hadoop-common-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Wei-Chiu Chuang <weic...@cloudera.com>
Subject Replacing Commons-httpclient and bumping httpclient version
Date Tue, 16 Feb 2016 17:20:20 GMT
Fellow Hadoop developers,

Hadoop codebase depends on commons-httpclient, and its latest version, 3.1.2, is EOL nearly
5 years ago. But because its API is not compatible with its successor, httpclient 4, the community
seem to have been reluctant to upgrade.
However, a lot of evidence indicates that commons-httpclient has a number of security vulnerabilities
which are never addressed, including CVE-2012-6153. To make Hadoop less susceptible to existing
and future vulnerabilities, we should seriously consider replacing commons-httpclient with
httpclient 4.x.

There are a few Hadoop JIRAs that have patches available to address that, but they really
need more attention to get them committed:
HADOOP-10105 <https://issues.apache.org/jira/browse/HADOOP-10105> (remove httpclient
dependency) is the umbrella JIRA for all. 
Other efforts includes HADOOP-11613 <https://issues.apache.org/jira/browse/HADOOP-11613>
(Remove httpclient dependency from hadoop-azure), HADOOP-11614 <https://issues.apache.org/jira/browse/HADOOP-11614>
(Remove httpclient dependency from hadoop-openstack), HADOOP-12710 <https://issues.apache.org/jira/browse/HADOOP-12710>
(Remove dependency on commons-httpclient for TestHttpServerLogs), HADOOP-12711 <https://issues.apache.org/jira/browse/HADOOP-12711>
(Remove dependency on commons-httpclient for ServletUtil). I’d also like to urge the community
to reject patches that imports commons-httpclient in the future.

Additionally, Hadoop trunk depends on httpclient 4.2.5, which is known to suffer from several
security vulnerabilities as well, including CVE-2012-6153, CVE-2011-4461, CVE-2014-3577, CVE-2015-5262.
HADOOP-12767 <https://issues.apache.org/jira/browse/HADOOP-12767> (update apache httpclient
version to the latest 4.5 for security) has a patch that bumps the version to 4.5.1. But I’d
like to ask the community whether we should do it or not, and the implication of bump the
latest version.

Best regards,
Wei-Chiu Chuang
A very happy Clouderan


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message