Hi Hadoop developers, I've always had this question and I don't know the answer.
For the last few months I finally spent time to deal with the vulnerability reports from our internal dependency check tools. Say in HADOOP-16152 <https://issues.apache.org/jira/browse/HADOOP-16152> we updated Jetty from 9.3.27 to 9.4.20 because of CVE-2019-16869; should I cherry-pick the fix into all lower releases? This is not a trivial change, and it breaks downstreams like Tez. On the other hand, it doesn't seem reasonable if I put this fix only in trunk and leave older releases vulnerable. What's the expectation of downstream applications w.r.t. breaking compatibility vs. fixing security issues? Thoughts?