[ https://issues.apache.org/jira/browse/PHOENIX-7163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17806842#comment-17806842 ]

Istvan Toth edited comment on PHOENIX-7163 at 1/15/24 2:09 PM:
---------------------------------------------------------------

We have two options:
- Either we need to dependency-manage commons-text as well (which we do not use)
- Or we need to use my original approach, and remove the commons-configuration2 
direct dependency declaration, and rely on the transitive dependency from 
Hadoop, which will pick up the (potentially fixed) version from Hadoop.


was (Author: stoty):
We have two options:
- Either we need to dependency-manage commons-text as well (which we do not use)
- Or we need to use my original approach, and remove the commons-configuration 
direct dependency declaration, and rely on the transitive dependency from 
Hadoop, which will pick up the version from hadoop.

> Update commons-configuration2 to 2.8.0
> --------------------------------------
>
>                 Key: PHOENIX-7163
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-7163
>             Project: Phoenix
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 5.2.0, 5.1.4
>            Reporter: Istvan Toth
>            Assignee: Istvan Toth
>            Priority: Major
>             Fix For: 5.2.0, 5.1.4
>
>
> We are using commons-configuration2 for the Hadoop metrics code, because 
> that Hadoop API is badly broken.
> Because of this, I have added dependency management for that dependency.
> We are setting an old version, which is known to have CVEs.
> -Remove the dependency management so that we can pick up any possible future 
> fixes from Hadoop instead.-
> Hadoop has updated to 2.8.0 without any code changes.
> Since we only add this for the Hadoop API leak, we may update to 2.8.0 just 
> as well.
> It is also not needed in hbase-server and hbase-mapreduce, as it is provided 
> by the expected Hadoop on the classpath.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
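Added example, not code from the Phoenix project or from this issue: a pom.xml fragment sketching the first option in the comment above, pinning commons-configuration2 to the 2.8.0 the issue targets and managing commons-text as well, so the version that commons-configuration2 pulls in transitively is controlled too. The Maven coordinates are the real Apache Commons ones; the property names and the placeholder for the commons-text version are assumptions here, since the page names no commons-text version.

```xml
<!-- Added example (not the Phoenix project's pom.xml): dependencyManagement
     entries for the first option described in the comment. -->
<project>
  <properties>
    <!-- 2.8.0 is the commons-configuration2 version this issue updates to. -->
    <commons-configuration2.version>2.8.0</commons-configuration2.version>
    <!-- Assumption: the page gives no commons-text version. Choose the patched
         release that Hadoop and commons-configuration2 2.8.0 resolve to, and
         confirm the result with dependency:tree (see the note below). -->
    <commons-text.version>REPLACE_ME</commons-text.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Pins the version wherever commons-configuration2 appears in the
           graph, whether declared directly or pulled in via Hadoop. -->
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-configuration2</artifactId>
        <version>${commons-configuration2.version}</version>
      </dependency>
      <!-- Phoenix does not use commons-text itself, but managing only
           commons-configuration2 leaves the commons-text it depends on
           unmanaged; this entry pins that transitive version as well. -->
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-text</artifactId>
        <version>${commons-text.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <!-- The second option from the comment is the absence of both a direct
       commons-configuration2 <dependency> and a dependencyManagement entry for
       it, so that the build resolves whatever version Hadoop brings in
       transitively. -->
</project>
```

To check which versions a module actually resolves after either change, run `mvn dependency:tree -Dincludes=org.apache.commons:commons-configuration2,org.apache.commons:commons-text` in that module; adding `-Dverbose` also marks entries that were overridden by dependencyManagement. Note that pinning in the Phoenix pom only governs Phoenix's own build artifacts: for the hbase-server and hbase-mapreduce modules the issue says the library is provided by the Hadoop on the classpath, so the version that runs there is whatever that Hadoop installation ships.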