[
https://issues.apache.org/jira/browse/HBASE-21791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16761051#comment-16761051
]
Andrew Purtell commented on HBASE-21791:
----------------------------------------
[~toffer] If you want to put this in 1.3 it needs to go into 1.4 too I'd say,
no objections to that from me. There is no wire compatibility issue as far as
community testing has revealed and although it has potential downstream knock
on effects I think the security concerns are more important. We made a similar
trade off when removing Byte API methods that did unsafe object deserialization
a while back.
> Upgrade thrift dependency to 0.12.0
> -----------------------------------
>
> Key: HBASE-21791
> URL: https://issues.apache.org/jira/browse/HBASE-21791
> Project: HBase
> Issue Type: Task
> Components: Thrift
> Affects Versions: 3.0.0, 1.5.0, 1.3.3, 2.2.0, 1.4.9, 2.1.2, 1.2.10, 2.0.4
> Reporter: Duo Zhang
> Assignee: Duo Zhang
> Priority: Blocker
> Fix For: 3.0.0, 1.5.0, 2.2.0, 2.1.3, 2.0.5, 2.3.0
>
> Attachments: HBASE-21791-branch-1.patch,
> HBASE-21791-branch-2.1.patch, HBASE-21791.patch
>
>
> As somebody have already known, that there is a CVE for thrift from 0.5.0 to
> 0.11.0.
> https://nvd.nist.gov/vuln/detail/CVE-2018-1320
> As the CVE is already public, let's upgrade our thrift dependency and release
> new versions ASAP.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
