[ https://issues.apache.org/jira/browse/OOZIE-2538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15411438#comment-15411438 ]
Hadoop QA commented on OOZIE-2538:
----------------------------------

Testing JIRA OOZIE-2538

Cleaning local git workspace

----------------------------

{color:green}+1 PATCH_APPLIES{color}
{color:green}+1 CLEAN{color}
{color:red}-1 RAW_PATCH_ANALYSIS{color}
.    {color:green}+1{color} the patch does not introduce any @author tags
.    {color:green}+1{color} the patch does not introduce any tabs
.    {color:green}+1{color} the patch does not introduce any trailing spaces
.    {color:green}+1{color} the patch does not introduce any line longer than 132
.    {color:red}-1{color} the patch does not add/modify any testcase
{color:green}+1 RAT{color}
.    {color:green}+1{color} the patch does not seem to introduce new RAT warnings
{color:green}+1 JAVADOC{color}
.    {color:green}+1{color} the patch does not seem to introduce new Javadoc warnings
{color:green}+1 COMPILE{color}
.    {color:green}+1{color} HEAD compiles
.    {color:green}+1{color} patch compiles
.    {color:green}+1{color} the patch does not seem to introduce new javac warnings
{color:green}+1 BACKWARDS_COMPATIBILITY{color}
.    {color:green}+1{color} the patch does not change any JPA Entity/Colum/Basic/Lob/Transient annotations
.    {color:green}+1{color} the patch does not modify JPA files
{color:red}-1 TESTS{color}
.    Tests run: 1792
.    Tests failed: 2
.    Tests errors: 0

.    The patch failed the following testcases:

.      testCoordStatus_Killed(org.apache.oozie.command.coord.TestCoordChangeXCommand)
.      testMessage_withMixedStatus(org.apache.oozie.command.coord.TestAbandonedCoordChecker)

{color:green}+1 DISTRO{color}
.    {color:green}+1{color} distro tarball builds with the patch

----------------------------
{color:red}*-1 Overall result, please check the reported -1(s)*{color}

The full output of the test-patch run is available at

.   https://builds.apache.org/job/oozie-trunk-precommit-build/3205/

> Update HttpClient versions to close security vulnerabilities
> ------------------------------------------------------------
>
> Key: OOZIE-2538
> URL: https://issues.apache.org/jira/browse/OOZIE-2538
> Project: Oozie
> Issue Type: Bug
> Components: core
> Reporter: abhishek bafna
> Assignee: abhishek bafna
> Fix For: 4.3.0
>
> Attachments: OOZIE-2538-01.patch, OOZIE-2538.patch
>
>
> We learned that
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 :
> http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents
> HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting
> during an SSL handshake, which allows remote attackers to cause a denial of
> service (HTTPS call hang) via unspecified vectors.
> Also, Commons HttpClient project is now end of life, and is no longer being
> developed. It has been replaced by the Apache HttpComponents project in its
> HttpClient and HttpCore modules, which offer better performance and more
> flexibility. http://hc.apache.org/httpclient-3.x/
> Hence, HttpClient version should be updated.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)