In the upcoming 2.5.7RC0 you will notice in the compatibility report an
impact due to a recent upgrade of our ZooKeeper dependencies to deal with a
CVE issue in ZooKeeper. As 2.5 RM, I ask you to ALLOW these changes, for
these reasons:
- The ZooKeeper dependency must be upgraded because ZooKeeper reported a
CVE this year. The vulnerability relates to authentication and
authorization. The upgrade of this dependency is not an optional response.
- The compatibility impact is limited to the shaded jars we distribute for
the convenience of our downstream users. Naturally because the version of
ZooKeeper shaded into these jars changed significantly, so has the
compatibility of the included classes with earlier releases.

This is the relevant section of the report:

Problems with Data Types, High Severity  2
------------------------------
hbase-shaded-client-byo-hadoop-2.5.6.jar
package org.apache.hadoop.hbase.shaded.org.apache.zookeeper
  class ZooKeeper

hbase-shaded-client-byo-hadoop-2.5.6.jar
package org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server
  class LogFormatter

Problems with Data Types, Medium Severity  1
------------------------------
hbase-shaded-client-byo-hadoop-2.5.6.jar
package org.apache.hadoop.hbase.shaded.org.apache.zookeeper.client
  class ZKClientConfig

Problems with Methods, Low Severity  3
------------------------------
hbase-shaded-client-byo-hadoop-2.5.6.jar, ZooKeeperMain.class
package org.apache.hadoop.hbase.shaded.org.apache.zookeeper
  ZooKeeperMain.executeLine ( String line )  *:*  void
  ZooKeeperMain.main ( String[ ] args ) [static]  *:*  void
  ZooKeeperMain.processCmd ( ZooKeeperMain.MyCommandOptions co )  *:*  boolean


-- 
Best regards,
Andrew

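As an added example (not part of this mail or of the HBase project), a small parser for the compatibility report format quoted above: it groups the listed entries by severity and checks whether every affected package sits under HBase's shaded relocation prefix, which is the check a downstream user would make to confirm that only the relocated ZooKeeper classes in the convenience jar are affected. The sample input is a constructed copy of the quoted report; the prefix constant is assumed from the package names it lists.

```python
"""Parse the compatibility-report summary format quoted above, group
entries by severity, and flag whether all of them are shaded classes."""
import re
from collections import defaultdict

# Constructed sample, same shape as the report quoted in the mail.
SAMPLE_REPORT = """\
Problems with Data Types, High Severity  2
------------------------------
hbase-shaded-client-byo-hadoop-2.5.6.jar
package org.apache.hadoop.hbase.shaded.org.apache.zookeeper
  class ZooKeeper

hbase-shaded-client-byo-hadoop-2.5.6.jar
package org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server
  class LogFormatter

Problems with Methods, Low Severity  3
------------------------------
hbase-shaded-client-byo-hadoop-2.5.6.jar, ZooKeeperMain.class
package org.apache.hadoop.hbase.shaded.org.apache.zookeeper
  ZooKeeperMain.executeLine ( String line )  *:*  void
  ZooKeeperMain.processCmd ( ZooKeeperMain.MyCommandOptions co )  *:*
  boolean
"""

# Relocation prefix HBase uses for shaded third-party classes (assumed).
SHADED_PREFIX = "org.apache.hadoop.hbase.shaded."
HEADER_RE = re.compile(r"^Problems with (.+?), (High|Medium|Low) Severity\s+(\d+)$")

def parse_report(text):
    """Return {severity: [(jar, package, member)]} for every listed entry."""
    findings = defaultdict(list)
    severity = jar = package = None
    for line in (raw.rstrip() for raw in text.splitlines()):
        m = HEADER_RE.match(line)
        if m:
            severity = m.group(2)
        elif not line or line.startswith("---"):
            continue
        elif line.endswith(".jar") or ".jar," in line:
            jar = line.split(",")[0]          # "x.jar, Foo.class" -> "x.jar"
        elif line.startswith("package "):
            package = line.split(" ", 1)[1]
        elif line.startswith("  ") and severity and jar and package:
            entries = findings[severity]
            if entries and entries[-1][2].endswith("*:*"):   # wrapped return type
                j, p, head = entries[-1]
                entries[-1] = (j, p, head + " " + line.strip())
            else:
                entries.append((jar, package, line.strip()))
    return dict(findings)

def shaded_only(findings):
    """True when no affected package is outside the shaded relocation prefix."""
    return all(pkg.startswith(SHADED_PREFIX)
               for entries in findings.values() for _, pkg, _ in entries)
```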