[
https://issues.apache.org/jira/browse/HADOOP-15960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16704178#comment-16704178
]
Wei-Chiu Chuang commented on HADOOP-15960:
------------------------------------------
Not quite clear where the "afu" class path comes from. I suppose that has to do
with shading which prepend the prefix, but couldn't find any mentioning of
"afu" in Hadoop codebase.
As far as I can tell, HBase compiles against this Hadoop patch (albeit the new
Gauva version adds a few dependencies and I had to explicitly add additional
license text in HBase)
I am running HBase small tests and so far so good.
The tricker question is the transitive guava version used in the YARN ATS
module. That is
{code:title=hadoop-project/pom.xml}
<properties>
<hbase.version>${hbase.two.version}</hbase.version>
<hbase-compatible-hadoop.version>3.0.0</hbase-compatible-hadoop.version>
<hbase-compatible-guava.version>11.0.2</hbase-compatible-guava.version>
<hbase-server-artifactid>hadoop-yarn-server-timelineservice-hbase-server-2</hbase-server-artifactid>
</properties>
{code}
I suppose this guava dependency should get updated too.
> Update guava to 27.0-jre in hadoop-common
> -----------------------------------------
>
> Key: HADOOP-15960
> URL: https://issues.apache.org/jira/browse/HADOOP-15960
> Project: Hadoop Common
> Issue Type: Bug
> Components: common, security
> Affects Versions: 3.1.0
> Reporter: Gabor Bota
> Assignee: Gabor Bota
> Priority: Major
> Attachments: HADOOP-15960.000.WIP.patch
>
>
> com.google.guava:guava should be upgraded to 27.0-jre due to new CVE's found
> [CVE-2018-10237|https://nvd.nist.gov/vuln/detail/CVE-2018-10237].
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
