-
Notifications
You must be signed in to change notification settings - Fork 134
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Deps] Bump slf4j to 1.7.36 to fix vulnerability in slf4j-log4j12 #464
Conversation
slf4j-log4j12:1.7.25 provides transitive vulnerable dependency log4j:1.2.17 * CVE-2019-17571 9.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation * CVE-2021-4104 7.5 Deserialization of Untrusted Data vulnerability with medium severity found * CVE-2022-23302 8.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation * CVE-2022-23305 9.8 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability pending CVSS allocation * CVE-2022-23307 8.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation
Codecov Report
@@ Coverage Diff @@
## master #464 +/- ##
=========================================
Coverage 58.75% 58.75%
Complexity 1666 1666
=========================================
Files 199 199
Lines 11239 11239
Branches 1000 1000
=========================================
Hits 6604 6604
Misses 4243 4243
Partials 392 392 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
Does this mean we are getting rid of When I was working on spark code, I noticed spark still depends on |
Will it be a problem? |
if we cannot get rid of P.S: I have no objection for merging this PR. |
We can't control the Spark. We only need to guarantee that rss service don't have the danger. And Uniffle can be used for multiple frameworks. |
The problem is that if we are depending on the big data ecosystem, there might be no good way to avoid this. A quick
https://issues.apache.org/jira/browse/HADOOP-16206 https://issues.apache.org/jira/browse/HADOOP-12956 Seems that there's no good way for hadoop to get rid of log4j 1x |
But I'm in favor of merging this. Let's get rid of log4j 1.x as much as possible. |
Merged. thanks @kaijchen @zuston @advancedxy |
### What changes were proposed in this pull request? Bump slf4j to 1.7.36 to fix vulnerability in slf4j-log4j12. Btw, slf4j:1.7.36 depends on reload4j:1.2.19 instead of log4j. ### Why are the changes needed? slf4j-log4j12:1.7.25 provides transitive vulnerable dependency log4j:1.2.17 * CVE-2019-17571 9.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation * CVE-2021-4104 7.5 Deserialization of Untrusted Data vulnerability with medium severity found * CVE-2022-23302 8.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation * CVE-2022-23305 9.8 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability pending CVSS allocation * CVE-2022-23307 8.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? No need.
What changes were proposed in this pull request?
Bump slf4j to 1.7.36 to fix vulnerability in slf4j-log4j12.
Btw, slf4j:1.7.36 depends on reload4j:1.2.19 instead of log4j.
Why are the changes needed?
slf4j-log4j12:1.7.25 provides transitive vulnerable dependency log4j:1.2.17
Does this PR introduce any user-facing change?
No.
How was this patch tested?
No need.