hive-dev mailing list archives

From Thejas Nair <>
Subject Re: Availability of Hive distribution with authorization fix
Date Wed, 17 Feb 2016 05:42:44 GMT
Hive 2.0.0 has been released with this fix.
For earlier released versions, the workaround of using the additional
hook is available, as described in the CVE.
There might be a 1.2.2 release, but I haven't seen active work or
discussions around that yet.

On Mon, Feb 15, 2016 at 9:09 AM, Adam Roberts <> wrote:
> Hi, any update on this?
> Copying my initial post from a week ago as I don't have the original email
> to reply to.
> Are there plans to release Hive 1.2.2 with the authorization fix mentioned
> in
> The above CVE description mentions "This issue has already been patched in
> all Hive branches that are affected, and any future release will not need
> these mitigation steps."
> I see the binaries were last updated on the 26th of June 2015 based on
> and the
> Hive downloads page, so AFAIK the
> binaries haven't been updated and therefore any project depending on Hive
> (e.g. Apache Spark which bundles classes from 1.2.1, which is impacted)
> will download and bundle the unpatched and vulnerable Hive code.
> I think I've found the right commit based on searching for "security" for
> Hive commits on branch 1.2.1 since four months ago; it's dated after the
> 26th of June and hence my concern.
> As updating the jar for 1.2.1 would add doubt over if the fix is available
> in the jar or not, I think there should be a new minor release (let's say
> 1.2.2) to avoid this.
> Cheers,
> Unless stated otherwise above:
> IBM United Kingdom Limited - Registered in England and Wales with number
> 741598.
> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
