[jira] [Updated] (HBASE-28943) Remove all jackson 1.x dependencies for hadoop-3 profile, since all jackson 1.x versions have vulnerabilities

[Nihal Jain (Jira)]

     [ 
https://issues.apache.org/jira/browse/HBASE-28943?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nihal Jain updated HBASE-28943:
-------------------------------
    Summary: Remove all jackson 1.x dependencies for hadoop-3 profile, since 
all jackson 1.x versions have vulnerabilities  (was: Remove all jackson 1.x 
dependencies from hadoop-3 profile, since all jackson 1.x versions have 
vulnerabilities)

> Remove all jackson 1.x dependencies for hadoop-3 profile, since all jackson 
> 1.x versions have vulnerabilities
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-28943
>                 URL: https://issues.apache.org/jira/browse/HBASE-28943
>             Project: HBase
>          Issue Type: Task
>          Components: hadoop3, security
>            Reporter: Nihal Jain
>            Assignee: Nihal Jain
>            Priority: Major
>
> Building hbase with hadoop-3 profile requires jackson 1.x jars, which has 
> vulnerabilities. Ideally these should not be needed as with HADOOP-13332 
> hadoop has already "Remove jackson 1.9.13 and switch all jackson code to 2.x 
> code line" for branch-3.
> Also in HBASE-27148, where we worked on "Move minimum hadoop 3 support 
> version to 3.2.3" we had did a similar cleanup for branch-3 but somehow we 
> missed to port the relevant changes to the branch-2 backport of same jira. 
> This task is to take care of this so that we donot need jackson 1.x to 
> build/run hbase with hadoop-3 profile on branch-2.x.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)