Conversation

@ramitg254
Contributor

@ramitg254 ramitg254 commented Dec 29, 2025

What changes were proposed in this pull request?

commons-lang3 upgraded to 3.20.0

Why are the changes needed?

It fixes CVE-2025-48924

Does this PR introduce any user-facing change?

No

How was this patch tested?

Built locally and CI tests.

@ramitg254
Contributor Author

ramitg254 commented Dec 29, 2025

dependency-tree.txt

@ramitg254 ramitg254 force-pushed the commons-lang-upgrade branch from c382c90 to 2b74140 Compare December 29, 2025 06:36
@ramitg254 ramitg254 changed the title HIVE-29387:upgrade commons-lang3 to 3.20.x to fix CVE-2025-48924 [WIP]HIVE-29387:upgrade commons-lang3 to 3.20.x to fix CVE-2025-48924 Dec 29, 2025
@ramitg254 ramitg254 changed the title [WIP]HIVE-29387:upgrade commons-lang3 to 3.20.x to fix CVE-2025-48924 HIVE-29387:upgrade commons-lang3 to 3.20.x to fix CVE-2025-48924 Dec 30, 2025
Member

@ayushtkn ayushtkn left a comment

@ramitg254 can you check if there are other versions getting packaged as well

+- commons-lang:commons-lang:jar:2.6:compile

I think hadoop & tez are pulling in other versions

@ramitg254 ramitg254 force-pushed the commons-lang-upgrade branch from 2b74140 to b83242a Compare January 6, 2026 10:35
@ramitg254 ramitg254 changed the title HIVE-29387:upgrade commons-lang3 to 3.20.x to fix CVE-2025-48924 [WIP]HIVE-29387:upgrade commons-lang3 to 3.20.x to fix CVE-2025-48924 Jan 6, 2026
@ramitg254
Contributor Author

ramitg254 commented Jan 6, 2026

@ramitg254 can you check if there are other versions getting packaged as well

+- commons-lang:commons-lang:jar:2.6:compile

I think hadoop & tez are pulling in other versions

This PR only addresses the dependency org.apache.commons:commons-lang3:jar, as currently we have two different versions of it: 3.14.0 in the pom and 3.17.0, which comes from hadoop, and which I am enforcing to 3.20.0 in this PR.

But since you mentioned commons-lang:commons-lang:jar, it can't be addressed from the hive side, as these are v2 versions of commons-lang with the classpath pattern org/apache/commons/lang/*, which are used by the underlying tez and hadoop classes, whereas commons-lang3 has the pattern org/apache/commons/lang3/*, and these v2 jars need to be brought in transitively;
changing them to commons-lang3 needs to be addressed in the tez and hadoop classes.
So I am only addressing the upgrade that is possible from the hive side, as per my understanding.

@ramitg254 ramitg254 changed the title [WIP]HIVE-29387:upgrade commons-lang3 to 3.20.x to fix CVE-2025-48924 HIVE-29387:upgrade commons-lang3 to 3.20.x to fix CVE-2025-48924 Jan 6, 2026
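
The reviewer's question above (are other versions of commons-lang still being packaged?) and the author's reply (one version of commons-lang3 enforced, commons-lang 2.x left alone because it is a different artifact) both come down to reading a `mvn dependency:tree` dump. The script below is an added example, not part of this PR or of Hive; it pulls every resolved commons-lang / commons-lang3 coordinate out of such a dump, lists the distinct versions per artifact, and fails if more than one commons-lang3 version resolves anywhere in the reactor. The two trees embedded in it are constructed sample output (module names, hadoop and tez versions are placeholders, not taken from the PR's dependency-tree.txt); function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Hive PR): audit a `mvn dependency:tree` dump for
# commons-lang artifacts. Works on plain and -Dverbose output: verbose lines that
# say "omitted for conflict/duplicate" are dropped because those versions never
# reach the classpath, while "(version managed from X)" lines keep the resolved
# version and are counted.

# Print "groupId:artifactId version" for each distinct resolved commons-lang
# coordinate found on stdin. Handles an optional classifier (group:artifact:jar:classifier:version).
lang_versions() {
    grep -v 'omitted for' \
    | grep -oE '(org\.apache\.commons:commons-lang3|commons-lang:commons-lang):jar(:[^: ()]+)?:[0-9][^: ()]*' \
    | awk -F: '{ print $1 ":" $2, $NF }' \
    | sort -u
}

# Print only the distinct versions of org.apache.commons:commons-lang3 on stdin.
distinct_lang3_versions() {
    lang_versions | awk '$1 == "org.apache.commons:commons-lang3" { print $2 }'
}

# Succeed only if exactly one commons-lang3 version resolves across the dump.
# commons-lang:commons-lang (2.x, package org/apache/commons/lang/) is a different
# artifact and is reported but not counted here.
check_single_lang3() {
    n=$(distinct_lang3_versions | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# Constructed sample: a two-module reactor before the upgrade, where one module
# resolves the pom's 3.14.0 and the other the 3.17.0 pulled in by hadoop.
BEFORE_TREE='[INFO] com.example:example-core:jar:1.0
[INFO] +- org.apache.commons:commons-lang3:jar:3.14.0:compile
[INFO] \- org.apache.hadoop:hadoop-common:jar:3.4.1:compile
[INFO]    \- commons-lang:commons-lang:jar:2.6:compile
[INFO] com.example:example-exec:jar:1.0
[INFO] +- org.apache.hadoop:hadoop-common:jar:3.4.1:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.17.0:compile
[INFO] |  \- commons-lang:commons-lang:jar:2.6:compile
[INFO] \- org.apache.tez:tez-api:jar:0.10.5:compile'

# Constructed sample: the same reactor after pinning 3.20.0 in dependencyManagement,
# dumped with -Dverbose so the managed and omitted versions are visible.
AFTER_TREE='[INFO] com.example:example-core:jar:1.0
[INFO] +- org.apache.commons:commons-lang3:jar:3.20.0:compile
[INFO] \- org.apache.hadoop:hadoop-common:jar:3.4.1:compile
[INFO]    \- commons-lang:commons-lang:jar:2.6:compile
[INFO] com.example:example-exec:jar:1.0
[INFO] +- org.apache.hadoop:hadoop-common:jar:3.4.1:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.20.0:compile (version managed from 3.17.0)
[INFO] |  \- commons-lang:commons-lang:jar:2.6:compile
[INFO] \- org.apache.tez:tez-api:jar:0.10.5:compile
[INFO]    \- (org.apache.commons:commons-lang3:jar:3.17.0:compile - omitted for conflict with 3.20.0)'

# Stand-alone demo: report both trees. The "before" tree fails, the "after" tree passes
# while still listing commons-lang 2.6, which this upgrade cannot remove.
for tree in "$BEFORE_TREE" "$AFTER_TREE"; do
    printf '%s\n' "$tree" | lang_versions
    if printf '%s\n' "$tree" | check_single_lang3; then
        echo "OK: a single commons-lang3 version resolves"
    else
        echo "FAIL: more than one commons-lang3 version resolves"
    fi
    echo
done
```

To use it on a real build, run `mvn dependency:tree -Dverbose > dependency-tree.txt` at the reactor root and feed that file to `check_single_lang3` via stdin. The distinction the script draws is the one that matters for the CVE fix: only versions that actually resolve (including "version managed from" lines) end up in the packaged lib directory, whereas "omitted for conflict" entries do not, so a verbose dump is safe to audit as long as omitted lines are filtered out.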
@sonarqubecloud

sonarqubecloud bot commented Jan 6, 2026

3 participants