[jira] [Created] (HIVE-28438) Upgrade commons-dbcp2 and commons-pool2 to 2.12.0 to fix CVEs

tanishqchugh (Jira) Tue, 06 Aug 2024 06:31:21 -0700

tanishqchugh created HIVE-28438:
-----------------------------------

             Summary: Upgrade commons-dbcp2 and commons-pool2 to 2.12.0 to fix 
CVEs
                 Key: HIVE-28438
                 URL: https://issues.apache.org/jira/browse/HIVE-28438
             Project: Hive
          Issue Type: Improvement
            Reporter: tanishqchugh
            Assignee: tanishqchugh



In the master branch, currently we are using commons-dbcp2 v2.9.0 which is 
affected by following CVEs:
[CVE-2022-45868|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45868]
[CVE-2022-23221|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23221]
[CVE-2021-42392|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392]
[CVE-2021-23463|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23463]

Also, there are two different versions (2.10.0 & 2.11.1) of commons-pool2 
across project as commons-dbcp2 v2.9.0 requires commons-pool2 v2.10.0 as a 
compile time dependency. 
Upgrading both of the dependencies to v2.12.0 to resolve the CVEs as well as 
make commons-pool2 version consistent across project to prevent any kind of 
potential conflicts.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (HIVE-28438) Upgrade commons-dbcp2 and commons-pool2 to 2.12.0 to fix CVEs

Reply via email to