[ https://issues.apache.org/jira/browse/HADOOP-16451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16892346#comment-16892346 ]

Duo Zhang commented on HADOOP-16451:
------------------------------------

My 2 cents:

1. It is fine to officially say that a release line is EOL. For HBase we will 
drop the support for legacy releases while releasing a new minor release.
2. It is still more friendly to make more 2.8.x and 2.7.x releases due to CVEs, 
so for the current release lines, we could still benefit, as in general, at 
least for HBase, we cannot drop an entire Hadoop release line support in a new 
patch release, i.e., if 2.2.0 has the support for 2.8.x, if we make a new 2.8.6 
release, we will drop the support for 2.8.[1-5], due to the CVEs, and only 
support 2.8.6. But if we do not make any new releases for 2.8.x, we probably 
could only stay on 2.8.5 then...

Thanks.

> Update jackson-databind to 2.9.9.1
> ----------------------------------
>
>                 Key: HADOOP-16451
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16451
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Wei-Chiu Chuang
>            Assignee: Siyao Meng
>            Priority: Major
>             Fix For: 3.3.0
>
>         Attachments: HADOOP-16451.001.patch, HADOOP-16451.002.patch
>
>
> https://nvd.nist.gov/vuln/detail/CVE-2019-12814
> CVE-2019-12814 flags 2.9.9 as vulnerable. A new version 2.9.9.1 is available.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
