HBase / HBASE-28506

Remove hbase-compression-xz


Details

    • Incompatible change, Reviewed
    • Release Note:
      CVE-2024-3094 implicated recent releases of the native liblzma library as a vector for malicious code. While this does not include the LZMA algorithm implementation we use to support XZ compression in hbase-compression-xz, xz-java, how the backdoor was introduced calls into question the trustworthiness and viability of the XZ project. XZ compression provides little to no value over more modern alternatives, like ZStandard, that can also achieve similar compression ratios, and to our knowledge no HBase users of XZ compression exist.

      XZ compression support has been deprecated in 2.5 and removed in 2.6 and up.

    Description

      Refer to https://lists.apache.org/thread/on62z40rwotrcc8w1l5n55rd4zldho5g .

      Deprecate in 2.5.x, remove in 2.6.

      I will add a release note when resolving this issue.

            People

              apurtell Andrew Kyle Purtell