Hi devs, I'm working on the guava version from 11.0.2 to 27.0-jre in hadoop-project. We need to do the upgrade because of CVE-2018-10237 <https://nvd.nist.gov/vuln/detail/CVE-2018-10237>.
I've created an issue (HADOOP-15960 <https://issues.apache.org/jira/browse/HADOOP-15960>) to track progress and created subtasks for hadoop branches 3.0, 3.1, 3.2 and trunk. The first update should be done in the trunk, and then it can be backported to lower version branches. Backporting to 2.x is not feasible right now, because of Guava 20 is the last Java 7 compatible version[1], and we have Java 7 compatibility on version 2 branches - but we are planning to update ( HADOOP-16219 <https://issues.apache.org/jira/browse/HADOOP-16219>). For the new deprecations after the update, I've created another issue ( HADOOP-16222 <https://issues.apache.org/jira/browse/HADOOP-16222>). Those can be fixed after the update is committed. Unit and integration testing in hadoop trunk There were modifications in the test in the following modules so precommit tests were running on jenkins: - hadoop-common-project - hadoop-hdfs-project - hadoop-mapreduce-project - hadoop-yarn-project There was one failure but after re-running the test locally it was successful, so not related to the change. Because of 5 hour test time limit for jenkins precommit build, I had to run tests on hadoop-tools manually and the tests were successful. You can find test results for trunk under HADOOP-16210 <https://issues.apache.org/jira/browse/HADOOP-16210>. Integration testing with other components I've done testing with HBase master on hadoop branch-3.0 with guava 27, and the tests were running fine. Thanks to Peter Somogyi for help. We are planning to do some testing with Peter Vary on Hive with branch-3.1 this week. Thanks, Gabor [1] https://groups.google.com/forum/#!msg/guava-discuss/ZRmDJnAq9T0/-HExv44eCAAJ