[ https://issues.apache.org/jira/browse/HADOOP-19315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17892421#comment-17892421 ]

ASF GitHub Bot commented on HADOOP-19315:
-----------------------------------------

pjfanning commented on PR #7128:
URL: https://github.com/apache/hadoop/pull/7128#issuecomment-2434854078

   @steveloughran I can see why Avro needs this packages property but the 
implementation makes things difficult for Hadoop. One option would be for the 
Hadoop code to set the property itself. It could reset the property, taking the 
existing value and appending the necessary Hadoop packages.
   
   If the property is empty, we would need to add the default setting too if we 
were to add some of our own. The default applied is:
   
https://github.com/apache/avro/blob/main/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java#L41




> Bump avro from 1.9.2 to 1.11.4
> ------------------------------
>
>                 Key: HADOOP-19315
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19315
>             Project: Hadoop Common
>          Issue Type: Task
>          Components: build
>    Affects Versions: 3.4.0, 3.4.1
>            Reporter: Dominik Diedrich
>            Priority: Major
>              Labels: pull-request-available
>
> We should bump the avro version in the hadoop-project pom.xml from 1.9.2 to 
> 1.11.4 in order to fix the following CVEs:
> * [CVE-2024-47561|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47561]
> * [CVE-2023-39410|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39410]
> I already fixed it locally and can create a PR for that.
> A few classes need to be adjusted, because avro introduced new getter, setter 
> methods for some member variables which are now private.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
