milvus-io/milvus-sdk-java

SDK 2.3.5 brings a vulnerable version of hadoop libraries

Closed this issue · 4 comments

Hey folks, thanks for your great work on this!

Recently, we added a component for Milvus on Apache Camel 4.5.0, released just a few weeks ago.

Yesterday we tried bumping the SDK dependency from 2.3.4, but we noticed that 2.3.5 brings an older version of the Hadoop client (2.7.0) that is vulnerable to multiple CVEs - I believe this came as part of the bulk writer feature.

Please, would it be possible to upgrade to a newer version of Hadoop that is not vulnerable?

Hello, I have noticed this issue. I will confirm the impact of the upgrade to ensure there is no conflict with existing dependencies.

Has been done:
#854
#853

Thank you!!!

Milvus SDK Java versions 2.3.6 & 2.4.0 have been released; you can upgrade to the corresponding versions. Thank you for your usage.