Adam Roberts created SPARK-16769:
------------------------------------

             Summary: httpclient classic dependency - potentially a patch required?
                 Key: SPARK-16769
                 URL: https://issues.apache.org/jira/browse/SPARK-16769
             Project: Spark
          Issue Type: Question
          Components: Build
    Affects Versions: 2.0.0, 1.6.2
         Environment: All Spark versions, any environment
            Reporter: Adam Roberts
In our jars folder for Spark we provide a jar with a CVE: https://www.versioneye.com/java/commons-httpclient:commons-httpclient/3.1 (CVE-2012-5783). This paper outlines the problem: www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

My question is: do we need to ship this version as well, or is it only used for tests? Is it a patched version?

I plan to run without this dependency, and if there are NoClassDefFound problems I'll add <scope>test</scope> so we don't ship it (downloading it in the first place is bad enough, though).

Note that this is valid for all versions; I suggest it be raised to Critical if Spark functionality depends on it, because of what the PDF I've linked to mentions.

Here is the jar being included:

ls $SPARK_HOME/jars | grep "httpclient"
commons-httpclient-3.1.jar
httpclient-4.5.2.jar

The first jar potentially contains the security issue; it could be a patched version, need to verify. SHA1 sum for this jar is 964cd74171f427720480efdec40a7c7f6e58426a

-- 
This message was sent by Atlassian JIRA
(v6.3.4#6332)
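As an added example (not part of this issue or of the Spark project), the check below automates what the report does by hand: it lists the httpclient jars in a Spark jars directory, flags the classic commons-httpclient 3.x artifact, and compares each file's SHA-1 with the checksum quoted above. The KNOWN_SHA1 value is the one from the issue; classifying jars by filename is an assumption of this script, not something the issue states.

```shell
#!/bin/sh
# Added example, not code from the Spark issue or project.
# Audit a jars directory for the commons-httpclient 3.x ("classic") artifact.
# KNOWN_SHA1 is the checksum the issue reports for commons-httpclient-3.1.jar.
KNOWN_SHA1="964cd74171f427720480efdec40a7c7f6e58426a"

# sha1_of FILE -> prints the hex SHA-1, using whichever tool the host has
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | awk '{print $1}'
  else
    shasum -a 1 "$1" | awk '{print $1}'
  fi
}

# audit_httpclient_jars DIR
# Prints one line per matching jar: "<kind> <name> <sha1> <hash-status>"
#   kind:        CLASSIC = commons-httpclient 3.x (the artifact in question)
#                HC4     = org.apache.httpcomponents httpclient 4.x
#                OTHER   = anything else whose name contains "httpclient"
#   hash-status: KNOWN if the SHA-1 equals the checksum from the issue,
#                otherwise UNVERIFIED (different build, or a patched jar)
# Exit status 1 if any CLASSIC jar is present, 0 otherwise, so it can gate a build.
# Filename-based classification is a heuristic (assumption of this example).
audit_httpclient_jars() {
  dir="$1"; found=0
  for jar in "$dir"/*httpclient*.jar; do
    [ -f "$jar" ] || continue
    name=$(basename "$jar")
    sum=$(sha1_of "$jar")
    case "$name" in
      commons-httpclient-*) kind=CLASSIC; found=1 ;;
      httpclient-*)         kind=HC4 ;;
      *)                    kind=OTHER ;;
    esac
    if [ "$sum" = "$KNOWN_SHA1" ]; then status=KNOWN; else status=UNVERIFIED; fi
    printf '%s %s %s %s\n' "$kind" "$name" "$sum" "$status"
  done
  return $found
}

# Typical use: audit_httpclient_jars "$SPARK_HOME/jars"
```

A KNOWN line confirms the shipped file is byte-identical to the build the issue describes; an UNVERIFIED CLASSIC line means the jar still has to be inspected before deciding whether it is a patched build.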