The old hbase-thirdparty is specifically a branch-2.5 issue. As 2.5.12 is a few months off, I think that we could go to 2.6.2 instead which has the latest HBase-thirdparty. All HBase 2.x versions are wire compatible, so it shouldn't be a problem.
On Wed, Mar 19, 2025 at 11:31 AM Sönke Liebau <soenke.lie...@stackable.tech.invalid> wrote: > Hi Istvan, > > as discussed of list, I also ran a scan for a 1.1.3-SNAPSHOT build, and > came to similar results (not a perfect match, but an exact science it ain't > :) > > avro:1.9.2 -> CVE-2024-47561, CVE-2023-394100 > netty-codec-http:4.1.97.Final -> CVE-2024-29025, GHSA-xpw8-rcwv-8f8p > netty-common:4.1.97.Final -> CVE-2024-47535, CVE-2025-25193 > netty-handler:4.1.97.Final -> CVE-2025-24970 > protobuf-java:2.5.0 -> CVE-2021-22569, CVE-2021-22570, CVE-2022-3171, > CVE-2022-3509, CVE-2022-3510, CVE-2024-7254 > > So basically the only thing "extra" in that list is Avro, not sure why > tbh. But that comes in via Hadoop, so nothing to be done there I guess. > > I have posted the results in a spreadsheet here as well: > > https://docs.google.com/spreadsheets/d/11VvFnIgGksun1J3HolV8wpXmPqThI6tZ1R_8UaUAOsE/edit?gid=1478559804#gid=1478559804 > in case anybody is interested. > I've also included the dependency graphs on extra sheets. > > But basically I'd say this is as good as it is gonna get and as you said, > much much much better than 1.1.2 > > Best regards, > Sönke > > On Tue, Mar 18, 2025 at 5:15 PM Istvan Toth <st...@cloudera.com.invalid> > wrote: > > > Thanks for the offer Sönke, but the release process requires permissions > > that only PMCs have and there is only so much you could do without that. > > > > Unfortunately your screenshot didn't make it to my Gmail. > > Can you attach it or copy-paste the text version ? > > > > Yes, most (on master all) CVEs are transitive from Hadoop and HBase, and > > the new versions are still significantly better than 1.1.2 > > > > I've run *mvn clean verify -Powasp-dependency-check -DnvdApiKey=<mykey> * > > to > > get the CVE list > > (You need to update the OWASP plugin version to 11.0.2 , and use at least > > Java 11) > > > > I don't want to copy paste it here because it's huge, but it's basically: > > > > - protobuf 2.5.0. which cannot do anything about until Hbase 3 > > - Netty 4.1.97 Final from hbase-thirdparty 4.1.5 > > - Jetty 9.4.52 from hbase-thirdparty 4.1.5 > > - Netty 4.1.100 from Hadoop (see OMID-302) > > - Jetty websocket 9.4.53 from Hadoop. > > > > Not ideal, but MUCH better than 1.1.2, which has about a dozen more > > components with CVEs, many of them REALLY old from Hadoop 3.4.2. > > (HBase should probably have bumped the thirdparty version before > releasing > > 2.5.11, but it's too late now) > > > > Due to the Hadoop->HBase->Omid release timelines, it's unlikely that we'd > > ever get a fully CVE free release, but we should make an effort at least. > > > > Istvan > > > > > > > > On Tue, Mar 18, 2025 at 2:31 PM Sönke Liebau > > <soenke.lie...@stackable.tech.invalid> wrote: > > > > > Hi Istvan, > > > > > > I have taken a brief look at the results of our vulnerability scanning, > > > and while Omid doesn't fare too well there, I think a lot of the > > > vulnerabilities we cannot do much about. > > > > > > 48 of the critical ones are due to jackson databind 2.4.0 which is > still > > > pulled in by the Hadoop version that is used by the HBase version omid > > uses > > > (I believe also in the updated version for 1.1.3) which we can't do > much > > > about in this project I guess.. > > > > > > > > > [image: image.png] > > > > > > Quite a few of the other vulnerabilities also come in via dependencies > of > > > Hadoop, so may vanish with the update. I am happy to build and scan an > > > image with the current master branch to get a comparison and see if > there > > > are any low hanging fruits remaining, but you probably did that already > > > yourself? > > > > > > Also, I'd be happy to help with the release, if there is documentation > > > that could guide me along the way I could be persuaded to be the > release > > > manager as well, but that may end up just meaning a lot of questions > for > > > everybody else :) > > > > > > Best regards, > > > Sönke > > > > > > > > > > > > On Tue, Mar 18, 2025 at 10:26 AM Istvan Toth <st...@apache.org> wrote: > > > > > >> Hi! > > >> > > >> As we're preparing for Phoenix 5.2.2, I have identified a few > transitive > > >> CVEs from Omid. > > >> The last Phoenix release was a year ago, and there are more than a > dozen > > >> unreleased CVE, build, and dependency version fixes on the master > > branch. > > >> > > >> I propose releasing Omid 1.1.3 from the current master branch. > > >> > > >> Do you have any objections ? > > >> Are there any open issues that should be fixed for 1.1.3 ? > > >> If we decide to release, would anyone volunteer to be the 1.1.3 > Release > > >> Manager ? > > >> > > >> Istvan > > >> > > > > > > > -- > > *István Tóth* | Sr. Staff Software Engineer > > *Email*: st...@cloudera.com > > cloudera.com <https://www.cloudera.com> > > [image: Cloudera] <https://www.cloudera.com/> > > [image: Cloudera on Twitter] <https://twitter.com/cloudera> [image: > > Cloudera on Facebook] <https://www.facebook.com/cloudera> [image: > Cloudera > > on LinkedIn] <https://www.linkedin.com/company/cloudera> > > ------------------------------ > > ------------------------------ > > > -- *István Tóth* | Sr. Staff Software Engineer *Email*: st...@cloudera.com cloudera.com <https://www.cloudera.com> [image: Cloudera] <https://www.cloudera.com/> [image: Cloudera on Twitter] <https://twitter.com/cloudera> [image: Cloudera on Facebook] <https://www.facebook.com/cloudera> [image: Cloudera on LinkedIn] <https://www.linkedin.com/company/cloudera> ------------------------------ ------------------------------
