[ https://issues.apache.org/jira/browse/HBASE-22728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16892379#comment-16892379 ]
Sean Busbey commented on HBASE-22728:
-------------------------------------
Ugh, this sounds miserable. Does the shaded client include the Jackson classes?
If not, I'd guess we can exclude it from hbase-client at least. "CVE vulnerable
dependency is removed from classpath, here's how you add it back if the
dependency is more important than the exposure" seems reasonable to me for
existing releases.
> Upgrade jackson dependencies in branch-1
> ----------------------------------------
>
> Key: HBASE-22728
> URL: https://issues.apache.org/jira/browse/HBASE-22728
> Project: HBase
> Issue Type: Sub-task
> Affects Versions: 1.4.10, 1.3.5
> Reporter: Andrew Purtell
> Priority: Major
> Fix For: 1.5.0, 1.3.6, 1.4.11
>
>
> Avoid Jackson versions and dependencies with known CVEs