Posted to issues@hbase.apache.org by "Andrew Kyle Purtell (Jira)" <ji...@apache.org> on 2022/04/02 18:51:00 UTC

[jira] [Comment Edited] (HBASE-26894) Use new hbase-thirdparty and jackson 2.13.2.1 due to CVE-2020-36518

    [ https://issues.apache.org/jira/browse/HBASE-26894?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17516367#comment-17516367 ] 

Andrew Kyle Purtell edited comment on HBASE-26894 at 4/2/22 6:50 PM:
---------------------------------------------------------------------

Denial of service attack is important to fix but not Critical IMHO. It would be more of an issue for us if we had XML parsing over untrusted user input as a consideration. Except for the REST gateway, I don't think we do. (I should audit that...) Reducing priority to default. We should definitely fix it, though. Change it back if you disagree.


was (Author: apurtell):
Denial of service attack is important to fix but not Critical IMHO. Reducing priority to default. We should definitely fix it, though. Change it back if you disagree.

> Use new hbase-thirdparty and jackson 2.13.2.1 due to CVE-2020-36518
> -------------------------------------------------------------------
>
>                 Key: HBASE-26894
>                 URL: https://issues.apache.org/jira/browse/HBASE-26894
>             Project: HBase
>          Issue Type: Task
>          Components: dependencies
>            Reporter: Duo Zhang
>            Priority: Major
>
> https://github.com/FasterXML/jackson-databind/issues/2816



--
This message was sent by Atlassian Jira
(v8.20.1#820001)