spark-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Adam Roberts (JIRA)" <>
Subject [jira] [Commented] (SPARK-16769) httpclient classic dependency - potentially a patch required?
Date Thu, 28 Jul 2016 18:55:20 GMT


Adam Roberts commented on SPARK-16769:

Thanks, looking on Maven central I see the latest jets3t version is 0.9.4 so I've removed
the commons-httpclient dependency from both the main pom.xml and the hive pom.xml and I'm
building/testing now to see if anything breaks on master before trying the same on branch-1.6

This line in the main pom is indeed pulling in the bad jar 


and any jets3t 0.9.x version doesn't mention the commons-httpclient dependency

Pending anything breaking I'll create a JIRA and pull request to up the version and get rid
of the classic one - unless something is really dependent on 0.7.1 in which case we may have
some code to modify if the API changed

> httpclient classic dependency - potentially a patch required?
> -------------------------------------------------------------
>                 Key: SPARK-16769
>                 URL:
>             Project: Spark
>          Issue Type: Question
>          Components: Build
>    Affects Versions: 1.6.2, 2.0.0
>         Environment: All Spark versions, any environment
>            Reporter: Adam Roberts
> In our jars folder for Spark we provide a jar with a CVE
> This paper outlines the problem
> My question is: do we need to ship this version as well or is it only used for tests?
Is it a patched version? I plan to run without this dependency and if there are NoClassDefFound
problems I'll add <scope>test</scope> so we don't ship it (downloading it in the
first place is bad enough though)
> Note that this is valid for all versions, suggesting it be raised to a critical if Spark
functionality is depending on it because of what the pdf I've linked to mentions
> Here is the jar being included:
> ls $SPARK_HOME/jars | grep "httpclient"
> commons-httpclient-3.1.jar
> httpclient-4.5.2.jar
> The first jar potentially contains the security issue, could be a patched version, need
to verify. SHA1 sum for this jar is 964cd74171f427720480efdec40a7c7f6e58426a

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message