[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-04-15 Thread Hudson (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17322508#comment-17322508
 ] 

Hudson commented on HBASE-25568:


Results for branch branch-2.2
[build #205 on 
builds.a.o|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/205/]:
 (x) *{color:red}-1 overall{color}*

details (if available):

(/) {color:green}+1 general checks{color}
-- For more information [see general 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/205//General_Nightly_Build_Report/]




(x) {color:red}-1 jdk8 hadoop2 checks{color}
-- For more information [see jdk8 (hadoop2) 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/205//JDK8_Nightly_Build_Report_(Hadoop2)/]


(x) {color:red}-1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3) 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/205//JDK8_Nightly_Build_Report_(Hadoop3)/]


(/) {color:green}+1 source release artifact{color}
-- See build output for details.


(x) {color:red}-1 client integration test{color}
--Failed when running client tests on top of Hadoop 2. [see log for 
details|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/205//artifact/output-integration/hadoop-2.log].
 (note that this means we didn't run on Hadoop 3)


> Upgrade Thrift jar to fix CVE-2020-13949
> 
>
> Key: HBASE-25568
> URL: https://issues.apache.org/jira/browse/HBASE-25568
> Project: HBase
>  Issue Type: Bug
>  Components: Thrift
>Reporter: Pankaj Kumar
>Assignee: Pankaj Kumar
>Priority: Critical
> Fix For: 3.0.0-alpha-1, 2.2.7, 2.5.0, 2.3.5, 2.4.3
>
>
> There is potential DoS when processing untrusted Thrift payloads,
>   https://seclists.org/oss-sec/2021/q1/140



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-03-26 Thread Hudson (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17309627#comment-17309627
 ] 

Hudson commented on HBASE-25568:


Results for branch branch-2
[build #210 on 
builds.a.o|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2/210/]:
 (/) *{color:green}+1 overall{color}*

details (if available):

(/) {color:green}+1 general checks{color}
-- For more information [see general 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2/210/General_20Nightly_20Build_20Report/]




(/) {color:green}+1 jdk8 hadoop2 checks{color}
-- For more information [see jdk8 (hadoop2) 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2/210/JDK8_20Nightly_20Build_20Report_20_28Hadoop2_29/]


(/) {color:green}+1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3) 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2/210/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]


(/) {color:green}+1 jdk11 hadoop3 checks{color}
-- For more information [see jdk11 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2/210/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]


(/) {color:green}+1 source release artifact{color}
-- See build output for details.


(/) {color:green}+1 client integration test{color}




[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-03-25 Thread Pankaj Kumar (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17309150#comment-17309150
 ] 

Pankaj Kumar commented on HBASE-25568:
--

Pushed to branch-2.2+. Thanks everyone for the review.



[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-03-25 Thread Hudson (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17309093#comment-17309093
 ] 

Hudson commented on HBASE-25568:


Results for branch branch-2.4
[build #81 on 
builds.a.o|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.4/81/]:
 (x) *{color:red}-1 overall{color}*

details (if available):

(/) {color:green}+1 general checks{color}
-- For more information [see general 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.4/81/General_20Nightly_20Build_20Report/]




(x) {color:red}-1 jdk8 hadoop2 checks{color}
-- For more information [see jdk8 (hadoop2) 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.4/81/JDK8_20Nightly_20Build_20Report_20_28Hadoop2_29/]


(/) {color:green}+1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3) 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.4/81/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]


(x) {color:red}-1 jdk11 hadoop3 checks{color}
-- For more information [see jdk11 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.4/81/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]


(/) {color:green}+1 source release artifact{color}
-- See build output for details.


(/) {color:green}+1 client integration test{color}


> Upgrade Thrift jar to fix CVE-2020-13949
> 
>
> Key: HBASE-25568
> URL: https://issues.apache.org/jira/browse/HBASE-25568
> Project: HBase
>  Issue Type: Bug
>  Components: Thrift
>Reporter: Pankaj Kumar
>Assignee: Pankaj Kumar
>Priority: Critical
> Fix For: 3.0.0-alpha-1, 2.2.7, 2.3.5, 2.4.3
>
>
> There is potential DoS when processing untrusted Thrift payloads,
>   https://seclists.org/oss-sec/2021/q1/140





[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-03-25 Thread Hudson (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17308983#comment-17308983
 ] 

Hudson commented on HBASE-25568:


Results for branch branch-2.2
[build #196 on 
builds.a.o|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/196/]:
 (x) *{color:red}-1 overall{color}*

details (if available):

(/) {color:green}+1 general checks{color}
-- For more information [see general 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/196//General_Nightly_Build_Report/]




(/) {color:green}+1 jdk8 hadoop2 checks{color}
-- For more information [see jdk8 (hadoop2) 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/196//JDK8_Nightly_Build_Report_(Hadoop2)/]


(/) {color:green}+1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3) 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/196//JDK8_Nightly_Build_Report_(Hadoop3)/]


(/) {color:green}+1 source release artifact{color}
-- See build output for details.


(x) {color:red}-1 client integration test{color}
--Failed when running client tests on top of Hadoop 2. [see log for 
details|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/196//artifact/output-integration/hadoop-2.log].
 (note that this means we didn't run on Hadoop 3)




[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-03-25 Thread Huaxiang Sun (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17308955#comment-17308955
 ] 

Huaxiang Sun commented on HBASE-25568:
--

I need to temporarily resolve it to include it to 2.3.5 release.

> Upgrade Thrift jar to fix CVE-2020-13949
> 
>
> Key: HBASE-25568
> URL: https://issues.apache.org/jira/browse/HBASE-25568
> Project: HBase
>  Issue Type: Bug
>  Components: Thrift
>Reporter: Pankaj Kumar
>Assignee: Pankaj Kumar
>Priority: Critical
> Fix For: 3.0.0-alpha-1, 2.2.7, 2.4.3, 2.3.6
>
>
> There is potential DoS when processing untrusted Thrift payloads,
>   https://seclists.org/oss-sec/2021/q1/140





[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-03-25 Thread Hudson (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17308715#comment-17308715
 ] 

Hudson commented on HBASE-25568:


Results for branch branch-2.3
[build #192 on 
builds.a.o|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/192/]:
 (x) *{color:red}-1 overall{color}*

details (if available):

(/) {color:green}+1 general checks{color}
-- For more information [see general 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/192/General_20Nightly_20Build_20Report/]




(/) {color:green}+1 jdk8 hadoop2 checks{color}
-- For more information [see jdk8 (hadoop2) 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/192/JDK8_20Nightly_20Build_20Report_20_28Hadoop2_29/]


(/) {color:green}+1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3) 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/192/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]


(x) {color:red}-1 jdk11 hadoop3 checks{color}
-- For more information [see jdk11 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/192/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]


(/) {color:green}+1 source release artifact{color}
-- See build output for details.


(/) {color:green}+1 client integration test{color}




[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-03-24 Thread Pankaj Kumar (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17307722#comment-17307722
 ] 

Pankaj Kumar commented on HBASE-25568:
--

We can upgrade thrift version in hbase-2.x branches as well, will raise PR soon.

> Upgrade Thrift jar to fix CVE-2020-13949
> 
>
> Key: HBASE-25568
> URL: https://issues.apache.org/jira/browse/HBASE-25568
> Project: HBase
>  Issue Type: Bug
>  Components: Thrift
>Reporter: Pankaj Kumar
>Assignee: Pankaj Kumar
>Priority: Critical
> Fix For: 3.0.0-alpha-1
>
>
> There is potential DoS when processing untrusted Thrift payloads,
>   https://seclists.org/oss-sec/2021/q1/140





[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-03-24 Thread Pankaj Kumar (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17307719#comment-17307719
 ] 

Pankaj Kumar commented on HBASE-25568:
--

Sorry for the late response [~zhangduo].

Thrift 0.14.x APIs aren't backward compatible, but wire compatibility is 
working fine. I've verified ThriftServer(0.14.1) with Client(0.13.0), basic 
client operations (put, delete, get, scan, incr, checkAndMutate, append...) are 
working fine.



[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-03-19 Thread Duo Zhang (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17305265#comment-17305265
 ] 

Duo Zhang commented on HBASE-25568:
---

What is incompatible? Wire or just dependency? If former, I even do not think 
we should upgrade it for master branch. And for latter, I do not think 
downstream users need to depend on hbase-thrift module, so I think we could 
upgrade them on hbase-2.x too.

Thanks.



[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-03-19 Thread Jira


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17304998#comment-17304998
 ] 

Norbert Kalmár commented on HBASE-25568:


2.3 (soon 2.4?) is the current stable branch, and there's a CVE on thrift 
version used in those versions, so I would say that's a plus towards 
backporting. And there's a good chance there will be further CVE reported for 
0.13 IMHO.
But let's wait and see what the veterans think. This is my non-binding opinion.



[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-03-19 Thread Pankaj Kumar (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17304970#comment-17304970
 ] 

Pankaj Kumar commented on HBASE-25568:
--

Thrift 0.14.x is backward incompatible, and there is no progress in Thrift 
community for 0.13 stream patch release.

Should we upgrade thrift version to 0.14.x in branch-2, branch-2.4 and 
branch-2.3?  WDYT [~apurtell] [~zhangduo] [~stack][~nkalmar]



[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-03-18 Thread Jira


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17304169#comment-17304169
 ] 

Norbert Kalmár commented on HBASE-25568:


This landed on master. Any plans on backporting to 2.4 and maybe 2.3?



[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-03-17 Thread Hudson (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17303271#comment-17303271
 ] 

Hudson commented on HBASE-25568:


Results for branch master
[build #238 on 
builds.a.o|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/master/238/]:
 (x) *{color:red}-1 overall{color}*

details (if available):

(/) {color:green}+1 general checks{color}
-- For more information [see general 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/master/238/General_20Nightly_20Build_20Report/]






(x) {color:red}-1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3) 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/master/238/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]


(/) {color:green}+1 jdk11 hadoop3 checks{color}
-- For more information [see jdk11 
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/master/238/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]


(/) {color:green}+1 source release artifact{color}
-- See build output for details.


(/) {color:green}+1 client integration test{color}




[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-03-16 Thread Pankaj Kumar (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17302451#comment-17302451
 ] 

Pankaj Kumar commented on HBASE-25568:
--

Pushed to master branch. 

There is a discussion thread in Thrift community for 0.13 stream patch release, 
https://lists.apache.org/thread.html/r1504886a550426d3c05772c47b1a6350c3235e51fd1fdffbec43e974@%3Cuser.thrift.apache.org%3E



[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-03-10 Thread Andrew Kyle Purtell (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17299156#comment-17299156
 ] 

Andrew Kyle Purtell commented on HBASE-25568:
-

[~pankajkumar] Please file a PR for master branch. We can cherry pick back from 
there I suspect. 



[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-03-10 Thread Pankaj Kumar (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17298854#comment-17298854
 ] 

Pankaj Kumar commented on HBASE-25568:
--

It may not be [~brahmareddy], also Thrift community released 0.14.1 version 
recently with some bug fixes and marked it as stable. However we need to test 
and ensure the stability. 

[~apurtell] [~zhangduo]  WDYT, how to proceed, should we upgrade first in 
master & branch-2 and then backport to other active branches?



[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-03-08 Thread Brahma Reddy Battula (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17297356#comment-17297356
 ] 

Brahma Reddy Battula commented on HBASE-25568:
--

Thrift 0.14.0 will be stable enough as it's released recently..?



[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-03-02 Thread Chao Wang (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17293604#comment-17293604
 ] 

Chao Wang commented on HBASE-25568:
---

thanks pankaj , + 1

> Upgrade Thrift jar to fix CVE-2020-13949
> 
>
> Key: HBASE-25568
> URL: https://issues.apache.org/jira/browse/HBASE-25568
> Project: HBase
>  Issue Type: Bug
>  Components: Thrift
>Reporter: Pankaj Kumar
>Assignee: Pankaj Kumar
>Priority: Critical
>
> There is potential DoS when processing untrusted Thrift payloads,
>   https://seclists.org/oss-sec/2021/q1/140





[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-02-16 Thread Pankaj Kumar (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17285330#comment-17285330
 ] 

Pankaj Kumar commented on HBASE-25568:
--

Thanks [~apurtell]. Will contact the dev@thrift to check the status.



[jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949

2021-02-15 Thread Andrew Kyle Purtell (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-25568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17284894#comment-17284894
 ] 

Andrew Kyle Purtell commented on HBASE-25568:
-

The Thrift project hasn't completed a release > 0.13.0 yet. Contact dev@thrift 
to check the status.
