[ https://issues.apache.org/jira/browse/HBASE-22499?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16852593#comment-16852593 ]

Sean Busbey commented on HBASE-22499:
-------------------------------------

I don't think so. AFAIK there's no existing Enforcer plugin that would automate it in a way that wouldn't require maintaining the list of versions in multiple places (e.g. in the pom and in the ref guide). Also, would we then make it just CVEs that necessarily impact every HBase deployment on Hadoop? Or would that lead to users who use more of Hadoop than HBase needs having a false sense of security when we don't blacklist a version? If we blacklist all the Hadoop versions with CVEs, that's going to upset downstream folks who run HBase in a way such that some Hadoop CVE isn't exploitable in their setup. I think this just gets us into a rats' nest of edge cases. There are static analysis tools already for folks who want to be more proactive than we're already being.

> Drop the support for several hadoop releases due to CVE-2018-8029
> -----------------------------------------------------------------
>
>                 Key: HBASE-22499
>                 URL: https://issues.apache.org/jira/browse/HBASE-22499
>             Project: HBase
>          Issue Type: Task
>            Reporter: Duo Zhang
>            Priority: Major
>
> https://lists.apache.org/thread.html/3d6831c3893cd27b6850aea2feff7d536888286d588e703c6ffd2e82@%3Cuser.hadoop.apache.org%3E
> Versions Affected:
> 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, 2.2.0 to 2.8.4
> So maybe we should drop the several releases for 2.8.x and 2.9.x, and drop the
> support for the whole 3.0.x release line.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
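For context on the Enforcer approach the comment rejects, here is what a version blacklist in the build would look like, as an added illustration that is not part of the thread or of the HBase project's own pom: the banned ranges are the affected Hadoop versions quoted from the issue, and the same list would have to be repeated by hand in the ref guide, which is the duplication Sean points to. The groupId org.apache.hadoop is the real Hadoop groupId; the plugin version property and the module layout are assumptions.

```xml
<!-- Constructed example: a Maven Enforcer rule that fails the build when any
     (transitive) Hadoop artifact falls in a range affected by CVE-2018-8029.
     Ranges copied from the "Versions Affected" line of the issue above. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>${enforcer.version}</version> <!-- placeholder property -->
      <executions>
        <execution>
          <id>ban-hadoop-versions-with-known-cves</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <!-- searchTransitive catches Hadoop pulled in indirectly,
                     which is where a stale version usually hides. -->
                <searchTransitive>true</searchTransitive>
                <excludes>
                  <!-- 2.2.0 to 2.8.4 (inclusive bounds) -->
                  <exclude>org.apache.hadoop:*:[2.2.0,2.8.4]</exclude>
                  <!-- 2.9.0 to 2.9.1 -->
                  <exclude>org.apache.hadoop:*:[2.9.0,2.9.1]</exclude>
                  <!-- 3.0.0-alpha1 to 3.1.0; the alpha tag sorts below
                       3.0.0 in Maven's version ordering, so it is in range. -->
                  <exclude>org.apache.hadoop:*:[3.0.0-alpha1,3.1.0]</exclude>
                </excludes>
                <message>
                  Hadoop version is in a range affected by CVE-2018-8029;
                  see HBASE-22499 and the Hadoop compatibility table in the
                  ref guide (which must be updated together with this list).
                </message>
              </bannedDependencies>
            </rules>
            <fail>true</fail>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Note that this rule only sees the Hadoop version on the build classpath; it says nothing about the Hadoop cluster a given HBase deployment actually runs against, which is the "false sense of security" the comment warns about.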