[ https://issues.apache.org/jira/browse/HBASE-25214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sean Busbey resolved HBASE-25214.
---------------------------------
    Resolution: Duplicate

This is a duplicate of HBASE-24802. Please follow our work over there. Help in testing out the solution would be appreciated.

> about hbase introduced fasterxml's jackson versions and vulnerabilities
> ------------------------------------------------------------------------
>
>                 Key: HBASE-25214
>                 URL: https://issues.apache.org/jira/browse/HBASE-25214
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: openlookeng
>            Priority: Blocker
>
> A lot of hbase components use htrace-core4; this htrace-core4 shades fasterxml jackson (version 2.4.0)
> [INFO] | +- org.apache.hbase.thirdparty:hbase-shaded-miscellaneous:jar:2.2.1:compile
> [INFO] | +- org.slf4j:slf4j-api:jar:1.7.29:compile
> [INFO] | +- commons-io:commons-io:jar:2.6:compile
> [INFO] | +- org.apache.htrace:htrace-core4:jar:4.2.0-incubating:compile
> [INFO] | +- org.apache.commons:commons-crypto:jar:1.0.0:compile
> [INFO] | +- com.github.stephenc.findbugs:findbugs-annotations:jar:1.3.9-1:compile
> [INFO] | +- log4j:log4j:jar:1.2.17:compile
> [INFO] | - org.apache.yetus:audience-annotations:jar:0.5.0:compile
>
> As you know, the fasterxml jackson component frequently has new vulnerabilities coming out, like
> CVE-2016-7051, CVE-2016-3720, CVE-2018-5968, CVE-2018-11307, CVE-2018-7489, CVE-2019-14893,
> CVE-2019-14379, CVE-2020-14195, CVE-2020-14061, CVE-2020-8840, CVE-2019-14540, CVE-2020-10968,
> CVE-2020-11619, CVE-2019-17531, CVE-2019-16943, CVE-2020-14062, CVE-2020-14060, CVE-2020-11111,
> CVE-2019-16942, CVE-2020-9546, CVE-2020-9548, CVE-2019-12384, CVE-2020-10673, CVE-2020-24750,
> CVE-2019-16335, CVE-2019-14439, CVE-2020-10969, CVE-2020-11112, CVE-2019-12086, CVE-2019-20330,
> CVE-2019-17267, CVE-2020-9547, CVE-2020-11113, CVE-2020-10672, CVE-2020-11620, CVE-2020-24616,
> CVE-2018-19362, CVE-2018-19361, CVE-2018-19360, CVE-2018-14721, CVE-2018-14720, CVE-2018-14719,
> CVE-2018-14718, CVE-2018-1000873, CVE-2017-7525, CVE-2017-17485, CVE-2017-15095, CVE-2019-12814
> htrace-core4 was closed 4 years ago. What about this component's vulnerabilities? Does hbase have a plan to deal with this?

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
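
Added example, not part of the original message or of the HBase project's code: the dependency tree quoted above lists htrace-core4 but no Jackson artifact, because the Jackson copy is shaded inside that jar, so a check has to open the jar itself. This Python code does that on a constructed in-memory jar; the relocated package path and the presence of `META-INF/maven` metadata in the shaded jar are assumptions about how it was built.

```python
import io
import re
import zipfile

# maven-shade keeps a bundled artifact's pom.properties unless it is filtered out
# (assumption: the jar under inspection was built without such a filter).
POM_PROPS = re.compile(
    r"^META-INF/maven/(com\.fasterxml\.jackson[^/]*)/([^/]+)/pom\.properties$")
# Relocation rewrites the package prefix only; the Jackson class layout survives.
JACKSON_CLASS = re.compile(
    r"^(.*?/?fasterxml/jackson)/(?:core|databind|annotation)/.+\.class$")
UPSTREAM_PREFIX = "com.fasterxml.jackson"


def find_bundled_jackson(jar_bytes):
    """Report Jackson copies hidden inside a jar.

    Returns {'versions': {group:artifact -> version},
             'relocated': set of non-upstream package roots}.
    """
    versions, relocated = {}, set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            meta = POM_PROPS.match(name)
            if meta:
                props = jar.read(name).decode("utf-8", "replace")
                ver = re.search(r"^version=(.+)$", props, re.M)
                coord = f"{meta.group(1)}:{meta.group(2)}"
                versions[coord] = ver.group(1).strip() if ver else "unknown"
                continue
            cls = JACKSON_CLASS.match(name)
            if cls:
                prefix = cls.group(1).replace("/", ".")
                if prefix != UPSTREAM_PREFIX:
                    relocated.add(prefix)
    return {"versions": versions, "relocated": relocated}


def build_sample_jar(entries):
    """Constructed sample input: a jar built in memory from {path: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path, content in entries.items():
            jar.writestr(path, content)
    return buf.getvalue()


# Constructed entries that mimic a jar shading Jackson 2.4.0 under its own package.
SHADED_SAMPLE = {
    "org/apache/htrace/core/Tracer.class": b"",
    "org/apache/htrace/fasterxml/jackson/databind/ObjectMapper.class": b"",
    "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties":
        "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\nversion=2.4.0\n",
}
```

A non-empty `relocated` set means scanners that match on Maven coordinates or on the `com.fasterxml.jackson` package name will not see this copy.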