Current builds of Apache Druid in versions 25.0.0, 26.0.0, and the newest snapshot are using the Ranger dependency in version 2.0.0. This, however, has a transient dependency on log4j 1.27, which is extremely vulnerable.
The presence of log4j 1.x raises vulnerability alerts in automatic builds in one of our clients.
There is an inactive issue with a similar problem #9629, but we created this issue as we only want to update the Ranger extension.
We already created a fork of the extension in our repo for Druid 25.0.0 and 26.0.0. We would like to contribute this change to the Druid source directly for all new versions of Druid.
There may be a problem as the new Ranger dependency is heavy. It depends on an Amazon library with a jar size of 200 MB. Looking at this issue #11125 it may be a problem.