[ https://issues.apache.org/jira/browse/HBASE-21791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16761051#comment-16761051 ]
Andrew Purtell edited comment on HBASE-21791 at 2/5/19 5:45 PM:
----------------------------------------------------------------
[~toffer] If you want to put this in 1.3 it needs to go into 1.4 too, I'd say. I
had no plans to apply this to 1.4 myself, but no objections to that from me
either. There is no wire compatibility issue as far as community testing has
revealed, and although it has potential downstream knock-on effects I think the
security concerns are more important. We made a similar trade-off when removing
Bytes API methods that did unsafe object deserialization a while back.
was (Author: apurtell):
[~toffer] If you want to put this in 1.3 it needs to go into 1.4 too, I'd say;
no objections to that from me. There is no wire compatibility issue as far as
community testing has revealed, and although it has potential downstream knock-on
effects I think the security concerns are more important. We made a similar
trade-off when removing Bytes API methods that did unsafe object
deserialization a while back.
> Upgrade thrift dependency to 0.12.0
> -----------------------------------
>
> Key: HBASE-21791
> URL: https://issues.apache.org/jira/browse/HBASE-21791
> Project: HBase
> Issue Type: Task
> Components: Thrift
> Affects Versions: 3.0.0, 1.5.0, 1.3.3, 2.2.0, 1.4.9, 2.1.2, 1.2.10, 2.0.4
> Reporter: Duo Zhang
> Assignee: Duo Zhang
> Priority: Blocker
> Fix For: 3.0.0, 1.5.0, 2.2.0, 2.1.3, 2.0.5, 2.3.0
>
> Attachments: HBASE-21791-branch-1.patch,
> HBASE-21791-branch-2.1.patch, HBASE-21791.patch
>
>
> As some of you may already know, there is a CVE for thrift affecting versions
> 0.5.0 to 0.11.0.
> https://nvd.nist.gov/vuln/detail/CVE-2018-1320
> As the CVE is already public, let's upgrade our thrift dependency and release
> new versions ASAP.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
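The issue above only states the affected range (libthrift 0.5.0 to 0.11.0, fixed by moving to 0.12.0). A downstream user who wants to know whether their own build still pulls a vulnerable libthrift can check the Maven dependency tree for it. The script below is an added example written for this page, not code from HBASE-21791 or from the HBase project: it scans constructed `mvn dependency:tree` output for `org.apache.thrift:libthrift` coordinates and flags any version inside the range the issue cites. The sample tree text, the function names and the version-range constants are assumptions made for the example.

```python
import re

# Affected range as stated in HBASE-21791 for CVE-2018-1320; fixed in 0.12.0.
# (Assumption for this example: the range is inclusive at both ends.)
AFFECTED_MIN = (0, 5, 0)
AFFECTED_MAX = (0, 11, 0)
FIXED_VERSION = (0, 12, 0)

# Matches the libthrift coordinate as printed by `mvn dependency:tree`,
# e.g. "[INFO] |  +- org.apache.thrift:libthrift:jar:0.9.3:compile".
COORD_RE = re.compile(r"org\.apache\.thrift:libthrift:jar:([0-9][0-9A-Za-z.\-]*)")


def parse_version(text):
    """Turn '0.9.3', '0.9.3-1' or '0.12.0-SNAPSHOT' into a 3-tuple of ints.

    Qualifiers after the first '-' are dropped; missing components are 0.
    """
    core = text.split("-")[0]
    parts = []
    for piece in core.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True if this libthrift version falls in the range cited by the issue."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def find_libthrift(tree_text):
    """Return [(version, affected), ...] for every libthrift coordinate seen."""
    return [(v, is_affected(v)) for v in COORD_RE.findall(tree_text)]


# Constructed sample of `mvn dependency:tree` output (not real project output):
# one module still on 0.9.3, another already on 0.12.0.
SAMPLE_TREE = """\
[INFO] org.example:app-thrift:jar:1.0.0
[INFO] +- org.apache.hbase:hbase-thrift:jar:1.4.9:compile
[INFO] |  +- org.apache.thrift:libthrift:jar:0.9.3:compile
[INFO] |  \\- org.apache.httpcomponents:httpclient:jar:4.5.6:compile
[INFO] \\- org.example:other-lib:jar:2.0.0:compile
[INFO]    \\- org.apache.thrift:libthrift:jar:0.12.0:compile
"""


def report(tree_text):
    """Human-readable lines for each libthrift found; affected ones are marked."""
    lines = []
    for version, affected in find_libthrift(tree_text):
        status = "AFFECTED by CVE-2018-1320, upgrade to %d.%d.%d" % FIXED_VERSION \
            if affected else "ok"
        lines.append("libthrift %s: %s" % (version, status))
    return lines


if __name__ == "__main__":
    # In practice: mvn dependency:tree -Dincludes=org.apache.thrift > tree.txt
    for line in report(SAMPLE_TREE):
        print(line)
```

Two caveats when using this against a real build: `dependency:tree` only reports libthrift where it appears as a Maven artifact, so a shaded or relocated copy inside another jar (for example an uber-jar) will not show up and must be checked by inspecting the jar contents, and versions below 0.5.0 are not flagged because the issue does not list them as affected, not because they are known to be safe.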