We should react to all CVEs if we’re going to. Fine to start now.
> On Oct 22, 2018, at 6:50 PM, Sean Busbey <[email protected]> wrote:
>
> Has the Hadoop PMC put out a public notice on the impact of that CVE yet?
> Specifically have they stated what versions are vulnerable? Are we flagging
> all versions impacted by it as "HBase says keep away"?
>
> Is there some reason this particular CVE especially impacts users of HBase?
> I presume not since we're talking about this on dev@ and in JIRA instead of
> on private@.
>
> Why are we reacting to this CVE when we don't seem to react to any other
> Hadoop CVEs? Or is this the start of a change wrt that?
>
> What about other dependencies with open CVEs?
>
>> On Mon, Oct 22, 2018, 20:33 张铎(Duo Zhang) <[email protected]> wrote:
>>
>> See here:
>>
>> https://access.redhat.com/security/cve/cve-2018-8009
>>
>> All 2.7.x releases before 2.7.7 have the problem. And for 2.6.x, the hadoop
>> team seems to have dropped support, as there has been no release for about two years, so
>> either we keep the original supported versions, or we just drop the support
>> for the 2.6.x release line.
>>
>> Zach York <[email protected]> wrote on Tue, Oct 23, 2018 at 8:51 AM:
>>
>>> What is the main reason for the change? Build time speedup?
>>>
>>> Any reason for testing all of the 2.6.x line, but not the 2.7.x line? We
>>> don't check at all for 2.8.x?
>>>
>>> Can we be more consistent with how we test compatibility? (Do we only
>>> care about the latest patch release in a line?)
>>>
>>> Sorry if I'm missing some of the reasoning, but at a surface level it
>>> seems fairly arbitrary which releases we are cutting.
>>>
>>>> On Mon, Oct 22, 2018 at 5:44 PM Sean Busbey <[email protected]> wrote:
>>>>
>>>> Please leave me time to review before it is committed.
>>>>
>>>>> On Mon, Oct 22, 2018, 13:58 Stack <[email protected]> wrote:
>>>>>
>>>>> Duo has a patch up on HBASE-20970 that changes the Hadoop versions we
>>>>> check at build time. Any objections to committing to branch-2.1+?
>>>>>
>>>>> It makes the following changes:
>>>>>
>>>>> 2.6.1 2.6.2 2.6.3 2.6.4 2.6.5 2.7.1 2.7.2 2.7.3 2.7.4
>>>>>
>>>>> becomes
>>>>>
>>>>> 2.6.1 2.6.2 2.6.3 2.6.4 2.6.5 2.7.7
>>>>>
>>>>> And...
>>>>>
>>>>> 3.0.0
>>>>>
>>>>> goes to
>>>>>
>>>>> 3.0.3
>>>>>
>>>>> Shout if you are against the change else will commit tomorrow.
>>>>>
>>>>> Thanks,
>>>>> S
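The thread boils down to a version-range question: which of the Hadoop versions checked at build time fall inside the range Duo quotes for CVE-2018-8009 ("all 2.7.x releases before 2.7.7"), and does the new list still contain any of them. The following is an added example, not code from the thread or from the HBASE-20970 patch. It encodes only the range stated above (the advisory table, its tuple layout and the function names are this example's own), compares versions numerically rather than as strings so that a hypothetical 2.7.10 is not mistaken for being older than 2.7.7, and also picks the latest patch release per minor line, which is the policy Zach asks about.

```python
"""Added example: flag build-time Hadoop versions that fall inside a stated
CVE-affected range. The two version lists and the CVE-2018-8009 range come
from the HBase dev thread; everything else here is illustrative."""
from typing import Iterable

# Version lists quoted from the HBASE-20970 discussion (before -> after).
OLD_VERSIONS = "2.6.1 2.6.2 2.6.3 2.6.4 2.6.5 2.7.1 2.7.2 2.7.3 2.7.4 3.0.0".split()
NEW_VERSIONS = "2.6.1 2.6.2 2.6.3 2.6.4 2.6.5 2.7.7 3.0.3".split()

# One entry per affected minor line: (cve id, (major, minor), first fixed release).
# Only the range the thread states is encoded; this layout is an assumption.
ADVISORIES = [("CVE-2018-8009", (2, 7), (2, 7, 7))]


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '2.7.7' into (2, 7, 7) so that versions compare numerically.

    A plain string comparison would order '2.7.10' before '2.7.7'.
    """
    parts = v.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {v!r}")
    return tuple(int(p) for p in parts)


def affected_by(version: str) -> list[str]:
    """Return the ids of advisories whose stated range covers this version."""
    ver = parse_version(version)
    hits = []
    for cve_id, line, fixed_in in ADVISORIES:
        # Same major.minor line and strictly older than the first fixed release.
        if ver[:2] == line and ver < fixed_in:
            hits.append(cve_id)
    return hits


def flag_versions(versions: Iterable[str]) -> dict[str, list[str]]:
    """Map each version matching at least one advisory to its advisory ids."""
    result: dict[str, list[str]] = {}
    for v in versions:
        hits = affected_by(v)
        if hits:
            result[v] = hits
    return result


def latest_patch_per_line(versions: Iterable[str]) -> dict[tuple[int, int], str]:
    """Highest patch release in each major.minor line.

    One way to answer "do we only care about the latest patch release in a
    line?": test exactly this set.
    """
    best: dict[tuple[int, int], str] = {}
    for v in versions:
        ver = parse_version(v)
        line = (ver[0], ver[1])
        if line not in best or ver > parse_version(best[line]):
            best[line] = v
    return best


if __name__ == "__main__":
    print("old list, affected:", flag_versions(OLD_VERSIONS))
    print("new list, affected:", flag_versions(NEW_VERSIONS))
    print("latest patch per line (new):", latest_patch_per_line(NEW_VERSIONS))
```

Run as-is it reports 2.7.1 through 2.7.4 from the old list as affected and nothing from the new list; adding a row to ADVISORIES for another dependency range is all it takes to make the same check answer Sean's "what about other dependencies with open CVEs?" question for the build.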
