[jira] [Commented] (HBASE-22728) Upgrade jackson dependencies in branch-1

Tue, 13 Aug 2019 16:41:39 -0700 


    [ 
https://issues.apache.org/jira/browse/HBASE-22728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16906719#comment-16906719
 ] 

Andrew Purtell commented on HBASE-22728:
----------------------------------------

Not quite. Every process prints these warnings

{noformat}
2019-08-13 16:32:34,147 WARN  [main] fs.FileSystem: Cannot load filesystem: 
java.util.ServiceConfigurationError: org.apache.hadoop.fs.FileSystem: Provider 
org.apache.hadoop.hdfs.web.WebHdfsFileSystem could not be instantiated
2019-08-13 16:32:34,147 WARN  [main] fs.FileSystem: 
java.lang.NoClassDefFoundError: org/codehaus/jackson/map/ObjectMapper
2019-08-13 16:32:34,147 WARN  [main] fs.FileSystem: 
java.lang.ClassNotFoundException: org.codehaus.jackson.map.ObjectMapper
2019-08-13 16:32:34,148 WARN  [main] fs.FileSystem: Cannot load filesystem: 
java.util.ServiceConfigurationError: org.apache.hadoop.fs.FileSystem: Provider 
org.apache.hadoop.hdfs.web.SWebHdfsFileSystem could not be instantiated
2019-08-13 16:32:34,149 WARN  [main] fs.FileSystem: 
java.lang.NoClassDefFoundError: org.apache.hadoop.hdfs.web.WebHdfsFileSystem
{noformat}

They aren't harmful but will result in bug reports.

Including the vulnerable mapper in our convenience binaries is fine albeit we 
will want to call this out in a release note. It is Hadoop's requirement. 

I think it's good enough to ensure hbase-client and its in project dependencies 
(hbase-annotation, hbase-protocol, etc.) does not surprise by pulling in a 
vulnerable version into a downstream project transitively.

> Upgrade jackson dependencies in branch-1
> ----------------------------------------
>
>                 Key: HBASE-22728
>                 URL: https://issues.apache.org/jira/browse/HBASE-22728
>             Project: HBase
>          Issue Type: Sub-task
>    Affects Versions: 1.4.10, 1.3.5
>            Reporter: Andrew Purtell
>            Assignee: Viraj Jasani
>            Priority: Major
>             Fix For: 1.5.0, 1.3.6, 1.4.11
>
>         Attachments: HBASE-22728-addendum.patch, HBASE-22728-addendum.patch, 
> HBASE-22728.branch-1.01.patch, HBASE-22728.branch-1.02.patch, 
> HBASE-22728.branch-1.04.patch, HBASE-22728.branch-1.06.patch, 
> HBASE-22728.branch-1.10.patch, HBASE-22728.branch-1.11.patch, 
> HBASE-22728.branch-1.12.patch, HBASE-22728.branch-1.14.patch, 
> HBASE-22728.branch-1.15.patch, HBASE-22728.branch-1.16.patch
>
>
> Avoid Jackson versions and dependencies with known CVEs



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

Reply via email to