[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17322508#comment-17322508 ]

Hudson commented on HBASE-25568:

Results for branch branch-2.2
[build #205 on builds.a.o|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/205/]:
(x) -1 overall

details (if available):

(/) +1 general checks
-- For more information [see general report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/205//General_Nightly_Build_Report/]

(x) -1 jdk8 hadoop2 checks
-- For more information [see jdk8 (hadoop2) report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/205//JDK8_Nightly_Build_Report_(Hadoop2)/]

(x) -1 jdk8 hadoop3 checks
-- For more information [see jdk8 (hadoop3) report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/205//JDK8_Nightly_Build_Report_(Hadoop3)/]

(/) +1 source release artifact
-- See build output for details.

(x) -1 client integration test
-- Failed when running client tests on top of Hadoop 2. [see log for details|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/205//artifact/output-integration/hadoop-2.log]. (note that this means we didn't run on Hadoop 3)

> Upgrade Thrift jar to fix CVE-2020-13949
>
> Key: HBASE-25568
> URL: https://issues.apache.org/jira/browse/HBASE-25568
> Project: HBase
> Issue Type: Bug
> Components: Thrift
> Reporter: Pankaj Kumar
> Assignee: Pankaj Kumar
> Priority: Critical
> Fix For: 3.0.0-alpha-1, 2.2.7, 2.5.0, 2.3.5, 2.4.3
>
> There is potential DoS when processing untrusted Thrift payloads,
> https://seclists.org/oss-sec/2021/q1/140

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17309627#comment-17309627 ]

Hudson commented on HBASE-25568:

Results for branch branch-2
[build #210 on builds.a.o|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2/210/]:
(/) +1 overall

details (if available):

(/) +1 general checks
-- For more information [see general report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2/210/General_20Nightly_20Build_20Report/]

(/) +1 jdk8 hadoop2 checks
-- For more information [see jdk8 (hadoop2) report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2/210/JDK8_20Nightly_20Build_20Report_20_28Hadoop2_29/]

(/) +1 jdk8 hadoop3 checks
-- For more information [see jdk8 (hadoop3) report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2/210/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]

(/) +1 jdk11 hadoop3 checks
-- For more information [see jdk11 report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2/210/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]

(/) +1 source release artifact
-- See build output for details.

(/) +1 client integration test
[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17309150#comment-17309150 ]

Pankaj Kumar commented on HBASE-25568:

Pushed to branch-2.2+. Thanks everyone for the review.
[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17309093#comment-17309093 ]

Hudson commented on HBASE-25568:

Results for branch branch-2.4
[build #81 on builds.a.o|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.4/81/]:
(x) -1 overall

details (if available):

(/) +1 general checks
-- For more information [see general report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.4/81/General_20Nightly_20Build_20Report/]

(x) -1 jdk8 hadoop2 checks
-- For more information [see jdk8 (hadoop2) report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.4/81/JDK8_20Nightly_20Build_20Report_20_28Hadoop2_29/]

(/) +1 jdk8 hadoop3 checks
-- For more information [see jdk8 (hadoop3) report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.4/81/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]

(x) -1 jdk11 hadoop3 checks
-- For more information [see jdk11 report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.4/81/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]

(/) +1 source release artifact
-- See build output for details.

(/) +1 client integration test

> Upgrade Thrift jar to fix CVE-2020-13949
>
> Key: HBASE-25568
> URL: https://issues.apache.org/jira/browse/HBASE-25568
> Project: HBase
> Issue Type: Bug
> Components: Thrift
> Reporter: Pankaj Kumar
> Assignee: Pankaj Kumar
> Priority: Critical
> Fix For: 3.0.0-alpha-1, 2.2.7, 2.3.5, 2.4.3
>
> There is potential DoS when processing untrusted Thrift payloads,
> https://seclists.org/oss-sec/2021/q1/140
[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17308983#comment-17308983 ]

Hudson commented on HBASE-25568:

Results for branch branch-2.2
[build #196 on builds.a.o|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/196/]:
(x) -1 overall

details (if available):

(/) +1 general checks
-- For more information [see general report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/196//General_Nightly_Build_Report/]

(/) +1 jdk8 hadoop2 checks
-- For more information [see jdk8 (hadoop2) report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/196//JDK8_Nightly_Build_Report_(Hadoop2)/]

(/) +1 jdk8 hadoop3 checks
-- For more information [see jdk8 (hadoop3) report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/196//JDK8_Nightly_Build_Report_(Hadoop3)/]

(/) +1 source release artifact
-- See build output for details.

(x) -1 client integration test
-- Failed when running client tests on top of Hadoop 2. [see log for details|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/196//artifact/output-integration/hadoop-2.log]. (note that this means we didn't run on Hadoop 3)
[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17308955#comment-17308955 ]

Huaxiang Sun commented on HBASE-25568:

I need to temporarily resolve it to include it to 2.3.5 release.

> Upgrade Thrift jar to fix CVE-2020-13949
>
> Key: HBASE-25568
> URL: https://issues.apache.org/jira/browse/HBASE-25568
> Project: HBase
> Issue Type: Bug
> Components: Thrift
> Reporter: Pankaj Kumar
> Assignee: Pankaj Kumar
> Priority: Critical
> Fix For: 3.0.0-alpha-1, 2.2.7, 2.4.3, 2.3.6
>
> There is potential DoS when processing untrusted Thrift payloads,
> https://seclists.org/oss-sec/2021/q1/140
[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17308715#comment-17308715 ]

Hudson commented on HBASE-25568:

Results for branch branch-2.3
[build #192 on builds.a.o|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/192/]:
(x) -1 overall

details (if available):

(/) +1 general checks
-- For more information [see general report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/192/General_20Nightly_20Build_20Report/]

(/) +1 jdk8 hadoop2 checks
-- For more information [see jdk8 (hadoop2) report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/192/JDK8_20Nightly_20Build_20Report_20_28Hadoop2_29/]

(/) +1 jdk8 hadoop3 checks
-- For more information [see jdk8 (hadoop3) report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/192/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]

(x) -1 jdk11 hadoop3 checks
-- For more information [see jdk11 report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/192/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]

(/) +1 source release artifact
-- See build output for details.

