We could fork libthrift and retool the latest source release back to javax and 
Java 8. Similar to how we maintain patches for protobuf and apply them to 
fetched source distributions during the builds of hbase-thirdparty, we would do 
the same for libthrift and then rebase the thrift gateway on a new third party 
thrift module. While perhaps a fair amount of work, it would not break Java 8
compatibility.

Alternatively, we could survey users and decide to move on from Java 8 if nobody
speaks up otherwise.

> On May 28, 2026, at 8:49 AM, Duo Zhang <[email protected]> wrote:
> 
> There is a CVE in libthrift
> 
> https://nvd.nist.gov/vuln/detail/CVE-2026-43869
> 
> which is fixed in 0.23.0.
> 
> While trying to upgrade it in HBASE-30182, I found that libthrift has
> already moved up to jakarta servlet api, instead of javax servlet api,
> which makes it impossible to support java 8.
> 
> We can move up to jakarta servlet api on master and branch-3 since we
> only need to support java 17 there, and we already have a shaded jetty
> 11 in hbase-thirdparty I believe?
> But how to deal with branch-2.x?
> Any suggestions?
> 
> Thanks.
