[
https://issues.apache.org/jira/browse/HBASE-30194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18085279#comment-18085279
]
Andrew Kyle Purtell commented on HBASE-30194:
---------------------------------------------
[~zhangduo] [~paksyd]
> [thirdparty] Onboard libthrift to hbase-thirdparty
> --------------------------------------------------
>
> Key: HBASE-30194
> URL: https://issues.apache.org/jira/browse/HBASE-30194
> Project: HBase
> Issue Type: Improvement
> Reporter: Andrew Kyle Purtell
> Assignee: Andrew Kyle Purtell
> Priority: Major
>
> There is a CVE in libthrift
> [https://nvd.nist.gov/vuln/detail/CVE-2026-43869]
> which is fixed in 0.23.0.
> While trying to upgrade it in HBASE-30182, Duo found that libthrift has moved
> up to jakarta servlet api, which makes it impossible to support java 8. We
> can move up to jakarta servlet api on master and branch-3 since we only need
> to support java 17 there, and we already have a shaded jetty 11. However we
> need a story for branch-2/2.5/2.6.
> The approach I would like to take is forking libthrift 0.23.0 (or latest) and
> retooling its source release back to javax and Java 8. Similar to how we
> maintain patches for protobuf and apply them to fetched source distributions
> during the thirdparty build, we would do exactly the same for libthrift and
> then rebase the thrift gateway on a new third party thrift module. While
> perhaps a fair amount of work it would not break Java 8 compatibility. It
> handles thrift just like protobuf, which is a clean symmetry.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
