[ https://issues.apache.org/jira/browse/HBASE-23834?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17411303#comment-17411303 ]

Duo Zhang commented on HBASE-23834:
-----------------------------------

IIRC, we marked it as an incompatible change because we changed the jetty 
dependency. Some downstream users may rely on the transitive dependency of 
jetty from hbase and after this change, their build may be broken.

Of course, we can include this change in 2.3 if we think it is worth it, as it 
is not a 'critical' incompatible change, such as removing a method or class, so 
let's see [~ndimiduk]'s opinion. He is the release manager of the 2.3.x release 
line.

Thanks.

> HBase fails to run on Hadoop 3.3.0/3.2.2/3.1.4 due to jetty version mismatch
> ----------------------------------------------------------------------------
>
>                 Key: HBASE-23834
>                 URL: https://issues.apache.org/jira/browse/HBASE-23834
>             Project: HBase
>          Issue Type: Bug
>          Components: dependencies
>            Reporter: Wei-Chiu Chuang
>            Assignee: Duo Zhang
>            Priority: Major
>             Fix For: 3.0.0-alpha-1, 2.4.0
>
>
> HBase master branch is currently on Jetty 9.3, and latest Hadoop 3 
> (unreleased branches trunk, branch-3.2 and branch-3.1) bumped Jetty to 9.4 to 
> address a vulnerability CVE-2017-9735.
> (1) Jetty 9.3 and 9.4 are quite different (there are incompatible API 
> changes) and HBase won't start on the latest Hadoop 3.
> (2) In any case, HBase should update its Jetty dependency to address the 
> vulnerability.
> Fortunately for HBase, updating to Jetty 9.4 requires no code change other 
> than the maven version string.
> More tests are needed to verify if HBase can run on older Hadoop versions if 
> its Jetty is updated.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
