[jira] [Commented] (HBASE-23828) Remove unused hadoop.guava.version from pom.xml
[ https://issues.apache.org/jira/browse/HBASE-23828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034779#comment-17034779 ]

Norbert Kalmár commented on HBASE-23828:

As to why it is a bad thing having guava 11.0.2 on the classpath:
[CVE-2018-10237|https://nvd.nist.gov/vuln/detail/CVE-2018-10237]
"Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and [...]"

> Remove unused hadoop.guava.version from pom.xml
> ---
>
>                 Key: HBASE-23828
>                 URL: https://issues.apache.org/jira/browse/HBASE-23828
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Norbert Kalmár
>            Assignee: Norbert Kalmár
>            Priority: Major
>
> 11.0.2
> is still used in hbase-backup, I missed it at first...
> So, this should be either updated or removed.
> Checking which is feasible...
> Update:
> So even if I remove hadoop.guava.version, with hadoop-2 profile, 11.0.2 will
> be used during the build, and it will be on the classpath.
> Since hadoop only upgraded to guava 27.0 in hadoop-3, I'm not sure what we
> can do here. hadoop-2 is incompatible with guava 2x.x versions.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
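The comment above notes that Guava 11.0.2 can still reach the classpath through a build profile even when the version property is removed. The following added example, which is not part of the thread or the HBase project, shows one way to check a resolved dependency tree for Guava versions inside the range quoted from CVE-2018-10237 and to report the path that pulls them in. It assumes the plain-text output format of `mvn dependency:tree`; the sample tree and its `org.example` coordinates are constructed.

```python
import re

# Affected range as quoted from CVE-2018-10237 above: 11.0 through 24.x before 24.1.1.
AFFECTED_FROM, FIXED_IN = (11, 0, 0), (24, 1, 1)

# Constructed sample in `mvn dependency:tree` text format. The org.example
# coordinates are illustrative and not taken from the HBase build.
SAMPLE_TREE = """\
[INFO] org.example:demo-backup:jar:1.0-SNAPSHOT
[INFO] +- org.example:demo-hadoop2-client:jar:2.0.0:compile
[INFO] |  +- com.google.guava:guava:jar:11.0.2:compile
[INFO] |  \\- org.example:demo-util:jar:1.2:compile
[INFO] \\- org.example:demo-shaded:jar:3.0:compile
[INFO]    \\- com.google.guava:guava:jar:27.0-jre:runtime
"""

# Tree-drawing prefix (3 characters per depth level), then the coordinate.
NODE = re.compile(r"^\[INFO\] ([|+\\ -]*)(\S+)$")


def parse_version(version):
    """Numeric (major, minor, patch); suffixes such as -jre or -android are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def affected_guava(tree_text):
    """Return (version, dependency path) for each Guava node in the affected range."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        parts = m.group(2).split(":") if m else []
        if len(parts) < 4:          # banner, separator or summary line
            continue
        depth = len(m.group(1)) // 3
        del stack[depth:]           # drop siblings and deeper nodes
        stack.append(":".join(parts[:2]))
        if parts[:2] != ["com.google.guava", "guava"]:
            continue
        # group:artifact:type[:classifier]:version[:scope]
        version = parts[4] if len(parts) == 6 else parts[3]
        parsed = parse_version(version)
        if parsed and AFFECTED_FROM <= parsed < FIXED_IN:
            findings.append((version, " -> ".join(stack)))
    return findings


if __name__ == "__main__":
    for version, path in affected_guava(SAMPLE_TREE):
        print(f"guava {version} in affected range, pulled in via: {path}")
```

Running the check once per build profile shows whether a profile still resolves an affected Guava transitively, which is the situation the issue description reports for the hadoop-2 profile.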
[jira] [Commented] (HBASE-23828) Remove unused hadoop.guava.version from pom.xml
[ https://issues.apache.org/jira/browse/HBASE-23828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034774#comment-17034774 ]

Norbert Kalmár commented on HBASE-23828:

Great, thanks [~busbey]!
[jira] [Commented] (HBASE-23828) Remove unused hadoop.guava.version from pom.xml
[ https://issues.apache.org/jira/browse/HBASE-23828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034719#comment-17034719 ]

Sean Busbey commented on HBASE-23828:

this is a very good reason for me to push on my desire for hbase 3 to drop Hadoop 2 support entirely. let me get my DISCUSS thread going on dev. maybe by tomorrow?