I think we explicitly don't want our hbase-thirdparty netty version to be locked to the one for transitive dependencies. That's sort of why we have it in thirdparty/shaded at all, right?
I created https://issues.apache.org/jira/browse/HBASE-28291 to update pom.xml in hbase-thirdparty. I will handle that. We will need to do an hbase-thirdparty release, which I'm not sure I'll have time for given I'm already behind on the 2.6.0 release.

On Thu, Jan 4, 2024 at 11:58 AM Andrew Purtell <andrew.purt...@gmail.com> wrote:

> We should do that bump to hbase-thirdparty and spin another release to keep our house in order. It isn't urgent but would be good to address this in the normal release cadence. That has been about once per fiscal quarter recently. It's weird to have netty dependency versions diverging.
>
> I will make a note as RM to look at hbase-thirdparty versions with respect to the base POM and known security issues, using snyk probably, and update it ahead of 2.5.8. As well as direct dependencies in the base POM. Unfortunately I can't promise to do anything about transitive issues imported from something that impacts operational compatibility. Those must be weighed case by case.
>
> > On Jan 4, 2024, at 8:31 AM, Bryan Beaudreault <bbeaudrea...@apache.org> wrote:
> >
> > It looks like that CVE only affects io.netty:netty-codec-http2. Since our hbase-shaded-netty depends on netty-all, that module is included. However, I don't think we use anything from netty-codec-http2. So I don't think the CVE is a risk for this usage, unless you are building an app using the org.apache.hbase.thirdparty.io.netty classes. This would not be advised.
> >
> > That said, we could try to bump hbase-thirdparty to 4.1.100+ and include that in the upcoming 2.6.0 or 2.5.8 when that happens. If the CVE were critical we could rush out another minor release, but I don't think it's necessary here? I also wonder if we should update hbase-shaded-netty to only pull in the netty modules we actually use.
> >
> >> On Thu, Jan 4, 2024 at 11:14 AM Dan Huff <dan.h...@dremio.com.invalid> wrote:
> >>
> >> Thanks Bryan. That does help explain things. I have been looking at https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p and have been trying to determine if hbase is vulnerable to this attack vector or not. I got excited when I saw 4.1.100.Final in 2.5.7 but it sounds like that excitement was misplaced :)
> >>
> >> Dan
> >>
> >> On Tue, Jan 2, 2024 at 12:54 PM Bryan Beaudreault <bbeaudrea...@apache.org> wrote:
> >>
> >>> Hello,
> >>>
> >>> As the comment above the netty version change says, this only affects the transitive netty dependencies from thirdparty dependencies like zookeeper and hadoop. HBase's internal netty usage (i.e. for HBase's RPC protocol) uses the shaded netty provided by hbase-thirdparty.
> >>>
> >>> While you're generally correct that in maven you'd expect a version defined in dependencyManagement to affect all transitive dependencies, that is not the case for hbase-thirdparty due to the shading we do there. At the time of building hbase-thirdparty, the defined netty version there is pulled in and relocated to org.apache.hbase.thirdparty.io.netty and published as a new maven module named hbase-shaded-netty. As such, the dependencyManagement has no effect on it.
> >>>
> >>> I hope this helps.
> >>>
> >>> On Tue, Jan 2, 2024 at 2:40 PM Dan Huff <dan.h...@dremio.com.invalid> wrote:
> >>>
> >>>> Hello there Hbase Devs--
> >>>>
> >>>> I have been investigating taking an update to Hbase 2.5.7 after the release last week and have what I hope is a quick question about commit 7639345 <https://github.com/apache/hbase/commit/7639345a970636e7a9eb7adf6d84dadd6f3fccb9> in branch-2.5.
> >>>>
> >>>> Am I correct in believing that the direct inclusion of netty 4.1.100.Final in Hbase's pom.xml will override the 4.1.97.Final version that is specified in hbase-thirdparty <https://github.com/apache/hbase-thirdparty/blob/rel/4.1.5/pom.xml#L137>? I see 4.1.100.Final listed on https://hbase.apache.org/dependency-management.html which to me suggests that I am understanding this correctly that issues flagged against 4.1.97.Final can be ignored since Hbase will now just use 4.1.100.Final.
> >>>>
> >>>> Thanks so much for your time,
> >>>>
> >>>> Dan Huff
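As an added example (not code from the HBase project or from anyone in this thread), a small Python check for the point made above: the version pinned in a POM's dependencyManagement is not necessarily the version a shaded jar bundles. It reads a jar as a zip, counts classes under the plain and the relocated netty prefixes, notes whether the http2 codec package the CVE concerns is present, and compares the bundled version with the pin; it assumes the jar kept Maven's pom.properties entries (a shade configuration may strip them) and uses a constructed in-memory jar as input.

```python
import io
import re
import zipfile

# An unshaded netty lives under io/netty/; hbase-thirdparty relocates it.
NETTY_PREFIXES = ("io/netty/", "org/apache/hbase/thirdparty/io/netty/")
# Assumption: Maven's pom.properties survives shading (a shade config may strip it).
POM_PROPS = re.compile(r"^META-INF/maven/io\.netty/([^/]+)/pom\.properties$")
HTTP2_MARKER = "/handler/codec/http2/"  # package of the module the CVE names

def parse_properties(data: bytes) -> dict:
    """Minimal java.util.Properties reader: key=value lines, # or ! comments."""
    props = {}
    for line in data.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def inspect_jar(jar_bytes: bytes) -> dict:
    """Return {'classes': {prefix: count}, 'versions': {artifactId: version},
    'http2_codec': bool} for one jar given as bytes."""
    report = {"classes": {}, "versions": {}, "http2_codec": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            for prefix in NETTY_PREFIXES:
                if name.startswith(prefix) and name.endswith(".class"):
                    report["classes"][prefix] = report["classes"].get(prefix, 0) + 1
                    report["http2_codec"] |= HTTP2_MARKER in name
            match = POM_PROPS.match(name)
            if match:  # the version the jar really bundles, whatever the POM pins
                props = parse_properties(zf.read(name))
                report["versions"][match.group(1)] = props.get("version", "?")
    return report

def build_sample_jar() -> bytes:
    """Constructed stand-in for a shaded jar bundling relocated netty-all 4.1.97.Final."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        base = "org/apache/hbase/thirdparty/io/netty/"
        zf.writestr(base + "buffer/ByteBuf.class", b"")
        zf.writestr(base + "handler/codec/http2/Http2FrameCodec.class", b"")
        zf.writestr("META-INF/maven/io.netty/netty-all/pom.properties",
                    b"groupId=io.netty\nartifactId=netty-all\nversion=4.1.97.Final\n")
    return buf.getvalue()

def pin_mismatch(report: dict, pinned: str) -> list:
    """Artifacts whose bundled version differs from the POM's dependencyManagement pin."""
    return sorted(a for a, v in report["versions"].items() if v != pinned)
```

Run it over the real hbase-shaded-netty jar from your classpath (read the file into bytes) to see which version is actually relocated under org.apache.hbase.thirdparty.io.netty, independent of what the base POM pins.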