groupId>org.apache.hadoop.thirdparty</groupId>
         <version>1.2.0-SNAPSHOT</version>
-        <relativePath>..</relativePath>
+        <relativePath>../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>
     <artifactId>hadoop-shaded-guava</artifactId>

diff --git a/hadoop-shaded-protobuf_3_7/pom.xml → hadoop-shaded-protobuf_3_21/pom.xml b/hadoop-shaded-protobuf_3_7/pom.xml → hadoop-shaded-protobuf_3_21/pom.xml
@@ -24,11 +24,11 @@
     <artifactId>hadoop-thirdparty</artifactId>
     <groupId>org.apache.hadoop.thirdparty</groupId>
     <version>1.2.0-SNAPSHOT</version>
-    <relativePath>..</relativePath>
+    <relativePath>../pom.xml</relativePath>
   </parent>
   <modelVersion>4.0.0</modelVersion>
-  <artifactId>hadoop-shaded-protobuf_3_7</artifactId>
-  <name>Apache Hadoop shaded Protobuf 3.7</name>
+  <artifactId>hadoop-shaded-protobuf_3_21</artifactId>
+  <name>Apache Hadoop shaded Protobuf</name>
   <packaging>jar</packaging>
 
   <properties>
@@ -38,7 +38,7 @@
     <dependency>
       <groupId>com.google.protobuf</groupId>
       <artifactId>protobuf-java</artifactId>
-      <version>${protobuf_3_7.version}</version>
+      <version>${protobuf_3.version}</version>
     </dependency>
   </dependencies>
 

diff --git a/pom.xml b/pom.xml
@@ -94,7 +94,7 @@
     <!--thirdparty dependency versions-->
     <shaded.prefix>org.apache.hadoop.thirdparty</shaded.prefix>
     <protobuf.shade.prefix>${shaded.prefix}.protobuf</protobuf.shade.prefix>
-    <protobuf_3_7.version>3.7.1</protobuf_3_7.version>
+    <protobuf_3.version>3.21.12</protobuf_3.version>
     <guava.version>32.0.1-jre</guava.version>
     <avro.version>1.11.3</avro.version>
 
@@ -123,7 +123,7 @@
   </organization>
 
   <modules>
-    <module>hadoop-shaded-protobuf_3_7</module>
+    <module>hadoop-shaded-protobuf_3_21</module>
     <module>hadoop-shaded-guava</module>
     <module>hadoop-shaded-avro_1_11</module>
   </modules>

diff --git a/src/site/markdown/index.md.vm b/src/site/markdown/index.md.vm
@@ -42,9 +42,9 @@ This page provides an overview of the major changes.
 
 Protobuf-java
 -------------
-Google Protobuf's 3.7.1 jar is available as *org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_7* artifact.
+Google Protobuf's 3.21.12 jar is available as *org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_21* artifact.
 
-Following are relocations under *hadoop-shaded-protobuf_3_7* artifact:
+Following are relocations under *hadoop-shaded-protobuf_3_21* artifact:
 
 |Original package | Shaded package |
 |---|---|