[
https://issues.apache.org/jira/browse/HIVE-28438?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
tanishqchugh updated HIVE-28438:
--------------------------------
Summary: Remove commons-pool2 as an explicit dependency & upgrade
commons-dbcp2 to 2.12.0 (was: Upgrade commons-dbcp2 and commons-pool2 to
2.12.0 to fix CVEs)
> Remove commons-pool2 as an explicit dependency & upgrade commons-dbcp2 to
> 2.12.0
> --------------------------------------------------------------------------------
>
> Key: HIVE-28438
> URL: https://issues.apache.org/jira/browse/HIVE-28438
> Project: Hive
> Issue Type: Improvement
> Reporter: tanishqchugh
> Assignee: tanishqchugh
> Priority: Major
> Labels: pull-request-available
>
> In the master branch, currently we are using commons-dbcp2 v2.9.0 which is
> affected by following CVEs:
> [CVE-2022-45868|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45868]
> [CVE-2022-23221|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23221]
> [CVE-2021-42392|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392]
> [CVE-2021-23463|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23463]
> Also, there are two different versions (2.10.0 & 2.11.1) of commons-pool2
> across project as commons-dbcp2 v2.9.0 requires commons-pool2 v2.10.0 as a
> compile time dependency.
> Upgrading both of the dependencies to v2.12.0 to resolve the CVEs as well as
> make commons-pool2 version consistent across project to prevent any kind of
> potential conflicts.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
