[
https://issues.apache.org/jira/browse/HBASE-28506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Kyle Purtell updated HBASE-28506:
----------------------------------------
Hadoop Flags: Incompatible change, Reviewed
Release Note:
CVE-2024-3094 implicated recent releases of the native liblzma library as a
vector for malicious code. While this does not include the LZMA algorithm
implementation we use to support XZ compression in hbase-compression-xz,
xz-java, how the backdoor was introduced calls into question the
trustworthiness and viability of the XZ project. XZ compression provides little
to no value over more modern alternatives, like ZStandard, that can also
achieve similar compression ratios, and to our knowledge no HBase users of XZ
compression exist.
XZ compression support has been deprecated in 2.5 and removed in 2.6 and up.
Resolution: Fixed
Status: Resolved (was: Patch Available)
Subtask to deprecate in 2.5 is still unresolved but review feedback has been
addressed and it will land shortly.
> Remove hbase-compression-xz
> ---------------------------
>
> Key: HBASE-28506
> URL: https://issues.apache.org/jira/browse/HBASE-28506
> Project: HBase
> Issue Type: Task
> Reporter: Andrew Kyle Purtell
> Assignee: Andrew Kyle Purtell
> Priority: Major
> Labels: pull-request-available
> Fix For: 2.6.0, 3.0.0-beta-2
>
>
> Refer to [https://lists.apache.org/thread/on62z40rwotrcc8w1l5n55rd4zldho5g] .
> Deprecate in 2.5.x, remove in 2.6.
> I will add a release note when resolving this issue.