[ https://issues.apache.org/jira/browse/KUDU-3626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17903732#comment-17903732 ]
ASF subversion and git services commented on KUDU-3626:
-------------------------------------------------------

Commit 9a6de6f408c7af8cfaaa1f3929a2cee81c4039fe in kudu's branch refs/heads/branch-1.18.x from Abhishek Chennaka
[ https://gitbox.apache.org/repos/asf?p=kudu.git;h=9a6de6f40 ]

[thirdparty] KUDU-3626 Upgrading yaml-cpp to version 0.8.0

This addresses a few CVEs like CVE-2019-6292, CVE-2019-6285, CVE-2018-20574, CVE-2018-20573.

Change-Id: I484d09ecfcbc5d8f7581f57ae8047c15627a563f
Reviewed-on: http://gerrit.cloudera.org:8080/22163
Reviewed-by: Ashwani Raina <ara...@cloudera.com>
Tested-by: Alexey Serbin <ale...@apache.org>
Reviewed-by: Alexey Serbin <ale...@apache.org>
(cherry picked from commit 8d77101b1746b765eb3a3e567e7639ac132afa6c)
Reviewed-on: http://gerrit.cloudera.org:8080/22178
Reviewed-by: Abhishek Chennaka <achenn...@cloudera.com>

> The dependency version of Thrift needs to be updated
> ----------------------------------------------------
>
> Key: KUDU-3626
> URL: https://issues.apache.org/jira/browse/KUDU-3626
> Project: Kudu
> Issue Type: Improvement
> Reporter: Peter Lee
> Priority: Major
>
> Hi dear Kudu team, thank you for your great work in Kudu.
> I noticed that Kudu is still depending on Thrift 0.11.0, which is affected by
> some vulnerabilities, such as CVE-2018-1320, CVE-2019-0210, and
> CVE-2019-0205. Maybe we could bump Thrift to a newer version without
> vulnerabilities, like 0.20.0.
> Besides this, there are some other dependencies with vulnerabilities, like
> Apache Hadoop, postgresql, protobuf, and yaml-cpp. It will be appreciated if
> you can also bump their versions.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
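The commit above bumps one pinned third-party version and the issue asks for more such bumps; the check a practitioner wants in CI is an audit of every pinned version against a table of minimum acceptable versions. The script below is an added example written for this page, not Kudu's own tooling. It assumes pins appear as `NAME_VERSION=x.y.z` lines (the style of a thirdparty `vars.sh`; that layout is an assumption), the sample input is constructed rather than copied from Kudu, and the minimum versions are taken from this page (yaml-cpp 0.8.0 as set by the commit, Thrift 0.20.0 as the reporter proposes) as policy inputs, not as a claim about which exact releases fix which CVE. It also shows the trap that makes naive version checks pass wrongly: as strings, "0.8.0" sorts after "0.11.0".

```python
"""Audit pinned third-party dependency versions against minimum fixed versions.

Added example for KUDU-3626; not Kudu's code. Assumes pins are written as
NAME_VERSION=x.y.z (thirdparty/vars.sh style); that layout is an assumption.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the assumed vars.sh layout (not copied from Kudu).
# Thrift is pinned at 0.11.0 as the issue reports; yaml-cpp at 0.8.0 as the commit sets.
SAMPLE_VARS_SH = """\
# third-party dependency pins (constructed sample)
THRIFT_VERSION=0.11.0
THRIFT_NAME=thrift-$THRIFT_VERSION
YAML_VERSION=0.8.0
YAML_NAME=yaml-cpp-$YAML_VERSION
PROTOBUF_VERSION=3.17.3
"""

# Policy table: minimum version per pin name, plus the CVE IDs the page associates
# with older versions. Assumed values taken from the page, not from an advisory DB.
MINIMUM_VERSIONS: Dict[str, Tuple[str, List[str]]] = {
    "THRIFT": ("0.20.0", ["CVE-2018-1320", "CVE-2019-0210", "CVE-2019-0205"]),
    "YAML": ("0.8.0", ["CVE-2019-6292", "CVE-2019-6285",
                       "CVE-2018-20574", "CVE-2018-20573"]),
}

# Only NAME_VERSION=... lines are pins; NAME_NAME=... lines reference them and are skipped.
_PIN_RE = re.compile(r"^([A-Z0-9_]+)_VERSION=([0-9][0-9A-Za-z.\-]*)\s*$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric tuple so that 0.8.0 < 0.11.0; plain string comparison gets this wrong."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_pins(text: str) -> Dict[str, str]:
    """Map pin name (e.g. THRIFT) to its pinned version string."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        match = _PIN_RE.match(line.strip())
        if match:
            pins[match.group(1)] = match.group(2)
    return pins


def audit(pins: Dict[str, str],
          minimums: Dict[str, Tuple[str, List[str]]]) -> List[dict]:
    """Compare each policy entry against the pins; a missing pin is reported, not ignored."""
    findings: List[dict] = []
    for name, (min_version, cves) in minimums.items():
        pinned = pins.get(name)
        if pinned is None:
            findings.append({"dep": name, "pinned": None, "minimum": min_version,
                             "status": "missing", "cves": cves})
            continue
        ok = parse_version(pinned) >= parse_version(min_version)
        findings.append({"dep": name, "pinned": pinned, "minimum": min_version,
                         "status": "ok" if ok else "outdated",
                         "cves": [] if ok else cves})
    return findings


def has_failures(findings: List[dict]) -> bool:
    """True when any dependency is outdated or unpinned; use as a CI gate."""
    return any(f["status"] != "ok" for f in findings)


if __name__ == "__main__":
    results = audit(parse_pins(SAMPLE_VARS_SH), MINIMUM_VERSIONS)
    for f in results:
        print(f"{f['dep']:8} pinned={f['pinned']!s:8} min={f['minimum']:8} "
              f"{f['status']} {' '.join(f['cves'])}")
    raise SystemExit(1 if has_failures(results) else 0)
```

Run against the real pin file by replacing `SAMPLE_VARS_SH` with the file's contents; the non-zero exit on any "outdated" or "missing" entry is what makes it usable as a pre-merge gate.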