[ https://issues.apache.org/jira/browse/KUDU-3626?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Peter Lee updated KUDU-3626:
----------------------------
    Description:
Hi dear Kudu team, thank you for your great work in Kudu.

I noticed that Kudu is still depending on Thrift 0.11.0, which is affected by some vulnerabilities, such as CVE-2018-1320, CVE-2019-0210, and CVE-2019-0205. Maybe we could bump Thrift to a newer version without vulnerabilities, like 0.20.0.

Besides this, there are some other dependencies with vulnerabilities, like Apache Hadoop, postgresql, protobuf, and yaml-cpp. It will be appreciated if you can also bump their versions.

  was:
Hi dear Kudu team, thank you for your great work in Kudu.

I noticed that Kudu is still depending on Thrift 0.11.0, which is affected by some vulnerabilities, such as CVE-2018-1320, CVE-2019-0210, and CVE-2019-0205. Maybe we could upgrade Thrift to a newer version without vulnerabilities, like 0.20.0.

Besides this, there are some other dependencies with vulnerabilities, like Apache Hadoop, postgresql, protobuf, and yaml-cpp. It will be appreciated if you can also upgrade their versions.

> The dependency version of Thrift needs to be updated
> ----------------------------------------------------
>
>                 Key: KUDU-3626
>                 URL: https://issues.apache.org/jira/browse/KUDU-3626
>             Project: Kudu
>          Issue Type: Improvement
>            Reporter: Peter Lee
>            Priority: Major
>
> Hi dear Kudu team, thank you for your great work in Kudu.
> I noticed that Kudu is still depending on Thrift 0.11.0, which is affected by
> some vulnerabilities, such as CVE-2018-1320, CVE-2019-0210, and
> CVE-2019-0205. Maybe we could bump Thrift to a newer version without
> vulnerabilities, like 0.20.0.
> Besides this, there are some other dependencies with vulnerabilities, like
> Apache Hadoop, postgresql, protobuf, and yaml-cpp. It will be appreciated if
> you can also bump their versions.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)