HIVE-25824: Upgrade log4j dependencies to 2.17.0 #2908
This change should mimic what was done in the 3.x and master branches to fix the various CVEs related to log4j. The Apache Bigtop project used the same patch on top of 2.3.6 (released with Bigtop 1.5) and all our build/smoke-tests passed.
If anybody could help/chime in I'd be grateful. I think that the errors pointed out above are unrelated to my change (not sure about the one that Travis is complaining about, though). Edit: I verified and the above test leads to the same failure even without my commit.
@elukey yes,
@sunchao how should we proceed with this pull request?
Sorry for the late reply @elukey! It seems the CI run failed due to timeout. Let me re-trigger it first.
LGTM. I checked the test results and all the failures are known ones.
Merged to branch-2.3, thanks @elukey!
@sunchao thanks a lot for your support! Is there any chance to get a new release in the future?
@elukey yes I'll try to start a new release for branch-2.3 soon, perhaps in a few weeks.
@sunchao any updates on when a 3.x branch update might be released? Seems the last release was July 2020, and with the log4j vulnerability it seems it would be a high priority fix to publish a new version for.
@Gingernaut I believe Naveen is planning to make a 3.x release soon. You can subscribe to https://issues.apache.org/jira/browse/HIVE-25855 for the latest update.
When checking the version of hive, it's still showing 2.3.6.
Any ideas?
What changes were proposed in this pull request?
This change should mimic what was done in the 3.x and master branches to fix the various CVEs related to log4j.
How was this patch tested?
The Apache Bigtop project used the same patch on top of 2.3.6 (released with Bigtop 1.5) and all our build/smoke-tests passed.
More info: apache/bigtop#844