hadoop-common-issues mailing list archives

From "Mike Yoder (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12577) Bump up commons-collections version to 3.2.2 to address a security flaw
Date Thu, 19 Nov 2015 23:17:11 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15014713#comment-15014713 ]

Mike Yoder commented on HADOOP-12577:

You may well be correct that there is no vulnerability in hadoop - but in some sense that
almost does not matter. There are many corporate security departments that are going to raise
red flags about the presence of this library in the classpath. Explaining to them why you
think you're not vulnerable may or may not work, and it's hard to prove a negative. In my
experience it's easiest to just do the upgrade.

> Bump up commons-collections version to 3.2.2 to address a security flaw
> -----------------------------------------------------------------------
>                 Key: HADOOP-12577
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12577
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: build, security
>    Affects Versions: 2.7.1, 2.6.2
>            Reporter: Wei-Chiu Chuang
>            Assignee: Wei-Chiu Chuang
>            Priority: Blocker
>         Attachments: HADOOP-12577.001.patch
> Update commons-collections from 3.2.1 to 3.2.2 because of a major security vulnerability.
> There are many other open source projects that use commons-collections and are also affected.
> Please see http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> for the discovery of the vulnerability.
> https://issues.apache.org/jira/browse/COLLECTIONS-580 has the discussion thread of the
> https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread The
> ASF response to the security vulnerability.

This message was sent by Atlassian JIRA
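The comment above argues that the practical question is whether a commons-collections jar older than 3.2.2 is on the classpath at all, since the issue bumps 3.2.1 to 3.2.2. The script below is an added example (not code from this thread or from the Hadoop project) that answers that question for two common inputs: a Java classpath string and the output of `mvn dependency:list`. It assumes the jar is named `commons-collections-<version>.jar` and that Maven prints the artifact as `commons-collections:commons-collections:jar:<version>:<scope>`; the sample classpath and Maven lines are constructed for the example.

```python
import re

# Versions below this are reported, matching the upgrade in HADOOP-12577.
FIXED_VERSION = (3, 2, 2)

# Jar file name convention assumed for the 3.x artifact (commons-collections4
# ships under a different artifact name and is deliberately not matched here).
JAR_RE = re.compile(r"^commons-collections-(\d+(?:\.\d+)*)\.jar$")

# Assumed format of an `mvn dependency:list` line for the same artifact.
MAVEN_RE = re.compile(r"commons-collections:commons-collections:jar:(\d+(?:\.\d+)*):")


def parse_version(text):
    """Turn '3.2.1' into (3, 2, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def is_outdated(version):
    """True when the version is older than the fixed release 3.2.2."""
    return parse_version(version) < FIXED_VERSION


def scan_classpath(classpath, sep=":"):
    """Return (entry, version) for every commons-collections jar older than 3.2.2."""
    findings = []
    for entry in classpath.split(sep):
        if not entry:
            continue
        name = entry.rsplit("/", 1)[-1]
        match = JAR_RE.match(name)
        if match and is_outdated(match.group(1)):
            findings.append((entry, match.group(1)))
    return findings


def scan_maven_list(output):
    """Return the outdated commons-collections versions found in `mvn dependency:list` output."""
    findings = []
    for line in output.splitlines():
        match = MAVEN_RE.search(line)
        if match and is_outdated(match.group(1)):
            findings.append(match.group(1))
    return findings


# Constructed sample inputs: one outdated jar, one fixed jar, one unrelated 4.x jar.
SAMPLE_CLASSPATH = (
    "lib/hadoop-common-2.7.1.jar:"
    "lib/commons-collections-3.2.1.jar:"
    "/opt/app/lib/commons-collections-3.2.2.jar:"
    "lib/commons-collections4-4.1.jar"
)

SAMPLE_MAVEN_OUTPUT = """[INFO] The following files have been resolved:
[INFO]    commons-collections:commons-collections:jar:3.2.1:compile
[INFO]    org.apache.commons:commons-collections4:jar:4.1:compile
[INFO]    commons-collections:commons-collections:jar:3.2.2:test
"""


if __name__ == "__main__":
    for entry, version in scan_classpath(SAMPLE_CLASSPATH):
        print(f"classpath: {entry} is commons-collections {version} (< 3.2.2)")
    for version in scan_maven_list(SAMPLE_MAVEN_OUTPUT):
        print(f"maven: commons-collections {version} (< 3.2.2)")
```

Comparing parsed tuples rather than strings matters here: a plain string comparison would rank "3.10" below "3.2.2". Pointing the script at a real `$CLASSPATH` or a saved `mvn dependency:list` run gives the same presence check a security review would ask for.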
