hbase-issues mailing list archives

From "Nick Dimiduk (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HBASE-16317) revert all ESAPI changes
Date Thu, 04 Aug 2016 03:51:20 GMT

     [ https://issues.apache.org/jira/browse/HBASE-16317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Dimiduk updated HBASE-16317:
---------------------------------
    Release Note: This issue reverts fixes designed to prevent malicious content from rendering
in HBase's UIs. Specifically, these changes shipped in 1.1.4+ and 1.2.0+. They were removed
due to licensing issues discovered in the dependencies they introduced. Their implementation
and those dependencies have been removed from HBase! Removal of these dependencies is against
the strict definition of our version compatibility guidelines. However, inclusion of non-Apache
approved licenses cannot be tolerated. Implementation of these fixes using an Apache-appropriate
means is tracked in HBASE-16328.  (was: This issue reverts fixes designed to prevent malicious
content from rendering in HBase's UIs. Specifically, these changes shipped in 1.1.4+ and 1.2.0+.
They were removed due to licensing issues discovered in the dependencies they introduced.
Their implementation and those dependencies have been removed from HBase! Removal of these
dependencies is against the strict definition of our version compatibility guidelines, however,
inclusion of non-Apache approved licenses cannot be tolerated. Implementation of these fixes
using an Apache-appropriate means is tracked in HBASE-16328.)

> revert all ESAPI changes
> ------------------------
>
>                 Key: HBASE-16317
>                 URL: https://issues.apache.org/jira/browse/HBASE-16317
>             Project: HBase
>          Issue Type: Sub-task
>          Components: dependencies, security
>            Reporter: Sean Busbey
>            Assignee: Nick Dimiduk
>            Priority: Blocker
>             Fix For: 2.0.0, 1.3.0, 1.4.0, 1.1.6, 1.2.3
>
>         Attachments: HBASE-16317.v00.branch-1.1.patch, HBASE-16317.v00.branch-1.2.patch, HBASE-16317.v00.branch-1.3.patch, HBASE-16317.v00.branch-1.patch, HBASE-16317.v00.master.patch
>
>
> to unblock releases, we'll start cleaning up the category-x problem by reverting all the ESAPI changes.
> we should try to include a release note with what this means we'll be vulnerable to.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
