[ https://issues.apache.org/jira/browse/HBASE-23828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17034779#comment-17034779 ]
Norbert Kalmár commented on HBASE-23828:
----------------------------------------

As to why it is a bad thing having guava 11.0.2 on the classpath:
[CVE-2018-10237|https://nvd.nist.gov/vuln/detail/CVE-2018-10237]
"Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and [...]"

> Remove unused hadoop.guava.version from pom.xml
> -----------------------------------------------
>
>                 Key: HBASE-23828
>                 URL: https://issues.apache.org/jira/browse/HBASE-23828
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Norbert Kalmár
>            Assignee: Norbert Kalmár
>            Priority: Major
>
> <hadoop.guava.version>11.0.2</hadoop.guava.version>
> is still used in hbase-backup, I missed it at first...
> So, this should be either updated or removed.
> Checking which is feasible...
> Update:
> So even if I remove hadoop.guava.version, with hadoop-2 profile, 11.0.2 will
> be used during the build, and it will be on the classpath.
> Since hadoop only upgraded to guava 27.0 in hadoop-3, I'm not sure what we
> can do here. hadoop-2 is incompatible with guava 2x.x versions.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
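
As an added example (not part of the issue or of HBase's build), the sketch below scans `mvn dependency:tree` output for Guava nodes whose version falls in the range the quoted CVE text gives, which is how a transitive 11.0.2 would show up even after the property is removed. The sample tree and the `org.example` names are constructed; only the plain `group:artifact:type:version:scope` node format is assumed.

```python
import re

# Range from the CVE-2018-10237 text quoted above: 11.0 through 24.x before 24.1.1.
AFFECTED_FROM = (11, 0, 0)
FIXED_IN = (24, 1, 1)

# A Guava node as printed by `mvn dependency:tree`, up to the next whitespace.
GUAVA_NODE = re.compile(r"com\.google\.guava:guava:\S+")

# Constructed sample output: one module pulls Guava in transitively, one directly.
SAMPLE_TREE = """\
[INFO] org.example:demo-hadoop2:jar:1.0-SNAPSHOT
[INFO] +- org.example:uses-old-guava:jar:1.0:compile
[INFO] |  \\- com.google.guava:guava:jar:11.0.2:compile
[INFO] org.example:demo-hadoop3:jar:1.0-SNAPSHOT
[INFO] \\- com.google.guava:guava:jar:27.0-jre:compile
"""


def parse_version(text):
    """'27.0-jre' -> (27, 0, 0); None for non-numeric schemes such as 'r09'."""
    core = text.split("-", 1)[0]          # drop '-jre' / '-android' flavour suffix
    parts = core.split(".")
    if len(parts) > 3 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def affected_guava(tree_output):
    """Return sorted (version, scope) pairs of Guava nodes inside the CVE range."""
    hits = set()
    for match in GUAVA_NODE.finditer(tree_output):
        fields = match.group(0).split(":")
        version, scope = fields[-2], fields[-1]   # last two fields: version, scope
        parsed = parse_version(version)
        if parsed is not None and AFFECTED_FROM <= parsed < FIXED_IN:
            hits.add((version, scope))
    return sorted(hits)


if __name__ == "__main__":
    for version, scope in affected_guava(SAMPLE_TREE):
        print(f"guava {version} ({scope}) is in the CVE-2018-10237 range")
```

Versions that do not parse as dotted numbers are skipped rather than flagged, so review those by hand.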