hbase-issues mailing list archives

From "stack (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
Date Wed, 10 Aug 2016 21:42:20 GMT

    [ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15416067#comment-15416067

stack commented on HBASE-16267:

+1 on patch. Fix the release note. Doesn't make mention of why and doesn't make sense as written
(what is the 'it' referred to). You want to hoist the CVE up into the release note? That'd
help folks trying to figure why this issue. Thanks.

> Remove commons-httpclient dependency from hbase-rest module
> -----------------------------------------------------------
>                 Key: HBASE-16267
>                 URL: https://issues.apache.org/jira/browse/HBASE-16267
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ted Yu
>            Assignee: Ted Yu
>            Priority: Critical
>             Fix For: 2.0.0
>         Attachments: 16267.v10.txt, 16267.v11.txt, 16267.v12.txt, 16267.v13.txt, 16267.v14.txt,
> 16267.v15.txt, 16267.v2.txt, 16267.v4.txt, 16267.v6.txt, 16267.v8.txt, 16267.v9.txt
> hbase-rest module still has imports from org.apache.commons.httpclient .
> There is more work to be done after HBASE-15767 was integrated.
> In master branch, there seems to be transitive dependency which allows the code to compile:
> {code}
> [INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
> [INFO] |  +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
> [INFO] |  +- commons-cli:commons-cli:jar:1.2:compile
> [INFO] |  +- org.apache.commons:commons-math3:jar:3.1.1:compile
> [INFO] |  +- xmlenc:xmlenc:jar:0.52:compile
> [INFO] |  +- commons-httpclient:commons-httpclient:jar:3.1:compile
> {code}
> HADOOP-12767
> to move the uses of httpclient HADOOP-10105
>     https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : http/conn/ssl/SSLConnectionSocketFactory.java
> in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration
> setting during an SSL handshake, which allows remote attackers to cause a denial of service
> (HTTPS call hang) via unspecified vectors.
>     https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153
>     https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783
>     Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS)
> merchant Java SDK and other products, does not verify that the server hostname matches a domain
> name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which
> allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

This message was sent by Atlassian JIRA
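The issue above describes the classic supply-chain trap behind this patch: hbase-rest no longer declares commons-httpclient 3.x, yet the code keeps compiling because hadoop-common drags the vulnerable artifact in transitively, so the CVE-2012-5783 hostname-verification gap stays reachable. The script below is an added example, not code from the HBase project or from anyone in this thread. It implements the two checks a reviewer would want before closing such an issue: walk `mvn dependency:tree` output and print the full chain to every banned artifact version, and grep the sources for `org.apache.commons.httpclient` imports. The sample tree and sample Java files are constructed for the demo (the root coordinate, the `\-` child and the 4.5.2 httpclient entry are assumptions; the hadoop-common subtree mirrors the lines quoted in the issue).

```shell
#!/bin/sh
# Added example (not HBase project code). Two checks for a module that only
# compiles because commons-httpclient 3.x arrives as a transitive dependency.
#
#   find_banned_deps          reads `mvn dependency:tree` output on stdin, prints
#                             root -> ... -> artifact for every GROUP:ARTIFACT whose
#                             version matches VERSION_RE, exits 1 if any were found
#   find_httpclient3_imports  lists org.apache.commons.httpclient imports in a source tree

find_banned_deps() {
  # $1 = groupId:artifactId to ban, $2 = awk regex for versions considered vulnerable
  awk -v ga="$1" -v vers="$2" '
    /^\[INFO\] / {
      line = substr($0, 8)
      # A tree line is <prefix><coordinate>. The prefix is built from 3-char cells
      # ("|  ", "   ", "+- ", "\- "), so length(prefix) / 3 is the nesting depth.
      n = match(line, /[A-Za-z0-9._-]+:[A-Za-z0-9._-]+:/)
      if (n == 0) next
      prefix = substr(line, 1, n - 1)
      if (prefix !~ /^([| ]  |[+\\]- )*$/) next   # skips "--- plugin ---" and other [INFO] noise
      coord = substr(line, n)
      depth = length(prefix) / 3
      path[depth] = coord                          # remember the ancestor at this depth
      nf = split(coord, f, ":")
      ver = (nf >= 6) ? f[5] : f[4]                # 6 fields when a classifier is present
      if (f[1] ":" f[2] == ga && ver ~ vers) {
        chain = path[0]
        for (d = 1; d <= depth; d++) chain = chain " -> " path[d]
        print chain
        found = 1
      }
    }
    END { if (found) exit 1 }'
}

find_httpclient3_imports() {
  # $1 = source root; prints file:line:import for every commons-httpclient 3.x import
  grep -rn --include='*.java' -E '^import[[:space:]]+org\.apache\.commons\.httpclient\.' "$1"
}

# Constructed sample tree: the hadoop-common subtree is taken from the issue text,
# the root coordinate and the remaining entries are assumed for the demo.
SAMPLE_TREE='[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hbase-rest ---
[INFO] org.apache.hbase:hbase-rest:jar:2.0.0-SNAPSHOT
[INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
[INFO] |  +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
[INFO] |  +- commons-cli:commons-cli:jar:1.2:compile
[INFO] |  \- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] \- org.apache.httpcomponents:httpclient:jar:4.5.2:compile'

make_sample_sources() {
  # Constructed sample sources (not HBase code): one file still on 3.x, one migrated to 4.x.
  mkdir -p "$1/rest"
  cat > "$1/rest/LegacyClient.java" <<'EOF'
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
public class LegacyClient {}
EOF
  cat > "$1/rest/MigratedClient.java" <<'EOF'
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
public class MigratedClient {}
EOF
}

# Demo run on the constructed inputs; in a real module pipe `mvn dependency:tree` instead.
if printf '%s\n' "$SAMPLE_TREE" | find_banned_deps commons-httpclient:commons-httpclient '^3[.]'; then
  echo "dependency tree: no commons-httpclient 3.x reachable"
else
  echo "dependency tree: commons-httpclient 3.x still reachable (chain above)" >&2
fi

srcdir=$(mktemp -d)
make_sample_sources "$srcdir"
if find_httpclient3_imports "$srcdir"; then
  echo "sources: commons-httpclient 3.x imports remain (listed above)" >&2
else
  echo "sources: no commons-httpclient 3.x imports"
fi
rm -rf "$srcdir"
```

The chain output is what matters for a fix like this one: it tells you which declared dependency to exclude (here hadoop-common) rather than just that the banned jar is on the classpath. Once the tree is clean, the same rule can be made permanent with the maven-enforcer bannedDependencies rule so the artifact cannot creep back through a future Hadoop upgrade.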
