hemanthumashankar0511 commented on PR #6401: URL: https://github.com/apache/hive/pull/6401#issuecomment-4198405367
@deniskuzZ Thanks for the detailed review, and apologies for the PR. After taking a closer look at CVE-2025-41249, I realize I should have validated its applicability before proposing the upgrade.

From what I can see now, this CVE affects applications using Spring Security method-level authorization, which Hive does not use. So the vulnerable code path is not exercised here.

Also, upgrading to Spring 6.x introduces a required migration from javax.* to jakarta.* across the stack (servlet APIs, Jetty, transitive deps, etc.). As this PR shows, doing this partially leads to incompatibilities. We'll look at this after the javax-to-jakarta migration.

Thanks again for the feedback.
