[ https://issues.apache.org/jira/browse/HBASE-20763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16518567#comment-16518567 ]
Josh Elser commented on HBASE-20763:
------------------------------------

On the bright side, the release notes also look promising for compatibility. Guava has started following a new policy where they will not remove non-Beta API in releases! Skimming the notes from 22.x to 25, nothing nasty jumps out at me. Testing out a local build now.

> Update guava >=24.1.1
> ---------------------
>
> Key: HBASE-20763
> URL: https://issues.apache.org/jira/browse/HBASE-20763
> Project: HBase
> Issue Type: Task
> Components: thirdparty
> Reporter: Josh Elser
> Assignee: Josh Elser
> Priority: Major
> Fix For: thirdparty-2.2.0
>
>
> We should update Guava in hbase-thirdparty to stop shipping the code cited as
> vulnerable in CVE-2018-10237. We do not invoke this code ourselves and users
> would have to try pretty hard to use it themselves, but we've seen more
> strange things before ;)
> Let's just bump up the dependency and move on.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)