(/) +1 client integration test
[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17307722#comment-17307722 ]

Pankaj Kumar commented on HBASE-25568:

We can upgrade thrift version in hbase-2.x branches as well, will raise PR soon.

> Upgrade Thrift jar to fix CVE-2020-13949
>
> Key: HBASE-25568
> URL: https://issues.apache.org/jira/browse/HBASE-25568
> Project: HBase
> Issue Type: Bug
> Components: Thrift
> Reporter: Pankaj Kumar
> Assignee: Pankaj Kumar
> Priority: Critical
> Fix For: 3.0.0-alpha-1
>
> There is potential DoS when processing untrusted Thrift payloads,
> https://seclists.org/oss-sec/2021/q1/140
[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17307719#comment-17307719 ]

Pankaj Kumar commented on HBASE-25568:

Sorry for the late response [~zhangduo].

Thrift 0.14.x APIs aren't backward compatible, but wire compatibility is working fine. I've verified ThriftServer (0.14.1) with Client (0.13.0), basic client operations (put, delete, get, scan, incr, checkAndMutate, append...) are working fine.
[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17305265#comment-17305265 ]

Duo Zhang commented on HBASE-25568:

What is incompatible? Wire or just dependency?

If former, I even do not think we should upgrade it for master branch. And for latter, I do not think downstream users need to depend on hbase-thrift module, so I think we could upgrade them on hbase-2.x too.

Thanks.
[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17304998#comment-17304998 ]

Norbert Kalmár commented on HBASE-25568:

2.3 (soon 2.4?) is the current stable branch, and there's a CVE on thrift version used in those versions, so I would say that's a plus towards backporting. And there's a good chance there will be further CVE reported for 0.13 IMHO.

But let's wait and see what the veterans think. This is my non-binding opinion.
[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17304970#comment-17304970 ]

Pankaj Kumar commented on HBASE-25568:

Thrift 0.14.x is backward incompatible, and there is no progress in Thrift community for 0.13 stream patch release.

Should we upgrade thrift version to 0.14.x in branch-2, branch-2.4 and branch-2.3?

WDYT [~apurtell] [~zhangduo] [~stack] [~nkalmar]
[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17304169#comment-17304169 ]

Norbert Kalmár commented on HBASE-25568:

This landed on master. Any plans on backporting to 2.4 and maybe 2.3?
[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17303271#comment-17303271 ]

Hudson commented on HBASE-25568:

Results for branch master
[build #238 on builds.a.o|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/master/238/]:
(x) -1 overall

details (if available):

(/) +1 general checks
-- For more information [see general report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/master/238/General_20Nightly_20Build_20Report/]

(x) -1 jdk8 hadoop3 checks
-- For more information [see jdk8 (hadoop3) report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/master/238/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]

(/) +1 jdk11 hadoop3 checks
-- For more information [see jdk11 report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/master/238/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]

(/) +1 source release artifact
-- See build output for details.

(/) +1 client integration test
[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17302451#comment-17302451 ]

Pankaj Kumar commented on HBASE-25568:

Pushed to master branch.

There is a discussion thread in Thrift community for 0.13 stream patch release,
https://lists.apache.org/thread.html/r1504886a550426d3c05772c47b1a6350c3235e51fd1fdffbec43e974@%3Cuser.thrift.apache.org%3E
[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17299156#comment-17299156 ]

Andrew Kyle Purtell commented on HBASE-25568:

[~pankajkumar] Please file a PR for master branch. We can cherry pick back from there I suspect.
[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17298854#comment-17298854 ]

Pankaj Kumar commented on HBASE-25568:

It may not be [~brahmareddy], also Thrift community released 0.14.1 version recently with some bug fixes and marked it as stable. However we need to test and ensure the stability.

[~apurtell] [~zhangduo] WDYT, how to proceed, should we upgrade first in master & branch-2 and then backport to other active branches?
[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17297356#comment-17297356 ]

Brahma Reddy Battula commented on HBASE-25568:

Thrift 0.14.0 will be stable enough as it's released recently..?
[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17293604#comment-17293604 ]

Chao Wang commented on HBASE-25568:

Thanks Pankaj, +1

> Upgrade Thrift jar to fix CVE-2020-13949
>
> Key: HBASE-25568
> URL: https://issues.apache.org/jira/browse/HBASE-25568
> Project: HBase
> Issue Type: Bug
> Components: Thrift
> Reporter: Pankaj Kumar
> Assignee: Pankaj Kumar
> Priority: Critical
>
> There is potential DoS when processing untrusted Thrift payloads,
> https://seclists.org/oss-sec/2021/q1/140
[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17285330#comment-17285330 ]

Pankaj Kumar commented on HBASE-25568:

Thanks [~apurtell]. will contact the dev@thrift to check the status.
[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949
[ https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17284894#comment-17284894 ]

Andrew Kyle Purtell commented on HBASE-25568:

The Thrift project hasn't completed a release > 0.13.0 yet. Contact dev@thrift to check the status.