jackson-databind:2.9.4 comes from Calcite avatica:1.12.0 shaded jar:
https://mvnrepository.com/artifact/org.apache.calcite.avatica/avatica/1.12.0
That jar also has a reported vulnerability, CVE-2022-36364; we should try to
upgrade it.
Another one is htrace-core:3.1.0-incubating from accumulo-core:
Hi guys,
I checked for jackson-databind-2.4.0. It seems to be a transitive
dependency from htrace-core.
On Wed, Jun 19, 2024 at 8:29 PM Stamatis Zampetakis wrote:
> I am pretty sure that the old Jackson versions are shaded somewhere
> inside the jars of Hive dependencies.
I am pretty sure that the old Jackson versions are shaded somewhere
inside the jars of Hive dependencies. We probably need to inspect the
contents of our binary distribution of Hive 4.0.0 and take corrective
actions if needed.
Best,
Stamatis
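One way to do the inspection Stamatis suggests: walk the unpacked binary distribution, open every jar, and look for jackson-databind both by its Maven marker file (META-INF/maven/.../pom.properties, which the shade plugin keeps by default) and by the relocated class path, recursing into jar-in-jar bundles. This is an added example for this thread, not Hive's own tooling; the sample jars it builds are constructed in memory and are not real Hive or avatica artifacts.

```python
"""Hunt for old jackson-databind copies in a Hive binary distribution,
including copies shaded or nested inside other jars.
Added example for this thread; it is not Hive's own tooling."""
import io
import os
import re
import sys
import zipfile

# Marker file that the maven-shade-plugin keeps by default, so a shaded
# copy still reports its original version here.
POM_PROPS = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
# Relocated classes keep the original package tail, e.g.
# org/apache/hive/shaded/com/fasterxml/jackson/databind/ObjectMapper.class
OBJECT_MAPPER = "com/fasterxml/jackson/databind/ObjectMapper.class"


def parse_version(v):
    """'2.9.10.8' -> (2, 9, 10, 8); non-numeric suffixes are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_older(found, floor):
    return parse_version(found) < parse_version(floor)


def _version_from_props(data):
    for line in data.decode("utf-8", errors="replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_jar_bytes(jar_bytes, label):
    """Return [(label, version)] for every jackson-databind copy found in
    this jar or in jars nested inside it ('unknown' if only classes are seen)."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(jar_bytes))
    except zipfile.BadZipFile:
        return hits
    version, has_classes = None, False
    with zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                version = _version_from_props(zf.read(name))
            elif name.endswith(OBJECT_MAPPER):
                has_classes = True
            elif name.endswith(".jar"):
                # jar-in-jar: scan the nested archive with a composite label
                hits.extend(scan_jar_bytes(zf.read(name), label + "!" + name))
    if version is not None or has_classes:
        hits.append((label, version or "unknown"))
    return hits


def scan_distribution(root):
    """Walk an unpacked distribution (e.g. apache-hive-4.0.0-bin/) and scan every jar."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.endswith((".jar", ".war")):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    hits.extend(scan_jar_bytes(fh.read(), path))
    return hits


def classify(hits, floor="2.16.1"):
    """Tag each hit OUTDATED / OK / UNKNOWN relative to the version Hive declares."""
    out = []
    for label, ver in hits:
        if ver == "unknown":
            status = "UNKNOWN"
        else:
            status = "OUTDATED" if is_older(ver, floor) else "OK"
        out.append((label, ver, status))
    return out


# --- constructed samples (not real Hive artifacts) ---------------------------
def build_sample_shaded_jar(version):
    """A jar that shades jackson-databind under a relocated package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "version=%s\ngroupId=com.fasterxml.jackson.core\n" % version)
        zf.writestr("org/example/shaded/" + OBJECT_MAPPER, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_fat_jar(inner_jar, inner_name):
    """A jar-in-jar bundle wrapping another jar, as some fat jars do."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_jar)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = scan_distribution(sys.argv[1])
    else:
        fat = build_sample_fat_jar(build_sample_shaded_jar("2.9.4"), "lib/avatica.jar")
        found = scan_jar_bytes(fat, "sample-fat.jar")
    for label, ver, status in classify(found):
        print(status, ver, label)
```

Run it against the unpacked tarball (python scan.py apache-hive-4.0.0-bin) and every OUTDATED or UNKNOWN line points at a jar to either upgrade or rebuild; a copy that was relocated but whose pom.properties was filtered out shows as UNKNOWN, which is still worth a manual look.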
On Wed, Jun 19, 2024 at 4:35 PM Denys Kuzmenko wrote:
Hi Sreek,
Oh, thanks! Ideally the docker image should be built from Hive-4.0 branch artifacts
via the GH action. Let me check, I just hope it wasn't manually uploaded
Thanks
Regards
Sreek
From: Denys Kuzmenko
Sent: Wednesday, June 19, 2024 6:06 PM
To: dev@hive.apache.org
Subject: Re: apache/hive security vulnerabilities.
Hi,
Hive-4.0 uses jackson-databind version 2.16.1. I don't see any CVEs reported in
maven central for that artifact:
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.16.1
    <dependency>
      <groupId>com.fasterxml.jackson</groupId>
      <artifactId>jackson-bom</artifactId>
      <version>2.16.1</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>