@shub-est

Description of PR

Upgraded GCS from 2.52.0 to 2.62.0 to remediate GHSA-prj3-ccx8-p6x4
Upgraded Guava and Protobuf Java to avoid conflict

How was this patch tested?

Local build

For code changes:

  • Does the title of this PR start with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
  • If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

AI Tooling

N/A

@shub-est changed the title from "Fix/gcs upgrade" to "HADOOP-19791: Upgraded GCS to remediate CVE-2025-55163" on Jan 27, 2026
@steveloughran
Contributor

aah, this is a PITA. Can you also do a PR for hadoop-thirdparty for its updates, so it can be done broadly and that LICENSE-binary file is consistent

@pjfanning
Member

If you are going to update guava and protobuf everywhere, this PR should update the project/pom.xml to update the guava.version and hadoop.protobuf.version. 3.25.5 appears in many places in the txt files that act as build instructions. Presumably they need to be upgraded too.

@pjfanning
Member

And

<grpc.version>1.69.0</grpc.version>
-- this is another module that uses grpc - shouldn't that have its grpc.version upgraded too to match what is being updated for the gcp module?

@shub-est
Author

Hi @steveloughran @pjfanning, thank you for reviewing the PR.

Is it okay to use this PR and ticket to upgrade the Protobuf Java and Guava across the entire project while also removing the CVE?

Alternatively, I can create a separate PR just upgrading Protobuf and Guava across the entire project.

Appreciate your guidance here, thanks
