[https://issues.apache.org/jira/browse/HBASE-27694?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17698199#comment-17698199]
Rajeshbabu Chintaguntla edited comment on HBASE-27694 at 3/9/23 6:37 AM:
-------------------------------------------------------------------------
[~zhangduo]
Here are the CVEs reported by Sonatype:
[CVE-2019-20444|https://nvd.nist.gov/vuln/detail/CVE-2019-20444]
[CVE-2019-20445|https://nvd.nist.gov/vuln/detail/CVE-2019-20445]
[CVE-2019-16869|https://nvd.nist.gov/vuln/detail/CVE-2019-16869]
[CVE-2020-11612|https://nvd.nist.gov/vuln/detail/CVE-2020-11612]
[CVE-2021-43797|https://nvd.nist.gov/vuln/detail/CVE-2021-43797]
But it seems like Hadoop is still keeping the older netty dependency to support
MiniYARNCluster-based test cases, I think. Will do full-fledged testing in case
we are able to fix the test cases.
was (Author: rajeshbabu):
[~zhangduo]
Here are the CVEs reported by Sonatype:
[CVE-2019-20444|https://nvd.nist.gov/vuln/detail/CVE-2019-20444]
[CVE-2019-20445|https://nvd.nist.gov/vuln/detail/CVE-2019-20445]
[CVE-2019-16869|https://nvd.nist.gov/vuln/detail/CVE-2019-16869]
[CVE-2020-11612|https://nvd.nist.gov/vuln/detail/CVE-2020-11612]
[CVE-2021-43797|https://nvd.nist.gov/vuln/detail/CVE-2021-43797]
But it seems like Hadoop is still keeping the older netty dependency to support
MiniYARNCluster-based test cases, I think. Will double check any possible way to
fix those and do full-fledged testing in case we are able to fix the test
cases.
> Exclude the older versions of netty pulling from Hadoop dependencies
> --------------------------------------------------------------------
>
> Key: HBASE-27694
> URL: https://issues.apache.org/jira/browse/HBASE-27694
> Project: HBase
> Issue Type: Bug
> Reporter: Rajeshbabu Chintaguntla
> Assignee: Rajeshbabu Chintaguntla
> Priority: Major
> Fix For: 2.6.0, 3.0.0-alpha-4, 2.5.4
>
>
> Currently netty version 3.10.6 is getting pulled in from the hdfs
> dependencies, and Sonatype-like tools are reporting the CVEs in HBase. To get
> rid of this, it is better to exclude netty where the hdfs or mapred client jars are used.
> * org.apache.hbase : hbase-it : jar : tests : 2.5.2
> ** org.apache.hadoop : hadoop-mapreduce-client-core : 3.2.2
> *** io.netty : netty : 3.10.6.final
> ** org.apache.hbase : hbase-endpoint : 2.5.2
> *** org.apache.hadoop : hadoop-hdfs : jar : tests : 3.2.2
> **** io.netty : netty : 3.10.6.final
> *** org.apache.hadoop : hadoop-hdfs : 3.2.2
> **** io.netty : netty : 3.10.6.final
> * org.apache.hadoop : hadoop-mapreduce-client-jobclient : 3.2.2
> ** io.netty : netty : 3.10.6.final
> ** org.apache.hadoop : hadoop-mapreduce-client-common : 3.2.2
> *** io.netty : netty : 3.10.6.final
> * org.apache.hadoop : hadoop-mapreduce-client-jobclient : jar : tests : 3.2.2
> ** io.netty : netty : 3.10.6.final
> * org.apache.hadoop : hadoop-mapreduce-client-hs : 3.2.2
> ** io.netty : netty : 3.10.6.final
> ** org.apache.hadoop : hadoop-mapreduce-client-app : 3.2.2
> *** io.netty : netty : 3.10.6.final
> *** org.apache.hadoop : hadoop-mapreduce-client-shuffle : 3.2.2
> **** io.netty : netty : 3.10.6.final
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
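As an added example (not code from the issue or from the HBase project), a small Python script that parses the Jira-rendered dependency tree quoted in the description, reports which direct dependencies transitively pull in io.netty:netty 3.x and through which artifact, and prints the Maven `<exclusion>` element to add under each of them. `JIRA_TREE` is a subset of the tree from the description, copied as rendered.

```python
import re

# Subset of the dependency tree from the Jira description, copied verbatim;
# each leading '*' is one level of nesting and ' : ' separates coordinates.
JIRA_TREE = """\
* org.apache.hbase : hbase-it : jar : tests : 2.5.2
** org.apache.hadoop : hadoop-mapreduce-client-core : 3.2.2
*** io.netty : netty : 3.10.6.final
** org.apache.hbase : hbase-endpoint : 2.5.2
*** org.apache.hadoop : hadoop-hdfs : 3.2.2
**** io.netty : netty : 3.10.6.final
* org.apache.hadoop : hadoop-mapreduce-client-jobclient : 3.2.2
** io.netty : netty : 3.10.6.final
** org.apache.hadoop : hadoop-mapreduce-client-common : 3.2.2
*** io.netty : netty : 3.10.6.final
"""

LINE_RE = re.compile(r"^(\*+)\s+(.*)$")

def parse_tree(text):
    """Yield (depth, group, artifact, version) per line; type/classifier are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            parts = [p.strip() for p in m.group(2).split(":")]
            yield len(m.group(1)), parts[0], parts[1], parts[-1]

def find_exclusions(text, group="io.netty", artifact="netty"):
    """Map each direct dependency to the sorted artifacts under it that declare the
    unwanted netty. An <exclusion> on the direct dependency covers its whole subtree."""
    stack, hits = [], {}
    for depth, g, a, _ in parse_tree(text):
        del stack[depth - 1:]          # pop back to this line's parent
        stack.append(f"{g}:{a}")
        if (g, a) == (group, artifact) and depth > 1:
            hits.setdefault(stack[0], set()).add(stack[-2])
    return {direct: sorted(parents) for direct, parents in hits.items()}

def exclusion_xml(group="io.netty", artifact="netty"):
    """Maven <exclusion> element to add under each flagged direct dependency."""
    return ("<exclusion>\n"
            f"  <groupId>{group}</groupId>\n"
            f"  <artifactId>{artifact}</artifactId>\n"
            "</exclusion>")

if __name__ == "__main__":
    for direct, parents in find_exclusions(JIRA_TREE).items():
        print(f"{direct}: netty 3.x reached via {', '.join(parents)}")
    print(exclusion_xml())
```

After adding the exclusions, re-run `mvn dependency:tree` and confirm no `io.netty:netty:3.x` line remains, since the same artifact can also arrive through a path the report did not show.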