[jira] [Commented] (HBASE-30193) Exclude transitive jakarta.mail dependency (CVE-2025-7962)

Wed, 03 Jun 2026 09:12:42 -0700 


    [ 
https://issues.apache.org/jira/browse/HBASE-30193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18085842#comment-18085842
 ] 

Hudson commented on HBASE-30193:
--------------------------------

Results for branch branch-2.5
        [build #40 on 
builds.a.o|https://ci-hbase.apache.org/job/HBase-Backwards-Compatibility-Test/job/branch-2.5/40/]:
 (/) *{color:green}+1 overall{color}*
----
Backwards compatibility checks:
(/) {color:green}+1 jdk17 hadoop 3.2.4 backward compatibility checks{color}
-- For more information [see jdk17 
report|https://ci-hbase.apache.org/job/HBase-Backwards-Compatibility-Test/job/branch-2.5/40/console]


(/) {color:green}+1 jdk17 hadoop 3.3.5 backward compatibility checks{color}
-- For more information [see jdk17 
report|https://ci-hbase.apache.org/job/HBase-Backwards-Compatibility-Test/job/branch-2.5/40/console]


(/) {color:green}+1 jdk17 hadoop 3.3.6 backward compatibility checks{color}
-- For more information [see jdk17 
report|https://ci-hbase.apache.org/job/HBase-Backwards-Compatibility-Test/job/branch-2.5/40/console]


(/) {color:green}+1 jdk17 hadoop 3.4.0 backward compatibility checks{color}
-- For more information [see jdk17 
report|https://ci-hbase.apache.org/job/HBase-Backwards-Compatibility-Test/job/branch-2.5/40/console]


(/) {color:green}+1 jdk17 hadoop 3.4.1 backward compatibility checks{color}
-- For more information [see jdk17 
report|https://ci-hbase.apache.org/job/HBase-Backwards-Compatibility-Test/job/branch-2.5/40/console]


(/) {color:green}+1 jdk17 hadoop 3.4.2 backward compatibility checks{color}
-- For more information [see jdk17 
report|https://ci-hbase.apache.org/job/HBase-Backwards-Compatibility-Test/job/branch-2.5/40/console]


> Exclude transitive jakarta.mail dependency (CVE-2025-7962)
> ----------------------------------------------------------
>
>                 Key: HBASE-30193
>                 URL: https://issues.apache.org/jira/browse/HBASE-30193
>             Project: HBase
>          Issue Type: Task
>    Affects Versions: 2.6.2, 2.6.4, 2.6.5
>            Reporter: Xavier Fernandis
>            Assignee: Xavier Fernandis
>            Priority: Major
>              Labels: CVE-2025-7962, pull-request-available
>             Fix For: 2.7.0, 3.0.0-beta-2, 2.5.15, 2.6.6
>
>
> *com.sun.mail:jakarta.mail* is a transitive dependency pulled in via 
> {*}com.sun.xml.ws:jaxws-rt:2.3.7{*}. It is not used anywhere in HBase.
> jaxws-rt itself is only used in two modules (hbase-it and 
> hbase-dev-generate-classpath), and the only class referenced from its 
> dependency chain is javax.xml.ws.http.HTTPException (which comes from 
> jakarta.xml.ws-api, not from jakarta.mail).
> Since jakarta.mail is unused and brings in 
> [CVE-2025-7962|https://github.com/advisories/GHSA-9342-92gg-6v29] (SMTP 
> Injection), it is safe to exclude it from jaxws-rt.
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to