[HBASE-25755] Exclude tomcat-embed-core from libthrift - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 3.0.0-alpha-1, 2.2.7, 2.5.0, 2.3.5, 2.4.3
Fix Version/s: 3.0.0-alpha-1, 2.2.7, 2.5.0, 2.4.3, 2.3.6
Component/s: dependencies, Thrift
Labels:
None

Description

~~HBASE-25568~~ upgraded the Thrift dependency to 0.14.1 to fix a known CVE but a dependency issue in libthrift brings in tomcat-embed-core which has many vulnerabilities. See: ~~THRIFT-5375~~
Since this dependency is used in Thrift only for a test we can safely exclude it inside HBase.

Attachments

Issue Links

is related to

HBASE-25568 Upgrade Thrift jar to fix CVE-2020-13949

Resolved

links to

GitHub Pull Request #3141

Activity

People

Assignee:: Peter Somogyi

Reporter:: Peter Somogyi

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 09/Apr/21 17:35

Updated:: 15/Apr/21 22:07

Resolved:: 10/Apr/21 08:35