SDK 2.3.5 brings a vulnerable version of Hadoop libraries
Closed this issue · 4 comments
Hey folks, thanks for your great work on this!
Recently, we added a component for Milvus on Apache Camel 4.5.0, released just a few weeks ago.
Yesterday we tried bumping the SDK dependency from 2.3.4, but we noticed that 2.3.5 brings an older version of the Hadoop client (2.7.0) that is vulnerable to multiple CVEs - I believe this came as part of the bulk writer feature.
Please, would it be possible to upgrade to a newer version of Hadoop that is not vulnerable?
Hello, I have noticed this issue. I will confirm the impact of the upgrade to ensure there is no conflict with existing dependencies.
Thank you!!!
Milvus SDK Java versions 2.3.6 & 2.4.0 have been released; you can upgrade to the corresponding versions. Thank you for your usage.