hbase-issues mailing list archives

From "Sean Busbey (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HBASE-15767) Upgrade httpclient dependency
Date Thu, 05 May 2016 20:56:12 GMT

     [ https://issues.apache.org/jira/browse/HBASE-15767?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sean Busbey updated HBASE-15767:
--------------------------------
      Resolution: Fixed
    Release Note: HBase now relies on version 4.3.6 of the Apache Commons HTTPClient library. Downstream users who are exposed to it via the HBase classpath will have to similarly update their dependency.
          Status: Resolved  (was: Patch Available)

+1, pushed to master. In the future please format patches according to the contributor guide
so that it's easier for reviewers to pull things in during review periods.

> Upgrade httpclient dependency
> -----------------------------
>
>                 Key: HBASE-15767
>                 URL: https://issues.apache.org/jira/browse/HBASE-15767
>             Project: HBase
>          Issue Type: Improvement
>          Components: build, dependencies
>            Reporter: Ted Yu
>            Assignee: Ted Yu
>             Fix For: 2.0.0
>
>         Attachments: 15767.v1.txt
>
>
> Currently commons-httpclient 3.1 is used.
> This is already end-of-life by apache.
> We should move to 4.3.6 or later.
> Details:
> https://issues.apache.org/jira/browse/HADOOP-12767
> https://issues.apache.org/jira/browse/HADOOP-10105
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : http/conn/ssl/SSLConnectionSocketFactory.java
> in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration
> setting during an SSL handshake, which allows remote attackers to cause a denial of service
> (HTTPS call hang) via unspecified vectors.
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783
> Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant
> Java SDK and other products, does not verify that the server hostname matches a domain name
> in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which
> allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
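The release note above puts the burden on downstream projects to find out whether the old HttpClient still reaches their classpath through HBase. The following is an added example, not code from the HBase project or this thread: a small checker that reads `mvn dependency:tree` output and flags the two cases named in the issue, the end-of-life `commons-httpclient:commons-httpclient` 3.x artifact (no hostname verification, CVE-2012-5783) and `org.apache.httpcomponents:httpclient` releases below 4.3.6 (SSL handshake timeout ignored, CVE-2015-5262). The tree text embedded below is constructed sample input, not the output of any real HBase build, and the 4.3.6 threshold is taken from the release note.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `mvn dependency:tree` output (not from a real build).
SAMPLE_TREE = """\
[INFO] org.example:downstream-app:jar:1.0-SNAPSHOT
[INFO] +- org.apache.hbase:hbase-client:jar:1.2.1:compile
[INFO] |  +- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] |  \\- org.apache.httpcomponents:httpclient:jar:4.2.5:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.3.6:compile
[INFO] \\- org.apache.httpcomponents:httpclient:jar:tests:4.5.2:test
"""

# Minimum 4.x release named in the HBASE-15767 release note (fixes CVE-2015-5262).
MIN_HTTPCLIENT_4: Tuple[int, ...] = (4, 3, 6)

# Maven coordinates at the end of a dependency:tree line:
#   groupId:artifactId:type[:classifier]:version:scope
COORD_RE = re.compile(
    r"([\w.\-]+):([\w.\-]+):([\w\-]+)(?::([\w.\-]+))?:([\w.\-]+):(\w+)\s*$"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.3.6' or '4.5.2-SNAPSHOT' into a comparable tuple such as (4, 3, 6).

    Only the leading numeric components are kept; qualifiers are dropped.
    """
    numbers: List[int] = []
    for part in re.split(r"[.\-]", version):
        if part.isdigit():
            numbers.append(int(part))
        else:
            break
    return tuple(numbers)


def find_vulnerable_httpclient(tree_output: str) -> List[Dict[str, str]]:
    """Return one finding per HttpClient artifact that the issue says must go."""
    findings: List[Dict[str, str]] = []
    for line in tree_output.splitlines():
        match = COORD_RE.search(line)
        if not match:
            continue  # root line or non-dependency output
        group, artifact, _type, _classifier, version, scope = match.groups()
        coordinate = f"{group}:{artifact}:{version}"

        if group == "commons-httpclient" and artifact == "commons-httpclient":
            findings.append({
                "coordinate": coordinate,
                "scope": scope,
                "reason": "commons-httpclient 3.x is end-of-life and does not "
                          "verify the server hostname (CVE-2012-5783)",
            })
        elif group == "org.apache.httpcomponents" and artifact == "httpclient":
            if parse_version(version) < MIN_HTTPCLIENT_4:
                findings.append({
                    "coordinate": coordinate,
                    "scope": scope,
                    "reason": "httpclient before 4.3.6 ignores http.socket.timeout "
                              "during the SSL handshake (CVE-2015-5262)",
                })
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable_httpclient(SAMPLE_TREE):
        print(f"{finding['coordinate']} ({finding['scope']}): {finding['reason']}")
```

Run it against real output with `mvn dependency:tree | python3 check_httpclient.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; a transitive `commons-httpclient:3.1` pulled in through an older HBase artifact is exactly the case the release note warns about, and the fix on the downstream side is a `dependencyManagement` override or exclusion rather than relying on nearest-wins resolution.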
