Hi all, I've created a PR to address dnsjava related CVE-2024-25638 [1].
https://github.com/apache/pulsar/pull/23411 It's necessary to drop support for pulsar-io hdfs2 to get rid of the vulnerable dnsjava dependency in the whole code base. I don't expect many to be using that and users of pulsar-io hdfs2 should simply switch to use pulsar-io hdfs3. I'm suggesting that after merging PR 23411, we also apply the change at least in branch-3.3 and possibly also in branch-3.0 . Regards, -Lari 1 - https://github.com/advisories/GHSA-cfxw-4h78-h7fw
