[ https://issues.apache.org/jira/browse/HIVE-24837?focusedWorklogId=560218&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-560218 ]

ASF GitHub Bot logged work on HIVE-24837:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 03/Mar/21 00:09
            Start Date: 03/Mar/21 00:09
    Worklog Time Spent: 10m 
      Work Description: hsnusonic closed pull request #2032:
URL: https://github.com/apache/hive/pull/2032

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 560218)
    Time Spent: 20m  (was: 10m)

> Upgrade httpclient to 4.5.13+
> -----------------------------
>
>                 Key: HIVE-24837
>                 URL: https://issues.apache.org/jira/browse/HIVE-24837
>             Project: Hive
>          Issue Type: Improvement
>            Reporter: Yu-Wen Lai
>            Assignee: Yu-Wen Lai
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 4.0.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
>
> Hive is using httpclient 4.5.6. We will need to upgrade httpclient and
> httpcore.
> {quote}CVSSv2:
>  Base Score: MEDIUM (5.0)
>  Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
>  CVSSv3:
>  Base Score: MEDIUM (5.3)
>  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
> CVE-2020-13956: Apache HttpClient incorrect handling of malformed
>  authority component in request URIs
> Severity: Medium
> Vendor:
>  The Apache Software Foundation
> Versions Affected:
>  Apache HttpClient 4.5.12 and prior 
>  Apache HttpClient 5.0.2 and prior
> Description:
> Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can
>  misinterpret malformed authority component in request URIs passed to
>  the library as java.net.URI object and pick the wrong target host for
>  request execution.
> Mitigation:
> As of release 4.5.13 and 5.0.3 HttpClient will reject URIs with
>  ambiguous malformed authority component as invalid. Users of HttpClient
>  are advised to upgrade to version 4.5.13 or 5.0.3 and sanitize request
>  URIs when using java.net.URI as input.
> Credit:
>  This issue was discovered and reported by Priyank Nigam
> {quote}
> Reference:
>  * [https://www.openwall.com/lists/oss-security/2020/10/08/4]
>  * [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956]
>  * [https://nvd.nist.gov/vuln/detail/CVE-2020-13956]
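The advisory's mitigation advises upgrading and sanitizing request URIs when `java.net.URI` is the input. The following is an added example, not code from Hive or from HttpClient, of a defensive pre-check that rejects a `java.net.URI` whose authority component does not round-trip cleanly to a plain `host[:port]` form and whose host is not on an allowlist; the class name, hostnames and ports are constructed for illustration.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;

/** Added example (not Hive's or HttpClient's code): validate a java.net.URI
 *  before handing it to an HTTP client. Hosts and ports are constructed. */
public final class RequestUriCheck {
    private RequestUriCheck() {}

    /** Returns the URI unchanged if its authority is unambiguous and its host is allowed;
     *  otherwise throws IllegalArgumentException. */
    public static URI requireSafeTarget(URI uri, Set<String> allowedHosts) {
        String rawAuthority = uri.getRawAuthority();
        String host = uri.getHost();
        if (rawAuthority == null || host == null) {
            throw new IllegalArgumentException("URI has no parseable host: " + uri);
        }
        // Rebuild the authority as host[:port] from the parsed parts. If the raw authority
        // differs (user-info, stray delimiters, anything the parser had to reinterpret),
        // treat it as ambiguous rather than trusting whichever host the client would pick.
        // Note: this policy also rejects user-info in the URI on purpose.
        String expected = host;
        if (uri.getPort() != -1) {
            expected += ":" + uri.getPort();
        }
        if (!rawAuthority.equals(expected)) {
            throw new IllegalArgumentException(
                "Ambiguous authority component '" + rawAuthority + "' in " + uri);
        }
        if (!allowedHosts.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("Host not allowed: " + host);
        }
        return uri;
    }

    public static void main(String[] args) {
        // Constructed allowlist and inputs for demonstration.
        Set<String> allowed = Set.of("metastore.example.internal");
        URI ok = URI.create("https://metastore.example.internal:9083/api");
        System.out.println("accepted: " + requireSafeTarget(ok, allowed));
        try {
            requireSafeTarget(URI.create("https://user@metastore.example.internal/api"), allowed);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```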



--
This message was sent by Atlassian Jira
(v8.3.4#803005)