pig-dev mailing list archives

From "Nandor Kollar (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PIG-5302) Remove HttpClient dependency
Date Thu, 26 Oct 2017 14:07:00 GMT

    [ https://issues.apache.org/jira/browse/PIG-5302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16220472#comment-16220472 ]

Nandor Kollar commented on PIG-5302:
------------------------------------

[~rohini] it looks like commons-lang is pulled as a transitive dependency by avro-mapred.
Looks like Commons HttpClient 3.1 is not even used as a transitive dependency (see attached
Ivy report before applying my patch and removing these deps). What do you think, are these
dependencies safe to remove?

> Remove HttpClient dependency
> ----------------------------
>
>                 Key: PIG-5302
>                 URL: https://issues.apache.org/jira/browse/PIG-5302
>             Project: Pig
>          Issue Type: Bug
>            Reporter: Nandor Kollar
>            Assignee: Nandor Kollar
>         Attachments: PIG-5302_1.patch, PIG-5302_2.patch, ivy-report.css, org.apache.pig-pig-compile.html
>
>
> Pig depends on Apache Commons HttpClient 3.1, which is an old version with security problems
> ([CVE-2015-5262|https://cve.mitre.org/cgi-bin/cvename.cgi?name=%20CVE-2015-5262]).
> Also, Pig depends on Apache HttpComponents (it also needs an update to a newer version for
> a similar reason), which is the successor of HttpClient, thus we should remove the HttpClient
> dependency and update HttpComponents to 4.4+.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
