
    Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.4.10, 1.3.5, 1.3.6
    • Fix Version/s: 1.5.0, 1.3.6, 1.4.11
    • Component/s: None
    • Labels:
      None
    • Hadoop Flags:
      Reviewed
    • Release Note:
      1. Stopped using Jackson 1 (org.codehaus.jackson*) in the HBase code base.
      2. Upgraded to Jackson 2 (com.fasterxml.jackson*) instead.
      3. Stopped exposing vulnerable Jackson 1 dependencies (org.codehaus.jackson:jackson-mapper-asl:1.9.13) so that downstreamers would not pull it in from HBase.
      4. However, since Hadoop requires this dependency, put the vulnerable Jackson at compile scope in the hbase-assembly module so that the HBase tarball contains this mapper jar in lib. Still, downstream applications can't pull in Jackson 1 from HBase.
      5. Upgraded the Maven assembly plugin to 3.1.1.

      Description

      Avoid Jackson versions and dependencies with known CVEs

        Attachments

        1. HBASE-22728.branch-1.19.patch
          139 kB
          Viraj Jasani
        2. HBASE-22728.branch-1.18.patch
          138 kB
          Viraj Jasani
        3. HBASE-22728.branch-1.16.patch
          137 kB
          Viraj Jasani
        4. HBASE-22728.branch-1.15.patch
          137 kB
          Viraj Jasani
        5. HBASE-22728-addendum.patch
          2 kB
          Andrew Kyle Purtell
        6. HBASE-22728.branch-1.14.patch
          79 kB
          Viraj Jasani
        7. HBASE-22728-addendum.patch
          2 kB
          Andrew Kyle Purtell
        8. HBASE-22728.branch-1.12.patch
          94 kB
          Viraj Jasani
        9. HBASE-22728.branch-1.11.patch
          92 kB
          Viraj Jasani
        10. HBASE-22728.branch-1.10.patch
          78 kB
          Viraj Jasani
        11. HBASE-22728.branch-1.06.patch
          55 kB
          Viraj Jasani
        12. HBASE-22728.branch-1.04.patch
          55 kB
          Viraj Jasani
        13. HBASE-22728.branch-1.02.patch
          16 kB
          Viraj Jasani
        14. HBASE-22728.branch-1.01.patch
          17 kB
          Viraj Jasani

              People

              • Assignee:
                vjasani Viraj Jasani
                Reporter:
                apurtell Andrew Kyle Purtell
              • Votes:
                0
                Watchers:
                7
