[ https://issues.apache.org/jira/browse/HBASE-22728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16900452#comment-16900452 ]
Andrew Purtell commented on HBASE-22728:
----------------------------------------
bq. if we're going to make downstream deal with removing jackson 1 from the
classpath then we should try to just have no exposed jackson for downstream at
the end of the day.

This is my feedback as well.

I also think we should backport hbase-rest for HBase 2 from hbase-connectors
back to branch-1 so we don't have something using a vulnerable version of
Jackson in branch-1, and do not expose Jackson from this module either.

> Upgrade jackson dependencies in branch-1
> ----------------------------------------
>
> Key: HBASE-22728
> URL: https://issues.apache.org/jira/browse/HBASE-22728
> Project: HBase
> Issue Type: Sub-task
> Affects Versions: 1.4.10, 1.3.5
> Reporter: Andrew Purtell
> Assignee: Viraj Jasani
> Priority: Major
> Fix For: 1.5.0, 1.3.6, 1.4.11
>
> Attachments: HBASE-22728.branch-1.01.patch,
> HBASE-22728.branch-1.02.patch, HBASE-22728.branch-1.04.patch,
> HBASE-22728.branch-1.06.patch, dependency_codehaus.out
>
>
> Avoid Jackson versions and dependencies with known CVEs