Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/23370 )

Change subject: [java] Upgrade slf4j dependency to 2.0.13

Patch Set 1:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/23370/1//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/23370/1//COMMIT_MSG@9
PS1, Line 9: org.slf4j:slf4j-api dependency due to CVE-2018-8088
> Also, even if updating the slf4j package, why not to update to the latest
> available version in the 1.x line (e.g., 1.7.36)?

Ah, the slf4j package is already of 1.7.36 version in Kudu deps :)

And it's well known that CVE-2018-8088 in slf4j-ext has been addressed in 1.7.26, so 1.7.36 does contain the fix as well and isn't vulnerable.

https://www.cve.org/CVERecord?id=CVE-2018-8088
https://jira.qos.ch/browse/SLF4J-431
https://jira.qos.ch/browse/SLF4J-455
https://github.com/qos-ch/slf4j/commit/d2b27fba88e983f921558da27fc29b5f5d269405
https://github.com/qos-ch/reload4j/issues/10

--
To view, visit http://gerrit.cloudera.org:8080/23370
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I58a4fc3615c7dbb8d10393bbc536d77dfaf68e47
Gerrit-Change-Number: 23370
Gerrit-PatchSet: 1
Gerrit-Owner: Zoltan Chovan <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Thu, 04 Sep 2025 19:28:17 +0000
Gerrit-HasComments: Yes
