[jira] [Commented] (HADOOP-19315) Bump avro from 1.9.2 to 1.11.4

[ASF GitHub Bot (Jira)]

    [ 
https://issues.apache.org/jira/browse/HADOOP-19315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17896951#comment-17896951
 ] 

ASF GitHub Bot commented on HADOOP-19315:
-----------------------------------------

pjfanning commented on PR #7128:
URL: https://github.com/apache/hadoop/pull/7128#issuecomment-2466441399

   > Here's my draft Commit Message
   > 
   > We need to highlight it is not backwards compatibility, and include the 
CVEs to make log scanning find them.
   > 
   > Does it seem good?
   > 
   > [HADOOP-19315](https://issues.apache.org/jira/browse/HADOOP-19315). 
Upgrade Apache Avro to 1.11.4
   > 
   > * All field access is now via setter/getter methods
   > * To use Avro to marshal Serializable objects,
   >   the packages they are in must be declared in the system property
   >   "org.apache.avro.SERIALIZABLE_PACKAGES"
   > 
   > This is required to address
   > 
   > * [CVE-2024-47561](https://github.com/advisories/GHSA-r7pg-v2c8-mfg3)
   > * [CVE-2023-39410](https://github.com/advisories/GHSA-rhrv-645h-fjfh)
   > 
   > This change is not backwards compatible.
   > 
   > Contributed by Dominik Diedrich
   
   * Looks good to me. I presume that this can't be merged to Hadoop 3.4.2 due 
to the compatibility issues.
   * Should this PR update the shell scripts to set the 
org.apache.avro.SERIALIZABLE_PACKAGES system property?




> Bump avro from 1.9.2 to 1.11.4
> ------------------------------
>
>                 Key: HADOOP-19315
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19315
>             Project: Hadoop Common
>          Issue Type: Task
>          Components: build
>    Affects Versions: 3.4.0, 3.4.1
>            Reporter: Dominik Diedrich
>            Priority: Major
>              Labels: pull-request-available
>
> We should bump the avro version in the hadoop-project pom.xml from 1.9.2 to 
> 1.11.4 in order to fix following CVE's:
> * 
> [CVE-2024-47561|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47561]
> * 
> [CVE-2023-39410|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39410]
> I already fixed it locally and can create a PR for that.
> A few classes need to be adjusted, because avro introduced new getter, setter 
> methods for some member variables which are now private.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org