Posted to issues@hbase.apache.org by "Andrew Purtell (JIRA)" <ji...@apache.org> on 2019/02/05 17:46:00 UTC

[jira] [Comment Edited] (HBASE-21791) Upgrade thrift dependency to 0.12.0

    [ https://issues.apache.org/jira/browse/HBASE-21791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16761051#comment-16761051 ] 

Andrew Purtell edited comment on HBASE-21791 at 2/5/19 5:45 PM:
----------------------------------------------------------------

[~toffer] If you want to put this in 1.3 it needs to go into 1.4 too I'd say, no objections to that from me. There is no wire compatibility issue as far as community testing has revealed and although it has potential downstream knock-on effects I think the security concerns are more important. We made a similar trade-off when removing Bytes API methods that did unsafe object deserialization a while back.


was (Author: apurtell):
[~toffer] If you want to put this in 1.3 it needs to go into 1.4 too I'd say, no objections to that from me. There is no wire compatibility issue as far as community testing has revealed and although it has potential downstream knock-on effects I think the security concerns are more important. We made a similar trade-off when removing Byte API methods that did unsafe object deserialization a while back.

> Upgrade thrift dependency to 0.12.0
> -----------------------------------
>
>                 Key: HBASE-21791
>                 URL: https://issues.apache.org/jira/browse/HBASE-21791
>             Project: HBase
>          Issue Type: Task
>          Components: Thrift
>    Affects Versions: 3.0.0, 1.5.0, 1.3.3, 2.2.0, 1.4.9, 2.1.2, 1.2.10, 2.0.4
>            Reporter: Duo Zhang
>            Assignee: Duo Zhang
>            Priority: Blocker
>             Fix For: 3.0.0, 1.5.0, 2.2.0, 2.1.3, 2.0.5, 2.3.0
>
>         Attachments: HBASE-21791-branch-1.patch, HBASE-21791-branch-2.1.patch, HBASE-21791.patch
>
>
> As some of you may already know, there is a CVE for Thrift affecting 0.5.0 through 0.11.0.
> https://nvd.nist.gov/vuln/detail/CVE-2018-1320
> As the CVE is already public, let's upgrade our thrift dependency and release new versions ASAP.
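A quick way to audit other builds for the same exposure is to scan a Maven POM for libthrift declarations and flag versions inside the range the issue names (0.5.0 through 0.11.0). The script below is an added example, not part of the issue or of HBase's code; the POM fragment is constructed, and it resolves `${property}` versions the way HBase's build declares `thrift.version`.

```python
import re
import xml.etree.ElementTree as ET

# Range named in HBASE-21791 / CVE-2018-1320: 0.5.0 through 0.11.0 affected, 0.12.0 is the fix.
AFFECTED_MIN, AFFECTED_MAX = (0, 5, 0), (0, 11, 0)

# Constructed sample POM (not HBase's real pom.xml); the first dependency takes
# its version from a property, the second declares the fixed release directly.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><thrift.version>0.9.3</thrift.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.thrift</groupId>
      <artifactId>libthrift</artifactId><version>${thrift.version}</version></dependency>
    <dependency><groupId>org.apache.thrift</groupId>
      <artifactId>libthrift</artifactId><version>0.12.0</version></dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """Turn '0.11.0' (optionally with a qualifier such as '-SNAPSHOT') into a 3-tuple."""
    core = text.split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(version):
    """True when the version lies inside the affected range (inclusive at both ends)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def _local(tag): return tag.rsplit("}", 1)[-1]  # drop the xmlns prefix ElementTree adds

def find_thrift_deps(pom_xml):
    """Return [(resolved_version, affected)] for every libthrift dependency in a POM string."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for el in root.iter() if _local(el.tag) == "properties" for p in el}
    results = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if (fields.get("groupId"), fields.get("artifactId")) != ("org.apache.thrift", "libthrift"):
            continue
        version = fields.get("version", "")
        if version.startswith("${"):
            version = props.get(version[2:-1], version)  # resolve ${property}, else leave as-is
        affected = is_affected(version) if re.match(r"\d", version) else None  # None: unresolved
        results.append((version, affected))
    return results
```

Run `find_thrift_deps(SAMPLE_POM)` to get `[("0.9.3", True), ("0.12.0", False)]`; a version that cannot be resolved from the POM's own properties comes back with `None` so it can be checked by hand.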



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)