Skip to content

HIVE-29705: Remediate critical CVEs in hive-druid-handler (HIVE-25013)#6589

Open
saihemanth-cloudera wants to merge 1 commit into
apache:masterfrom
saihemanth-cloudera:HIVE-29705
Open

HIVE-29705: Remediate critical CVEs in hive-druid-handler (HIVE-25013)#6589
saihemanth-cloudera wants to merge 1 commit into
apache:masterfrom
saihemanth-cloudera:HIVE-29705

Conversation

@saihemanth-cloudera

Copy link
Copy Markdown
Contributor

What changes were proposed in this pull request?

Replace Druid's Netty 3 HTTP client with Apache HttpClient to remove
io.netty:netty 3.x from the shaded druid-handler JAR (CVE-2019-20444).
Force patched async-http-client 2.15.0 and Jackson 2.18.8 into the shade,
bump platform Netty 4 to 4.1.133.Final, and make hive-druid-handler opt-in
via the druid-handler packaging profile so default distributions avoid
legacy transitive CVEs.

Why are the changes needed?

Avoid CVEs

Does this PR introduce any user-facing change?

No.

How was this patch tested?

Unit tests

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants