[HBASE-21791] Upgrade thrift dependency to 0.12.0 - ASF JIRA

XML

Word

Printable

JSON

Type: Task
Status: Resolved
Priority: Blocker
Resolution: Fixed
Affects Version/s: 3.0.0-alpha-1, 1.5.0, 1.3.3, 2.2.0, 1.4.9, 2.1.2, 1.2.10, 2.0.4
Fix Version/s: 3.0.0-alpha-1, 1.5.0, 2.2.0, 2.1.3, 2.0.5, 2.3.0
Component/s: Thrift
Labels:
None

Hadoop Flags:

Reviewed
Release Note:

Hide
IMPORTANT: Due to security issues, all users who use hbase thrift should avoid using releases which do not have this fix.

The effect releases are:
2.1.x: 2.1.2 and below
2.0.x: 2.0.4 and below
1.x: 1.4.x and below

If you are using the effect releases above, please consider upgrading to a newer release ASAP.

Show
IMPORTANT: Due to security issues, all users who use hbase thrift should avoid using releases which do not have this fix. The effect releases are: 2.1.x: 2.1.2 and below 2.0.x: 2.0.4 and below 1.x: 1.4.x and below If you are using the effect releases above, please consider upgrading to a newer release ASAP.

As somebody have already known, that there is a CVE for thrift from 0.5.0 to 0.11.0.

As the CVE is already public, let's upgrade our thrift dependency and release new versions ASAP.

is related to

HBASE-24148 Upgrade Thrift to 0.13.0: 0.12.0 has outstanding CVEs.

relates to

HBASE-22058 upgrade thrift dependency to 0.9.3.1 on branches 1.4, 1.3 and 1.2