From Wei-Chiu Chuang <weic...@cloudera.com>
Subject Re: Replacing Commons-httpclient and bumping httpclient version
Date Fri, 19 Feb 2016 19:46:47 GMT
Thanks everyone for the feedback and attention to the related patches for replacing commons-httpclient.

The second part of my question is how do people feel about bumping httpclient version? httpclient
4.2.5 used by current Hadoop also has a few security vulnerabilities. Fortunately in this
case, we can easily bump its version to address the security vulnerabilities.
This refers to HADOOP-12767 <https://issues.apache.org/jira/browse/HADOOP-12767> (update
apache httpclient version to the latest 4.5 for security).

Thanks again,
Wei-Chiu Chuang
A very happy Clouderan

> On Feb 18, 2016, at 6:50 PM, Brahma Reddy Battula <brahmareddy.battula@huawei.com> wrote:
> 
> Thanks Wei-Chiu Chuang for initiating discussion here.
> 
> I'm +1 too to clean up dependency on commons-httpclient.
> 
> -----Original Message-----
> From: Masatake Iwasaki [mailto:iwasakims@oss.nttdata.co.jp] 
> Sent: 17 February 2016 22:52
> To: common-dev@hadoop.apache.org
> Subject: Re: Replacing Commons-httpclient and bumping httpclient version
> 
> Thanks for the suggestion, Wei-Chiu Chuang.
> 
> I'm +1 too to clean up dependency on commons-httpclient.
> 
> Your suggestion reminded me of HADOOP-12552 which seems to depend on HADOOP-12710 and HADOOP-12711 now.
> I will revisit it.
> 
> Masatake Iwasaki
> 
> On 2/17/16 03:59, Colin P. McCabe wrote:
>> +1 for updating the dependencies in trunk.
>> 
>> best,
>> Colin
>> 
>> On Tue, Feb 16, 2016 at 9:20 AM, Wei-Chiu Chuang <weichiu@cloudera.com> wrote:
>>> Fellow Hadoop developers,
>>> 
>>> Hadoop codebase depends on commons-httpclient, and its latest version, 3.1.2, went EOL nearly 5 years ago. But because its API is not compatible with its successor, httpclient 4, the community seems to have been reluctant to upgrade.
>>> However, a lot of evidence indicates that commons-httpclient has a number of security vulnerabilities which are never addressed, including CVE-2012-6153. To make Hadoop less susceptible to existing and future vulnerabilities, we should seriously consider replacing commons-httpclient with httpclient 4.x.
>>> 
>>> There are a few Hadoop JIRAs that have patches available to address that, but they really need more attention to get them committed:
>>> HADOOP-10105 <https://issues.apache.org/jira/browse/HADOOP-10105> (remove httpclient dependency) is the umbrella JIRA for all.
>>> Other efforts include HADOOP-11613 <https://issues.apache.org/jira/browse/HADOOP-11613> (Remove httpclient dependency from hadoop-azure), HADOOP-11614 <https://issues.apache.org/jira/browse/HADOOP-11614> (Remove httpclient dependency from hadoop-openstack), HADOOP-12710 <https://issues.apache.org/jira/browse/HADOOP-12710> (Remove dependency on commons-httpclient for TestHttpServerLogs), HADOOP-12711 <https://issues.apache.org/jira/browse/HADOOP-12711> (Remove dependency on commons-httpclient for ServletUtil). I'd also like to urge the community to reject patches that import commons-httpclient in the future.
>>> 
>>> Additionally, Hadoop trunk depends on httpclient 4.2.5, which is known to suffer from several security vulnerabilities as well, including CVE-2012-6153, CVE-2011-4461, CVE-2014-3577, CVE-2015-5262. HADOOP-12767 <https://issues.apache.org/jira/browse/HADOOP-12767> (update apache httpclient version to the latest 4.5 for security) has a patch that bumps the version to 4.5.1. But I'd like to ask the community whether we should do it or not, and the implications of bumping to the latest version.
>>> 
>>> Best regards,
>>> Wei-Chiu Chuang
>>> A very happy Clouderan
>>> 
> 
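The thread asks for two things a build should enforce: no remaining dependency on the EOL commons-httpclient artifact, and org.apache.httpcomponents:httpclient pinned at 4.5.1 or newer (the version HADOOP-12767 proposes). The script below is an added example, not code from the thread or from the Hadoop project: it parses a Maven pom.xml, resolves `${...}` version properties, and reports both conditions. The pom documents embedded in it are constructed for illustration and are not Hadoop's own poms; the 4.5.1 threshold and the artifact coordinates are the only values taken from the discussion.

```python
"""Audit a Maven pom.xml for the HTTP client dependencies discussed in the thread.

Added example (not from the Hadoop project). Flags:
  * any dependency on the EOL commons-httpclient artifact
  * org.apache.httpcomponents:httpclient older than 4.5.1
"""
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
MIN_HTTPCLIENT = (4, 5, 1)  # version HADOOP-12767 bumps to

# Constructed sample: the "before" state, with the version behind a property.
VULNERABLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo-module</artifactId><version>0.1</version>
  <properties><httpclient.version>4.2.5</httpclient.version></properties>
  <dependencies>
    <dependency>
      <groupId>commons-httpclient</groupId>
      <artifactId>commons-httpclient</artifactId>
      <version>3.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
      <version>${httpclient.version}</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed sample: the "after" state, commons-httpclient removed and 4.5.1 pinned.
HARDENED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo-module</artifactId><version>0.1</version>
  <properties><httpclient.version>4.5.1</httpclient.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
      <version>${httpclient.version}</version>
    </dependency>
  </dependencies>
</project>"""


def parse_version(text):
    """Turn '4.5.1' or '4.2.5-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def resolve_placeholders(value, props):
    """Substitute ${name} with the matching <properties> entry; unknown names are left as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def audit_pom(pom_xml):
    """Return a list of (coordinate, version, reason) findings for the given pom text."""
    root = ET.fromstring(pom_xml)
    props = {}
    for prop in root.findall("m:properties/*", POM_NS):
        props[prop.tag.split("}")[-1]] = (prop.text or "").strip()

    findings = []
    for dep in root.findall(".//m:dependency", POM_NS):
        group = dep.findtext("m:groupId", default="", namespaces=POM_NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=POM_NS).strip()
        raw = dep.findtext("m:version", default="", namespaces=POM_NS).strip()
        version = resolve_placeholders(raw, props)
        coord = f"{group}:{artifact}"
        if group == "commons-httpclient":
            findings.append((coord, version,
                             "EOL artifact; replace with org.apache.httpcomponents:httpclient 4.x"))
        elif coord == "org.apache.httpcomponents:httpclient" and parse_version(version) < MIN_HTTPCLIENT:
            findings.append((coord, version, "older than 4.5.1 (see HADOOP-12767)"))
    return findings


if __name__ == "__main__":
    for label, pom in (("vulnerable", VULNERABLE_POM), ("hardened", HARDENED_POM)):
        print(f"[{label}]")
        for coord, version, reason in audit_pom(pom) or [("-", "-", "no findings")]:
            print(f"  {coord} {version}: {reason}")
```

Run against a real tree with `mvn help:effective-pom` output rather than a raw module pom, so inherited `dependencyManagement` versions and parent properties are already resolved; the placeholder resolution here only covers properties declared in the same file.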

