[https://issues.apache.org/jira/browse/HBASE-22499?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16851486#comment-16851486]
Sean Busbey commented on HBASE-22499:
-------------------------------------
oh good! When I saw the announcement I thought I'd end up filing this tomorrow. :)
The thing that's notable in the CVE announcement, to me, is that there's no fix
coming for Hadoop 3.0.z which means that branch is effectively EOM. So we
should definitely move it to (x) status in the next minor releases (1.5 and
2.2).
By getting into this level of detail on the matrix, are we setting ourselves up
to chase after every CVE release from Hadoop?
What if instead of getting down to particular maintenance releases for CVEs we
add a note that links to the [CVE page for
hadoop|https://hadoop.apache.org/cve_list.html] and notes that downstream folks
should be cognizant of the current CVE list? Not every CVE is applicable to
every deployment (some folks might run HBase without a YARN deployment, for
example).
> Drop the support for several hadoop releases due to CVE-2018-8029
> -----------------------------------------------------------------
>
> Key: HBASE-22499
> URL: https://issues.apache.org/jira/browse/HBASE-22499
> Project: HBase
> Issue Type: Task
> Reporter: Duo Zhang
> Priority: Major
>
> https://lists.apache.org/thread.html/3d6831c3893cd27b6850aea2feff7d536888286d588e703c6ffd2e82@%3Cuser.hadoop.apache.org%3E
> Versions Affected:
> 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, 2.2.0 to 2.8.4
> So maybe we should drop several releases for 2.8.x and 2.9.x, and drop
> support for the whole 3.0.x release line.