Thanks Bryan. That does help explain things. I have been looking at https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p and have been trying to determine if hbase is vulnerable to this attack vector or not. I got excited when I saw 4.1.100.Final in 2.5.7 but it sounds like that excitement was misplaced :)
Dan

On Tue, Jan 2, 2024 at 12:54 PM Bryan Beaudreault <bbeaudrea...@apache.org> wrote:

> Hello,
>
> As the comment above the netty version change says, this only affects the
> transitive netty dependencies from thirdparty dependencies like zookeeper
> and hadoop. HBase's internal netty usage (i.e. for HBase's RPC protocol)
> uses the shaded netty provided by hbase-thirdparty.
>
> While you're generally correct that in maven you'd expect a version defined
> in dependencyManagement to affect all transitive dependencies, that is not
> the case for hbase-thirdparty due to the shading we do there. At the time
> of building hbase-thirdparty, the defined netty version there is pulled in
> and relocated to org.apache.hbase.thirdparty.io.netty and published as a
> new maven module named hbase-shaded-netty. As such, the
> dependencyManagement has no effect on it.
>
> I hope this helps
>
> On Tue, Jan 2, 2024 at 2:40 PM Dan Huff <dan.h...@dremio.com.invalid> wrote:
>
> > Hello there Hbase Devs--
> >
> > I have been investigating taking an update to Hbase 2.5.7 after the release
> > last week and have what I hope is a quick question about commit 7639345
> > <https://github.com/apache/hbase/commit/7639345a970636e7a9eb7adf6d84dadd6f3fccb9>
> > in branch-2.5.
> >
> > Am I correct in believing that the direct inclusion of netty 4.1.100.Final
> > in Hbase's pom.xml will override the 4.1.97.Final version that is
> > specified in hbase-thirdparty
> > <https://github.com/apache/hbase-thirdparty/blob/rel/4.1.5/pom.xml#L137>?
> > I see 4.1.100.Final listed on
> > https://hbase.apache.org/dependency-management.html which to me suggests
> > that I am understanding this correctly that issues flagged against
> > 4.1.97.Final can be ignored since Hbase will now just use 4.1.100.Final.
> >
> > Thanks so much for your time,
> >
> > Dan Huff
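As an added check (not code from this thread or from the HBase project), the script below inventories a classpath for the two netty copies Bryan describes: unshaded io.netty classes, whose version HBase's dependencyManagement controls, and the relocated org.apache.hbase.thirdparty.io.netty copy, whose version was fixed when hbase-thirdparty was built. The jars are constructed in memory with the versions from the thread; the META-INF/io.netty.versions.properties entry is the file netty jars use to declare their build version.

```python
import io
import zipfile

UNSHADED = "io/netty/"
RELOCATED = "org/apache/hbase/thirdparty/io/netty/"
VERSIONS_FILE = "META-INF/io.netty.versions.properties"  # netty jars declare their version here

def make_jar(entries: dict) -> bytes:
    """Build a minimal jar in memory (constructed sample, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def classify_jar(jar_bytes: bytes) -> dict:
    """Report which netty flavour(s) a jar carries and any versions it declares."""
    result = {"unshaded": False, "relocated": False, "versions": {}}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        result["unshaded"] = any(n.startswith(UNSHADED) for n in names)
        result["relocated"] = any(n.startswith(RELOCATED) for n in names)
        if VERSIONS_FILE in names:  # keys look like netty-common.version=4.1.100.Final
            for line in zf.read(VERSIONS_FILE).decode("utf-8").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.endswith(".version"):
                    result["versions"][key[: -len(".version")]] = value.strip()
    return result

def audit_classpath(jars: dict) -> list:
    """One finding per netty copy, naming the mechanism that governs its version."""
    findings = []
    for jar_name, data in jars.items():
        info = classify_jar(data)
        if info["unshaded"]:
            declared = ", ".join(f"{k}={v}" for k, v in info["versions"].items()) or "no version declared"
            findings.append(f"{jar_name}: unshaded io.netty ({declared}); governed by dependencyManagement")
        if info["relocated"]:
            findings.append(f"{jar_name}: relocated netty; fixed when hbase-thirdparty was built, "
                            "dependencyManagement has no effect")
    return findings

# Constructed sample classpath: names and versions mirror the thread, these are not real jars
SAMPLE_CLASSPATH = {
    "netty-common-4.1.100.Final.jar": make_jar(
        {"io/netty/util/Version.class": b"", VERSIONS_FILE: "netty-common.version=4.1.100.Final\n"}),
    "hbase-shaded-netty-4.1.5.jar": make_jar(
        {"org/apache/hbase/thirdparty/io/netty/util/Version.class": b""}),
}
```

Run `audit_classpath` over real jars read from disk to see which copy a given advisory's fixed version actually reaches.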