hive-dev mailing list archives

From Adam Roberts <>
Subject Availability of Hive distribution with authorization fix
Date Mon, 08 Feb 2016 17:16:30 GMT
Hi, are there plans to release Hive 1.2.2 with the authorization fix 
mentioned in

The above CVE description mentions "This issue has already been patched in 
all Hive branches that are affected, and any future release will not need 
these mitigation steps."

I see the binaries were last updated on the 26th of June 2015 based on and the 
Hive downloads page, so AFAIK the 
binaries haven't been updated and therefore any project depending on Hive 
(e.g. Apache Spark which bundles classes from 1.2.1, which is impacted) 
will download and bundle the unpatched and vulnerable Hive code. 

I think I've found the right commit based on searching for "security" for 
Hive commits on branch 1.2.1 since four months ago; it's dated after the 
26th of June, hence my concern.

As updating the jar for 1.2.1 would add doubt over whether the fix is available 
in the jar or not, I think there should be a new minor release (let's say 
1.2.2) to avoid this.

