[ https://issues.apache.org/jira/browse/HBASE-21791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16753342#comment-16753342 ]
Duo Zhang commented on HBASE-21791:
-----------------------------------

All green, good.

The way to generate the patch is:

1. Change the thrift.version to 0.12.0 in the root pom.xml.
2. Use the thrift compiler to generate the Java code for both thrift1 and thrift2. The command is
{noformat}
thrift --gen java thrift/Hbase.thrift
thrift --gen java thrift2/hbase.thrift
{noformat}
The generated Java code files will be placed under the gen-java directory; please move them to the src/main/java directory. Haven't tried to set the output directory directly when running the thrift command, maybe also fine.

Try 'mvn clean install -DskipTests' to see if there are compile errors; if not, we are done.

> Upgrade thrift dependency to 0.12.0
> -----------------------------------
>
>                 Key: HBASE-21791
>                 URL: https://issues.apache.org/jira/browse/HBASE-21791
>             Project: HBase
>          Issue Type: Task
>          Components: Thrift
>    Affects Versions: 3.0.0, 1.5.0, 1.3.3, 2.2.0, 1.4.9, 2.1.2, 1.2.10, 2.0.4
>            Reporter: Duo Zhang
>            Assignee: Duo Zhang
>            Priority: Blocker
>             Fix For: 3.0.0, 1.5.0, 2.2.0, 1.4.10, 2.1.3, 2.0.5
>
>         Attachments: HBASE-21791.patch
>
>
> As some may already know, there is a CVE for thrift from 0.5.0 to 0.11.0.
> https://nvd.nist.gov/vuln/detail/CVE-2018-1320
> As the CVE is already public, let's upgrade our thrift dependency and release
> new versions ASAP.
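A check that a pom.xml's thrift.version sits outside the 0.5.0 to 0.11.0 range named in the issue, as an added example that is not part of the JIRA comment or the HBase build. The function names are hypothetical, the sample pom is constructed, and the script assumes the property is a literal version string and that `sort -V` is available.

```shell
#!/bin/sh
# Added example (not HBase project code). All function names are hypothetical.

# Print the first <thrift.version> property value found in a pom.xml.
pom_thrift_version() {
  sed -n 's:.*<thrift\.version>\([^<]*\)</thrift\.version>.*:\1:p' "$1" | head -n 1
}

# version_le A B: succeeds when A <= B in version order (needs sort -V).
version_le() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Classify one version string against the range the issue gives (0.5.0 to 0.11.0).
# Prints "affected" (exit 1), "ok" (exit 0) or "unknown" (exit 2).
thrift_version_status() {
  case "$1" in
    # Empty, a ${...} indirection, or a qualifier such as -SNAPSHOT: do not guess.
    ''|*[!0-9.]*) echo unknown; return 2 ;;
  esac
  if version_le 0.5.0 "$1" && version_le "$1" 0.11.0; then
    echo affected
    return 1
  fi
  echo ok
}

# Classify the thrift.version declared in a pom.xml.
pom_thrift_status() {
  thrift_version_status "$(pom_thrift_version "$1")"
}

# Write a minimal, constructed pom.xml with the given thrift.version (sample input only).
write_sample_pom() {
  cat > "$2" <<EOF
<project>
  <properties>
    <thrift.version>$1</thrift.version>
  </properties>
</project>
EOF
}
```

The non-zero exit codes let `pom_thrift_status pom.xml` act as a build gate; "unknown" means the value has to be resolved by hand or through Maven.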