[ https://issues.apache.org/jira/browse/KUDU-3626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17903043#comment-17903043 ]

ASF subversion and git services commented on KUDU-3626:
-------------------------------------------------------

Commit f2a6be7a44e3c395c240f982ce7b2a193410cb9b in kudu's branch 
refs/heads/master from Abhishek Chennaka
[ https://gitbox.apache.org/repos/asf?p=kudu.git;h=f2a6be7a4 ]

[thirdparty] KUDU-3626: Upgrade Apache Thrift to version 0.21.0

To address CVEs like CVE-2018-1320, CVE-2019-0210 and CVE-2019-0205
in the current Apache Thrift version 0.11.0 we are upgrading to version
0.21.0. We initially considered using version 0.16.0 as Hive
uses it. But due to the reported issues[1][2] and no significant
changes between 0.16.0 and 0.21.0 which can potentially break Kudu, we
think we can upgrade to 0.21.0 directly, hence being more future-proof.

Thanks to Alexey Serbin for valuable inputs for this patch.

[1]https://issues.apache.org/jira/browse/THRIFT-5599
[2]https://issues.apache.org/jira/browse/THRIFT-5696

Change-Id: I44c85f5d6679895865346118759d8da379cec3d5
Reviewed-on: http://gerrit.cloudera.org:8080/22159
Tested-by: Alexey Serbin <ale...@apache.org>
Reviewed-by: Alexey Serbin <ale...@apache.org>


> The dependency version of Thrift needs to be updated
> ----------------------------------------------------
>
>                 Key: KUDU-3626
>                 URL: https://issues.apache.org/jira/browse/KUDU-3626
>             Project: Kudu
>          Issue Type: Improvement
>            Reporter: Peter Lee
>            Priority: Major
>
> Hi dear Kudu team, thank you for your great work in Kudu.
> I noticed that Kudu is still depending on Thrift 0.11.0, which is affected by 
> some vulnerabilities, such as CVE-2018-1320, CVE-2019-0210, and 
> CVE-2019-0205. Maybe we could bump Thrift to a newer version without 
> vulnerabilities, like 0.20.0.
> Besides this, there are some other dependencies with vulnerabilities, like 
> Apache Hadoop, postgresql, protobuf, and yaml-cpp. It will be appreciated if 
> you can also bump their versions.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)