[
https://issues.apache.org/jira/browse/HBASE-30193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Peter Somogyi resolved HBASE-30193.
-----------------------------------
Fix Version/s: 2.7.0
3.0.0-beta-2
2.5.15
2.6.6
Resolution: Fixed
Pushed to all branches. Thanks for the commit, [~xavierfernandis]!
> Exclude transitive jakarta.mail dependency (CVE-2025-7962)
> ----------------------------------------------------------
>
> Key: HBASE-30193
> URL: https://issues.apache.org/jira/browse/HBASE-30193
> Project: HBase
> Issue Type: Task
> Affects Versions: 2.6.2, 2.6.4, 2.6.5
> Reporter: Xavier Fernandis
> Assignee: Xavier Fernandis
> Priority: Major
> Labels: CVE-2025-7962, pull-request-available
> Fix For: 2.7.0, 3.0.0-beta-2, 2.5.15, 2.6.6
>
>
> *com.sun.mail:jakarta.mail* is a transitive dependency pulled in via
> {*}com.sun.xml.ws:jaxws-rt:2.3.7{*}. It is not used anywhere in HBase.
> jaxws-rt itself is only used in two modules (hbase-it and
> hbase-dev-generate-classpath), and the only class referenced from its
> dependency chain is javax.xml.ws.http.HTTPException (which comes from
> jakarta.xml.ws-api, not from jakarta.mail).
> Since jakarta.mail is unused and brings in
> [CVE-2025-7962|https://github.com/advisories/GHSA-9342-92gg-6v29] (SMTP
> Injection), it is safe to exclude it from jaxws-rt.
>
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
