hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Thejas Nair <thejas.n...@gmail.com>
Subject Re: Availability of Hive distribution with authorization fix
Date Wed, 17 Feb 2016 05:42:44 GMT
Hive 2.0.0 has been released with this fix.
For earlier released versions, the workaround of using the additional
hook is available, as described in the CVE.
There might be a 1.2.2 release, but I haven't seen active work or
discussions around that yet.


On Mon, Feb 15, 2016 at 9:09 AM, Adam Roberts <AROBERTS@uk.ibm.com> wrote:
> Hi, any update on this?
>
> Copying my initial post from a week ago as I don't have the original email
> to reply to.
>
> Are there plans to release Hive 1.2.2 with the authorization fix mentioned
> in www.openwall.com/lists/oss-security/2016/01/28/12?
>
> The above CVE description mentions "This issue has already been patched in
> all Hive branches that are affected, and any future release will not need
> these mitigation steps."
>
> I see the binaries were last updated on the 26th of June 2015 based on
> http://mvnrepository.com/artifact/org.apache.hive/hive-exec/1.2.1 and the
> Hive downloads page https://hive.apache.org/downloads.html, so AFAIK the
> binaries haven't been updated and therefore any project depending on Hive
> (e.g. Apache Spark which bundles classes from 1.2.1, which is impacted)
> will download and bundle the unpatched and vulnerable Hive code.
>
> I think I've found the right commit based on searching for "security" for
> Hive commits on branch 1.2.1 since four months ago, it's dated after the
> 26th of June and hence my concern.
>
> As updating the jar for 1.2.1 would add doubt over if the fix is available
> in the jar or not, I think there should be a new minor release (let's say
> 1.2.2) to avoid this.
>
> Cheers,
>
> Unless stated otherwise above:
> IBM United Kingdom Limited - Registered in England and Wales with number
> 741598.
> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU

Mime
View raw message