[
https://issues.apache.org/jira/browse/HBASE-21282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16646550#comment-16646550
]
Josh Elser commented on HBASE-21282:
------------------------------------
[~stack] not to bother you twice in one day about the same thing but... Another
dependency upgrade for 2.0. This is non-test related, but there are open CVEs
against these versions of Jetty. Now, none of the CVEs appeared to be somethign
that would directly impact us, but systems will flag them nonetheless. Just
wanted to make sure I painted a clear picture and didn't just assume you did
not want this for 2.0
[~Apache9], another one for 2.1
> Upgrade Jetty dependencies to latest in major-line
> --------------------------------------------------
>
> Key: HBASE-21282
> URL: https://issues.apache.org/jira/browse/HBASE-21282
> Project: HBase
> Issue Type: Task
> Components: dependencies
> Reporter: Josh Elser
> Assignee: Josh Elser
> Priority: Major
> Fix For: 3.0.0, 2.2.0, 2.0.3, 2.1.2
>
> Attachments: HBASE-21282.001.branch-2.0.patch
>
>
> Looks like we have dependencies on both jetty 9.2 and 9.3, but we're lagging
> pretty far behind in both. We can upgrade both of these to the latest (august
> 2018).
>
> I'll also have to take a look at why we're using two separate versions (maybe
> we didn't want to switch from jetty-jsp to apache-jsp on 9.2->9.3?). Not sure
> if there's a good reason for this.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
