hadoop-common-issues mailing list archives

From "Vinod Kumar Vavilapalli (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12577) Bump up commons-collections version to 3.2.2 to address a security flaw
Date Thu, 19 Nov 2015 22:05:11 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15014481#comment-15014481 ]

Vinod Kumar Vavilapalli commented on HADOOP-12577:
--------------------------------------------------

Thanks for reporting this, [~jojochuang]!

I just read the link you shared (http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/). We are not actually using the InvokerTransformer library mentioned there in Hadoop. That leads me to believe that Hadoop is not affected by this vulnerability. Do you agree with that assessment?

I am okay upgrading the library version, but if it doesn't affect us directly, I'd like to
postpone this to our next minor release of 2.8.0 instead of forcing this into the maintenance
lines. What do you think?

> Bump up commons-collections version to 3.2.2 to address a security flaw
> -----------------------------------------------------------------------
>
>                 Key: HADOOP-12577
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12577
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: build, security
>    Affects Versions: 2.7.1, 2.6.2
>            Reporter: Wei-Chiu Chuang
>            Assignee: Wei-Chiu Chuang
>            Priority: Blocker
>         Attachments: HADOOP-12577.001.patch
>
>
> Update commons-collections from 3.2.1 to 3.2.2 because of a major security vulnerability. Many other open source projects use commons-collections and are also affected.
> Please see http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ for the discovery of the vulnerability.
> https://issues.apache.org/jira/browse/COLLECTIONS-580 has the discussion thread of the fix.
> https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread is the ASF response to the security vulnerability.
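An added audit script for the kind of check this discussion calls for (it is not from the JIRA thread or the Hadoop build): it scans `mvn dependency:tree` output, direct and transitive entries alike, for commons-collections artifacts older than the 3.2.2 fix, since the gadget classes only need to be on the classpath to matter. The sample tree and its coordinates are constructed; the 4.1 threshold for commons-collections4 is the corresponding fix version in that release line and is not mentioned in the thread.

```python
"""Audit `mvn dependency:tree` output for commons-collections builds that
predate the 3.2.2 fix discussed in HADOOP-12577 / COLLECTIONS-580."""
import re
from typing import List, Tuple

# Constructed sample output; not taken from the Hadoop build.
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0
[INFO] +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] +- org.apache.commons:commons-collections4:jar:4.1:compile
[INFO] \\- org.example:lib:jar:2.0:compile
[INFO]    \\- commons-collections:commons-collections:jar:3.2.2:compile
"""

# First release of each artifact that disables unsafe deserialization of
# the functor classes (InvokerTransformer and friends) by default.
FIXED_VERSIONS = {
    ("commons-collections", "commons-collections"): (3, 2, 2),
    ("org.apache.commons", "commons-collections4"): (4, 1, 0),
}

# group:artifact:jar:version:scope, as printed by the Maven dependency plugin
COORD_RE = re.compile(r"([\w.-]+):([\w.-]+):jar:([\w.-]+):(\w+)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.2.1' or '3.2.1-SNAPSHOT' into a comparable (major, minor, patch)."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def find_vulnerable(tree_text: str) -> List[Tuple[str, str, str]]:
    """Return (coordinate, version, scope) for every direct or transitive
    commons-collections entry that is below its fixed version."""
    hits = []
    for line in tree_text.splitlines():
        match = COORD_RE.search(line)
        if not match:
            continue
        group, artifact, version, scope = match.groups()
        fixed = FIXED_VERSIONS.get((group, artifact))
        if fixed and parse_version(version) < fixed:
            hits.append((f"{group}:{artifact}", version, scope))
    return hits
```

Run `find_vulnerable` over the captured output of `mvn dependency:tree` to list every module that still pulls in the old jar transitively.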



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
