HADOOP-18197. Upgrade protobuf to 3.21.x through upgraded hadoop-shaded-protobuf jar) #4418
Conversation
💔 -1 overall
This message was automatically generated.
This patch bumps up the protobuf version so that Hadoop is not vulnerable to CVE-2021-22569. Depends on a version of hadoop-shaded-protobuf_3_7 with the update; this PR does this by depending on 1.2.0-SNAPSHOT...this is only going to work for local builds
Change-Id: Id280936f7a19d6730a8267299741eb4bac65aaa2
Change-Id: Icc92767db4e0feafe8000d9aac8e77984562eb9e
<protoc.path>${env.HADOOP_PROTOC_PATH}</protoc.path> | ||
|
||
<hadoop-thirdparty.version>1.1.1</hadoop-thirdparty.version> | ||
<hadoop-thirdparty.version>1.2.0-SNAPSHOT</hadoop-thirdparty.version> |
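Review bot: the bump of hadoop-thirdparty.version from 1.1.1 to 1.2.0-SNAPSHOT is not mergeable as written: a SNAPSHOT of hadoop-shaded-protobuf_3_7 only resolves against a local or snapshot repository, which is exactly the "only going to work for local builds" caveat in the description. Before merge this needs to be pinned to the released hadoop-thirdparty version that carries the protobuf 3.21.x update, so that a clean build reproduces the fix for CVE-2021-22569 rather than silently picking up whatever snapshot is cached.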
reminder
* Protocol Buffers 3.21.1 (required to compile native code) | ||
$ wget https://github.com/protocolbuffers/protobuf/releases/download/v3.21.1/protobuf-java-3.21.1.tar.gz | ||
$ mkdir -p protobuf-3.21 && tar zxvf protobuf-java-3.21.1.tar.gz --strip-components 1 -C protobuf-3.21 | ||
$ cd protobuf-3.721 |
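Review bot: the `cd protobuf-3.721` on the last line does not match the `protobuf-3.21` directory created by the `mkdir -p` on the line before it, so anyone following these steps fails at that point; it should read `cd protobuf-3.21`. Separately, the tarball is fetched with plain `wget` and extracted with no integrity check; build instructions that compile native code from a downloaded archive should at least record the expected checksum so the builder can verify the download before running `tar`.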
Typo. Should be protobuf-3.21
yeah
@xizhu-mstr @tooptoop4 I'm not actively working on this; too many pressing issues, and after getting 3.3.5 out the door I'm catching up with the internal stuff. Either of you two want to take it on? I'd also like to get #4996 in; if anyone wants to run with that, I'd be very happy. We shouldn't need protobuf 2.5 on the CP given we aren't using it.
@steveloughran - is this a genuine CVE in
Usual ongoing protobuf issues; AFAIK none of them lethal. YMMV. I do want #4996 in so we can get protobuf 2.5 off the classpath. If you could take that up, it'd be good. That PR doesn't cut it, only makes it optional. A followup would cut it.
@steveloughran
Says 3.21.x... we should take the latest one we can which doesn't include other surprises... PR and JIRA can be set to the final version which goes in as it is merged.
Description of PR
This patch bumps up the protobuf version so that Hadoop
is not vulnerable to CVE-2021-22569.
Depends on a version of hadoop-shaded-protobuf_3_7 with the update;
this PR does this by depending on 1.2.0-SNAPSHOT...this is only going to
work for local builds.
How was this patch tested?
Non-native build on a local Mac against a local build of the thirdparty jar.
None of the docker changes/build instructions have been tested yet.