[jira] [Commented] (SPARK-16769) httpclient classic dependency - potentially a patch required?

Fri, 29 Jul 2016 09:47:59 -0700 

    [ 
https://issues.apache.org/jira/browse/SPARK-16769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15399654#comment-15399654
 ] 

Marcelo Vanzin commented on SPARK-16769:
----------------------------------------

I'm not sure either... it's probably baggage from Hive that wasn't properly 
investigated / cleaned up.

A quick "git grep" on the Hive source repo shows that the http client lib is 
used by tests and by the jdbc driver code, so Spark shouldn't need it.

[~steve_l] made most of the recent changes to Spark's hive pom, maybe he can 
recall why the http client dependency is explicitly listed?

> httpclient classic dependency - potentially a patch required?
> -------------------------------------------------------------
>
>                 Key: SPARK-16769
>                 URL: https://issues.apache.org/jira/browse/SPARK-16769
>             Project: Spark
>          Issue Type: Improvement
>          Components: Build
>    Affects Versions: 1.6.2, 2.0.0
>         Environment: All Spark versions, any environment
>            Reporter: Adam Roberts
>            Priority: Minor
>
> In our jars folder for Spark we provide a jar with a CVE 
> https://www.versioneye.com/java/commons-httpclient:commons-httpclient/3.1. 
> CVE-2012-5783
> This paper outlines the problem
> www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
> My question is: do we need to ship this version as well or is it only used 
> for tests? Is it a patched version? I plan to run without this dependency and 
> if there are NoClassDefFound problems I'll add <scope>test</scope> so we 
> don't ship it (downloading it in the first place is bad enough though)
> Note that this is valid for all versions, suggesting it be raised to a 
> critical if Spark functionality is depending on it because of what the pdf 
> I've linked to mentions
> Here is the jar being included:
> ls $SPARK_HOME/jars | grep "httpclient"
> commons-httpclient-3.1.jar
> httpclient-4.5.2.jar
> The first jar potentially contains the security issue, could be a patched 
> version, need to verify. SHA1 sum for this jar is 
> 964cd74171f427720480efdec40a7c7f6e58426a



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org

Reply via email to