[ https://issues.apache.org/jira/browse/HBASE-23828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17034779#comment-17034779 ]

Norbert Kalmár commented on HBASE-23828:
----------------------------------------

As to why it is a bad thing having guava 11.0.2 on the classpath: 
[CVE-2018-10237|https://nvd.nist.gov/vuln/detail/CVE-2018-10237] "Unbounded 
memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote 
attackers to conduct denial of service attacks against servers that depend on 
this library and [...]"

> Remove unused hadoop.guava.version from pom.xml
> -----------------------------------------------
>
>                 Key: HBASE-23828
>                 URL: https://issues.apache.org/jira/browse/HBASE-23828
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Norbert Kalmár
>            Assignee: Norbert Kalmár
>            Priority: Major
>
> <hadoop.guava.version>11.0.2</hadoop.guava.version> 
> is still used in hbase-backup, I missed it at first...
> So, this should be either updated or removed. 
> Checking which is feasible...
> Update:
> So even if I remove hadoop.guava.version, with hadoop-2 profile, 11.0.2 will 
> be used during the build, and it will be on the classpath. 
> Since hadoop only upgraded to guava 27.0 in hadoop-3, I'm not sure what we 
> can do here. hadoop-2 is incompatible with guava 2x.x versions. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
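A check in the spirit of the comment above, added here and not part of the JIRA thread: it scans `mvn dependency:tree` output for Guava artifacts that fall inside the version range quoted from CVE-2018-10237 (11.0 through 24.x before 24.1.1). The dependency-tree text is a constructed sample, not output from an actual HBase build.

```python
import re

# Affected range as quoted from CVE-2018-10237 in the comment:
# Guava 11.0 through 24.x before 24.1.1.
AFFECTED_MIN = (11, 0)
FIXED_IN = (24, 1, 1)

# Matches a Guava artifact in `mvn dependency:tree` output, e.g.
#   [INFO] |  +- com.google.guava:guava:jar:11.0.2:compile
# Group 1 is the numeric version (a "-jre"/"-android" suffix is skipped), group 2 the scope.
TREE_LINE = re.compile(r"com\.google\.guava:guava:jar:([0-9][0-9.]*)(?:-[A-Za-z]+)?:(\w+)")


def parse_version(version):
    """'24.1.1' -> (24, 1, 1); tuples compare lexicographically, which matches Guava's numbering."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def is_affected(version):
    """True if this Guava version is inside the CVE-2018-10237 range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def find_affected_guava(tree_output):
    """Return (version, scope) pairs for every affected Guava artifact in the tree output."""
    hits = []
    for line in tree_output.splitlines():
        match = TREE_LINE.search(line)
        if match and is_affected(match.group(1)):
            hits.append((match.group(1), match.group(2)))
    return hits


# Constructed sample: a hadoop-2 style tree that pulls in Guava 11.0.2 at compile scope,
# plus a newer Guava at test scope that is outside the affected range.
SAMPLE_TREE = """\
[INFO] org.apache.hbase:hbase-backup:jar:EXAMPLE-SNAPSHOT
[INFO] +- org.apache.hadoop:hadoop-common:jar:2.EXAMPLE:compile
[INFO] |  +- com.google.guava:guava:jar:11.0.2:compile
[INFO] \\- com.google.guava:guava:jar:27.0-jre:test
"""

if __name__ == "__main__":
    for version, scope in find_affected_guava(SAMPLE_TREE):
        print(f"affected guava {version} ({scope} scope) on the classpath")
```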
