hbase-issues mailing list archives

From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
Date Wed, 10 Aug 2016 18:16:20 GMT

    [ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15415702#comment-15415702 ]

Josh Elser commented on HBASE-16267:
------------------------------------

bq. If security vulnerability, what's difference if included explicitly or implicitly?

Is the vulnerability in the client itself, so by not using the older client, we're safe at
runtime? Do you have the CVE handy, [~tedyu]? It would be good for us to be able to point
to the issue where we addressed the CVE (since security orgs are going to be approaching it that
way). This would also help in our understanding here in HBase-land on the scope of the issue.

> Remove commons-httpclient dependency from hbase-rest module
> -----------------------------------------------------------
>
>                 Key: HBASE-16267
>                 URL: https://issues.apache.org/jira/browse/HBASE-16267
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ted Yu
>            Assignee: Ted Yu
>            Priority: Critical
>             Fix For: 2.0.0
>
>         Attachments: 16267.v10.txt, 16267.v11.txt, 16267.v12.txt, 16267.v13.txt, 16267.v14.txt, 16267.v2.txt, 16267.v4.txt, 16267.v6.txt, 16267.v8.txt, 16267.v9.txt
>
>
> hbase-rest module still has imports from org.apache.commons.httpclient .
> There is more work to be done after HBASE-15767 was integrated.
> In master branch, there seems to be transitive dependency which allows the code to compile:
> {code}
> [INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
> [INFO] |  +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
> [INFO] |  +- commons-cli:commons-cli:jar:1.2:compile
> [INFO] |  +- org.apache.commons:commons-math3:jar:3.1.1:compile
> [INFO] |  +- xmlenc:xmlenc:jar:0.52:compile
> [INFO] |  +- commons-httpclient:commons-httpclient:jar:3.1:compile
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
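
The explicit-versus-implicit question above comes down to which direct dependency brings commons-httpclient onto the classpath. The following is an added example, not part of the original message or of HBase's code: it parses `mvn dependency:tree` text output and reports every chain that leads to a given artifact. The module root line in the sample is constructed, and the function names are hypothetical.

```python
import re

# One artifact line of `mvn dependency:tree` text output: optional "[INFO] "
# prefix, 3-character indent units, an optional "+- " or "\- " marker, coordinates.
LINE = re.compile(
    r"^(?:\[INFO\] )?(?P<indent>(?:[| ]  )*)(?P<marker>[+\\]- )?(?P<coords>\S+:\S+)$")

def parse_tree(text):
    """Yield (depth, coords) per artifact line; depth 0 is the module itself."""
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if m:  # banner and summary lines do not match and are skipped
            depth = len(m.group("indent")) // 3 + (1 if m.group("marker") else 0)
            yield depth, m.group("coords")

def paths_to(text, group_artifact):
    """Return every chain (module -> ... -> match) that pulls in group_artifact."""
    stack, hits = [], []
    for depth, coords in parse_tree(text):
        del stack[depth:]  # drop the previous sibling and anything deeper
        stack.append(coords)
        if coords.startswith(group_artifact + ":"):
            hits.append(list(stack))
    return hits

def is_direct(path):
    """A direct (explicit) dependency sits one level below the module."""
    return len(path) == 2

# Tree lines as quoted in the issue description; the first (module) line is
# constructed for this example.
SAMPLE = r"""[INFO] org.apache.hbase:hbase-rest:jar:2.0.0-SNAPSHOT
[INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
[INFO] |  +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
[INFO] |  +- commons-cli:commons-cli:jar:1.2:compile
[INFO] |  +- org.apache.commons:commons-math3:jar:3.1.1:compile
[INFO] |  +- xmlenc:xmlenc:jar:0.52:compile
[INFO] |  +- commons-httpclient:commons-httpclient:jar:3.1:compile
"""

if __name__ == "__main__":
    for path in paths_to(SAMPLE, "commons-httpclient:commons-httpclient"):
        kind = "direct" if is_direct(path) else "transitive"
        print(kind + ": " + " -> ".join(path))
```

A transitive result means the jar remains on the classpath through the parent dependency even after the module's own imports are removed.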
