[
https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15415702#comment-15415702
]
Josh Elser commented on HBASE-16267:
------------------------------------
bq. If security vulnerability, whats difference if included explicitly or
implicitly?
Is the vulnerability in the client itself, so by not using the older client,
we're safe at runtime? Do you have the CVE handy, [~tedyu]? It would be good
for us to be able to point to the issue where we addressed the CVE (since
security orgs are going to approaching it that way). This would also help in
our understanding here in HBase-land on the scope of the issue.
> Remove commons-httpclient dependency from hbase-rest module
> -----------------------------------------------------------
>
> Key: HBASE-16267
> URL: https://issues.apache.org/jira/browse/HBASE-16267
> Project: HBase
> Issue Type: Bug
> Reporter: Ted Yu
> Assignee: Ted Yu
> Priority: Critical
> Fix For: 2.0.0
>
> Attachments: 16267.v10.txt, 16267.v11.txt, 16267.v12.txt,
> 16267.v13.txt, 16267.v14.txt, 16267.v2.txt, 16267.v4.txt, 16267.v6.txt,
> 16267.v8.txt, 16267.v9.txt
>
>
> hbase-rest module still has imports from org.apache.commons.httpclient .
> There is more work to be done after HBASE-15767 was integrated.
> In master branch, there seems to be transitive dependency which allows the
> code to compile:
> {code}
> [INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
> [INFO] | +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
> [INFO] | +- commons-cli:commons-cli:jar:1.2:compile
> [INFO] | +- org.apache.commons:commons-math3:jar:3.1.1:compile
> [INFO] | +- xmlenc:xmlenc:jar:0.52:compile
> [INFO] | +- commons-httpclient:commons-httpclient:jar:3.1:compile
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
