hive-dev mailing list archives

From Adam Roberts <AROBE...@uk.ibm.com>
Subject RE: Availability of Hive distribution with authorization fix
Date Mon, 15 Feb 2016 17:09:54 GMT
Hi, any update on this?

Copying my initial post from a week ago as I don't have the original email 
to reply to.

Are there plans to release Hive 1.2.2 with the authorization fix mentioned 
in www.openwall.com/lists/oss-security/2016/01/28/12?

The above CVE description mentions "This issue has already been patched in 
all Hive branches that are affected, and any future release will not need 
these mitigation steps."

I see the binaries were last updated on the 26th of June 2015 based on 
http://mvnrepository.com/artifact/org.apache.hive/hive-exec/1.2.1 and the 
Hive downloads page https://hive.apache.org/downloads.html, so AFAIK the 
binaries haven't been updated and therefore any project depending on Hive 
(e.g. Apache Spark which bundles classes from 1.2.1, which is impacted) 
will download and bundle the unpatched and vulnerable Hive code. 

I think I've found the right commit based on searching for "security" in 
Hive commits on branch 1.2.1 from the last four months; it's dated after the 
26th of June, hence my concern.

As updating the jar for 1.2.1 would add doubt over whether the fix is 
available in the jar or not, I think there should be a new minor release 
(let's say 1.2.2) to avoid this.

Cheers,

Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 
741598. 
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
