[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17304998#comment-17304998 ]
Norbert Kalmár commented on HBASE-25568: ---------------------------------------- 2.3 (soon 2.4?) is the current stable branch, and there's a CVE on thrift version used in those versions, so I would say that's a plus towards backporting. And there's a good chance there will bu further CVE reported for 0.13 IMHO. But let's wait and see what the veterans think. This is my non-binding opinion. > Upgrade Thrift jar to fix CVE-2020-13949 > ---------------------------------------- > > Key: HBASE-25568 > URL: https://issues.apache.org/jira/browse/HBASE-25568 > Project: HBase > Issue Type: Bug > Components: Thrift > Reporter: Pankaj Kumar > Assignee: Pankaj Kumar > Priority: Critical > Fix For: 3.0.0-alpha-1 > > > There is potential DoS when processing untrusted Thrift payloads, > https://seclists.org/oss-sec/2021/q1/140 -- This message was sent by Atlassian Jira (v8.3.4#803005)