Andrew Kyle Purtell created HBASE-30194:
-------------------------------------------
Summary: [thirdparty] Onboard libthrift to hbase-thirdparty
Key: HBASE-30194
URL: https://issues.apache.org/jira/browse/HBASE-30194
Project: HBase
Issue Type: Improvement
Reporter: Andrew Kyle Purtell
Assignee: Andrew Kyle Purtell
There is a CVE in libthrift
[https://nvd.nist.gov/vuln/detail/CVE-2026-43869]
which is fixed in 0.23.0.
While trying to upgrade it in HBASE-30182, Duo found that libthrift has moved
up to the Jakarta Servlet API, which makes it impossible to support Java 8. We can
move up to the Jakarta Servlet API on master and branch-3 since we only need to
support Java 17 there, and we already have a shaded Jetty 11. However, we need a
story for branch-2/2.5/2.6.
The approach I would like to take is forking libthrift 0.23.0 (or latest) and
retooling its source release back to javax and Java 8. Similar to how we
maintain patches for protobuf and apply them to fetched source distributions
during the thirdparty build, we would do exactly the same for libthrift and
then rebase the thrift gateway on a new third party thrift module. While
perhaps a fair amount of work, it would not break Java 8 compatibility. It
handles thrift just like protobuf, which is a clean symmetry.