[ 
https://issues.apache.org/jira/browse/HBASE-22728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16906719#comment-16906719
 ] 

Andrew Purtell edited comment on HBASE-22728 at 8/13/19 11:58 PM:
------------------------------------------------------------------

Not quite. Every process prints these warnings:

{noformat}
2019-08-13 16:32:34,147 WARN  [main] fs.FileSystem: Cannot load filesystem: 
java.util.ServiceConfigurationError: org.apache.hadoop.fs.FileSystem: Provider 
org.apache.hadoop.hdfs.web.WebHdfsFileSystem could not be instantiated
2019-08-13 16:32:34,147 WARN  [main] fs.FileSystem: 
java.lang.NoClassDefFoundError: org/codehaus/jackson/map/ObjectMapper
2019-08-13 16:32:34,147 WARN  [main] fs.FileSystem: 
java.lang.ClassNotFoundException: org.codehaus.jackson.map.ObjectMapper
2019-08-13 16:32:34,148 WARN  [main] fs.FileSystem: Cannot load filesystem: 
java.util.ServiceConfigurationError: org.apache.hadoop.fs.FileSystem: Provider 
org.apache.hadoop.hdfs.web.SWebHdfsFileSystem could not be instantiated
2019-08-13 16:32:34,149 WARN  [main] fs.FileSystem: 
java.lang.NoClassDefFoundError: org.apache.hadoop.hdfs.web.WebHdfsFileSystem
{noformat}

They aren't harmful but will result in bug reports.

Including the vulnerable mapper in our convenience binaries is fine albeit we 
will want to call this out in a release note. It is Hadoop's requirement. 

I think it's good enough to ensure hbase-client and its in-project dependencies 
(hbase-annotation, hbase-protocol, etc.) do not surprise by pulling in a 
vulnerable version into a downstream project transitively.
Edit: And we have to make sure we don't use the vulnerable version in 
hbase-rest too, of course.



> Upgrade jackson dependencies in branch-1
> ----------------------------------------
>
>                 Key: HBASE-22728
>                 URL: https://issues.apache.org/jira/browse/HBASE-22728
>             Project: HBase
>          Issue Type: Sub-task
>    Affects Versions: 1.4.10, 1.3.5
>            Reporter: Andrew Purtell
>            Assignee: Viraj Jasani
>            Priority: Major
>             Fix For: 1.5.0, 1.3.6, 1.4.11
>
>         Attachments: HBASE-22728-addendum.patch, HBASE-22728-addendum.patch, 
> HBASE-22728.branch-1.01.patch, HBASE-22728.branch-1.02.patch, 
> HBASE-22728.branch-1.04.patch, HBASE-22728.branch-1.06.patch, 
> HBASE-22728.branch-1.10.patch, HBASE-22728.branch-1.11.patch, 
> HBASE-22728.branch-1.12.patch, HBASE-22728.branch-1.14.patch, 
> HBASE-22728.branch-1.15.patch, HBASE-22728.branch-1.16.patch
>
>
> Avoid Jackson versions and dependencies with known CVEs



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
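
One way to check the concern raised in the comment above, that hbase-client must not hand the Jackson 1.x mapper to a downstream project transitively. This is an added example, not part of the original message or of HBase's build. It assumes the text output of `mvn dependency:tree`; the sample tree and its `0.0.0-EXAMPLE` versions are constructed, and the function name is hypothetical.

```python
import re

BANNED_GROUP = "org.codehaus.jackson"     # groupId of the mapper named in the warnings
EXPORTED_SCOPES = {"compile", "runtime"}  # scopes Maven propagates to downstream projects

# Constructed sample of `mvn dependency:tree` output; versions are placeholders.
SAMPLE_TREE = r"""[INFO] org.apache.hbase:hbase-client:jar:0.0.0-EXAMPLE
[INFO] +- org.apache.hbase:hbase-annotations:jar:0.0.0-EXAMPLE:compile
[INFO] +- org.apache.hbase:hbase-protocol:jar:0.0.0-EXAMPLE:compile
[INFO] +- org.apache.hadoop:hadoop-common:jar:0.0.0-EXAMPLE:compile
[INFO] |  +- org.codehaus.jackson:jackson-core-asl:jar:0.0.0-EXAMPLE:compile
[INFO] |  \- org.codehaus.jackson:jackson-mapper-asl:jar:0.0.0-EXAMPLE:compile
[INFO] \- org.apache.hadoop:hadoop-hdfs:jar:0.0.0-EXAMPLE:test
[INFO]    \- org.codehaus.jackson:jackson-mapper-asl:jar:0.0.0-EXAMPLE:test
"""

# Each tree level is drawn with a 3-character prefix: "+- ", "|  ", "\- " or "   ".
LINE = re.compile(
    r"^\[INFO\] (?P<indent>(?:[|+\\ ][ -] )*)(?P<coord>[^\s:]+(?::[^\s:]+)+)"
)

def exported_banned(tree_text, banned_group=BANNED_GROUP):
    """Return (artifact, scope, path) for banned artifacts a downstream build inherits."""
    findings, path = [], []
    for line in tree_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip Maven banner and summary lines
        depth = len(m.group("indent")) // 3
        parts = m.group("coord").split(":")
        ga = ":".join(parts[:2])
        scope = parts[-1]          # last field is the scope on non-root lines
        del path[depth:]           # drop siblings and deeper nodes from the path
        path.append(ga)
        # depth 0 is the module itself; test/provided scopes are not propagated.
        if depth and parts[0] == banned_group and scope in EXPORTED_SCOPES:
            findings.append((ga, scope, " -> ".join(path)))
    return findings

if __name__ == "__main__":
    for artifact, scope, via in exported_banned(SAMPLE_TREE):
        print(f"{artifact} ({scope}) via {via}")
```

The path in each finding names the dependency that needs an exclusion or a scope change; the test-scoped copy under hadoop-hdfs is ignored because it never reaches a downstream project.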
