[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15416067#comment-15416067 ]

stack commented on HBASE-16267:
-------------------------------

+1 on patch. Fix the release note. Doesn't make mention of why and doesn't make 
sense as written (what is the 'it' referred to). You want to hoist the CVE up 
into the release note? That'd help folks trying to figure why this issue. 
Thanks.

> Remove commons-httpclient dependency from hbase-rest module
> -----------------------------------------------------------
>
>                 Key: HBASE-16267
>                 URL: https://issues.apache.org/jira/browse/HBASE-16267
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ted Yu
>            Assignee: Ted Yu
>            Priority: Critical
>             Fix For: 2.0.0
>
>         Attachments: 16267.v10.txt, 16267.v11.txt, 16267.v12.txt, 
> 16267.v13.txt, 16267.v14.txt, 16267.v15.txt, 16267.v2.txt, 16267.v4.txt, 
> 16267.v6.txt, 16267.v8.txt, 16267.v9.txt
>
>
> hbase-rest module still has imports from org.apache.commons.httpclient .
> There is more work to be done after HBASE-15767 was integrated.
> In master branch, there seems to be transitive dependency which allows the 
> code to compile:
> {code}
> [INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
> [INFO] |  +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
> [INFO] |  +- commons-cli:commons-cli:jar:1.2:compile
> [INFO] |  +- org.apache.commons:commons-math3:jar:3.1.1:compile
> [INFO] |  +- xmlenc:xmlenc:jar:0.52:compile
> [INFO] |  +- commons-httpclient:commons-httpclient:jar:3.1:compile
> {code}
> HADOOP-12767
> to move the uses of httpclient HADOOP-10105
>     https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : 
> http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents 
> HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting 
> during an SSL handshake, which allows remote attackers to cause a denial of 
> service (HTTPS call hang) via unspecified vectors.
>     https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153
>     https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783
>     Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments 
> Service (FPS) merchant Java SDK and other products, does not verify that the 
> server hostname matches a domain name in the subject's Common Name (CN) or 
> subjectAltName field of the X.509 certificate, which allows man-in-the-middle 
> attackers to spoof SSL servers via an arbitrary valid certificate.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
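An added audit script, not HBase or Hadoop project code, that scans `mvn dependency:tree` output such as the fragment quoted in the issue for the artifacts tied to the two CVEs it cites: any commons-httpclient 3.x (CVE-2012-5783, no hostname verification) and org.apache.httpcomponents:httpclient below 4.3.6 (CVE-2015-5262). The sample tree is constructed from the issue's fragment plus one hypothetical httpcomponents line; the helper names `version_lt`, `audit_tree` and `audit_sample` are this example's own.

```shell
#!/bin/sh
# Audit `mvn dependency:tree` output for the HttpClient artifacts tied to the CVEs
# cited in HBASE-16267. Standalone illustration, not HBase or Hadoop project code.
set -eu

# Constructed sample input: the hadoop-common subtree quoted in the issue, plus one
# hypothetical org.apache.httpcomponents line to exercise the 4.x version check.
SAMPLE_TREE='[INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
[INFO] |  +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
[INFO] |  +- commons-cli:commons-cli:jar:1.2:compile
[INFO] |  +- org.apache.commons:commons-math3:jar:3.1.1:compile
[INFO] |  +- xmlenc:xmlenc:jar:0.52:compile
[INFO] |  +- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.3.5:compile'

# version_lt A B: exit 0 when dotted version A is numerically lower than B.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    for (i = 1; i <= (n > m ? n : m); i++) {
      p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0;
      if (p != q) exit !(p < q)
    }
    exit 1 }'
}

# audit_tree: read tree lines on stdin, print "group:artifact:version CVE" per finding.
audit_tree() {
  while IFS= read -r line; do
    coord=${line#\[INFO\] }                                     # drop Maven log prefix
    coord=$(printf '%s\n' "$coord" | sed -E 's/^[-| +\\]*//')   # drop tree drawing
    case "$coord" in *:*:*:*:*) ;; *) continue ;; esac          # need g:a:type[:cls]:ver:scope
    group=${coord%%:*}; rest=${coord#*:}; artifact=${rest%%:*}
    version=$(printf '%s\n' "$coord" | awk -F: '{ print $(NF-1) }')  # field before scope
    case "$group:$artifact" in
      commons-httpclient:commons-httpclient)
        # Every 3.x release skips hostname verification (CVE-2012-5783); the 3.x line is EOL.
        printf '%s:%s:%s CVE-2012-5783\n' "$group" "$artifact" "$version" ;;
      org.apache.httpcomponents:httpclient)
        # Before 4.3.6 the socket timeout is ignored during the TLS handshake (CVE-2015-5262).
        if version_lt "$version" 4.3.6; then
          printf '%s:%s:%s CVE-2015-5262\n' "$group" "$artifact" "$version"
        fi ;;
    esac
  done
}

# audit_sample: run the audit over the constructed sample (pipe real `mvn dependency:tree`
# output into audit_tree instead when checking an actual module).
audit_sample() { printf '%s\n' "$SAMPLE_TREE" | audit_tree; }
audit_sample
```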