[
https://issues.apache.org/jira/browse/HBASE-22499?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16851491#comment-16851491
]
Duo Zhang commented on HBASE-22499:
-----------------------------------
I think for new minor releases, we'd better drop the support if there are CVEs.
But for the current minor release lines, by default I prefer that we still
support the hadoop versions even if it has several unfixed CVEs, unless it is a
very very critical one.
> Drop the support for several hadoop releases due to CVE-2018-8029
> -----------------------------------------------------------------
>
> Key: HBASE-22499
> URL: https://issues.apache.org/jira/browse/HBASE-22499
> Project: HBase
> Issue Type: Task
> Reporter: Duo Zhang
> Priority: Major
>
> https://lists.apache.org/thread.html/3d6831c3893cd27b6850aea2feff7d536888286d588e703c6ffd2e82@%3Cuser.hadoop.apache.org%3E
> Versions Affected:
> 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, 2.2.0 to 2.8.4
> So maybe we should drop the several release for 2.8.x and 2.9.x, and drop the
> support for whole 3.0.x release line.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
